[syslog-ng] log smtp mail messages to a specific file

Alan McKinnon Alan.McKinnon at is.co.za
Tue Jun 1 21:54:00 CEST 2010


On Tuesday 01 June 2010 21:10:24 Thanasis wrote:
> Postfix messages were logged in /var/log/messages.


[snip]


> I wanted to log postfix messages to a new file: /var/log/mail.log
> I changed /etc/syslog-ng/syslog-ng.conf like so:
> 
> # diff syslog-ng.conf.orig syslog-ng.conf
> 15a16,23
> 
> > filter mail {
> > 
> >     facility(mail);
> > 
> > };
> > 
> > filter notmail {
> > 
> >     not facility(mail);
> > 
> > };
> 
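Review bot: `notmail` in the second added filter repeats the `facility(mail)` test from `mail` with a `not` in front, so the two definitions can drift apart if one of them is edited later. Defining it as `filter notmail { not filter(mail); };` keeps a single place that decides what counts as mail.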
> 22a31
> 
> > destination mail { file("/var/log/mail.log"); };
> 
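Review bot: the added `destination mail` line sets no `owner()`, `group()` or `perm()` on /var/log/mail.log, so the new file takes whatever the global defaults are, and Postfix log lines carry sender and recipient addresses. Setting the mode explicitly, for example `file("/var/log/mail.log" perm(0640));`, makes the intended access visible in the config. The destination also shares the name `mail` with the filter added above; distinct names would make the log statements easier to read.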
> 31,32c40,42
> < log { source(src); destination(messages); };
> < log { source(src); destination(console_all); };
> ---
> 
> > log { source(src); filter(mail); destination(mail); };
> > log { source(src); filter(notmail); destination(messages); };
> > log { source(src); filter(notmail); destination(console_all); };
> 
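Review bot: the third added log statement puts `filter(notmail)` on `console_all` as well, so mail messages stop reaching the console in addition to /var/log/messages, while the stated goal was only to move Postfix messages into /var/log/mail.log. If `console_all` is meant to keep receiving everything, leave that line as `log { source(src); destination(console_all); };`. Any log statement added later will also need `filter(notmail)` to keep mail out of it.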
> ----------------------------------------------------------------------
> 
> It worked, or at least I think so, by looking at both /var/log/messages
> and /var/log/mail.log.
> 
> So, my questions are:
> 1) Are my edits OK? Did I do anything wrong?
> 2) Should I have configured it otherwise, perhaps more efficiently?

Hi,

Your edits are fine, that will work. It gets complex, but that is unavoidable. 
Your method has the advantage that you can re-arrange the order of your config 
stanzas and the end result will be the same.

There is a slightly more efficient way, and that is to use the "final" option 
in your mail log statement and leave everything else as it was, with the 
messages log statement at the end. Processing stops when a final is reached, 
meaning that mail logs will never reach the config that sends them to 
messages.

I don't recommend this route for your case though, as:

- The order of log statements becomes critical, so not only do you have to 
specify your filters correctly, you also have to *place* them correctly too.

- Other people maintaining your config have to know you did this and take it 
into account. There are few things more annoying than being forced to 
understand the whole thing completely to just modify one part of it.

- You *will* forget you did this! (ask me how I know this....) and you will 
break stuff. A mistake in a config means lost logs. Lost logs means you never 
get them back...

There are cases where "final" is appropriate (I use it myself) but it has to 
be used carefully and with caution.


-- 
Alan McKinnon
Systems Engineer^W Technician
Infrastructure Services
Internet Solutions

+27 11 575 7585

Please note: This email and its content are subject to the disclaimer as displayed at the following link http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Disclaimer.htm. Should you not have Web access, send a mail to disclaimers at is.co.za and a copy will be emailed to you.
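
An added example, not part of the original message and not syslog-ng code: a simplified Python model of the two layouts discussed above, showing that the filtered layout routes the same way in any order while the "final" layout sends mail to messages once the mail statement is moved. The evaluation rule in `route` (top to bottom, a final statement stops later ones) and the sample messages are assumptions constructed for illustration.

```python
# Simplified model of syslog-ng log-path evaluation (an assumption for
# illustration, not syslog-ng code): statements run top to bottom, and a
# statement marked final stops later statements from seeing what it matched.

def is_mail(msg):        # stands in for: filter mail { facility(mail); };
    return msg["facility"] == "mail"

def not_mail(msg):       # stands in for: filter notmail { not facility(mail); };
    return not is_mail(msg)

def route(statements, messages):
    """Return {destination: [message text, ...]} for a list of
    (filter_or_None, destination, final) log statements."""
    out = {}
    for msg in messages:
        for flt, dest, final in statements:
            if flt is None or flt(msg):
                out.setdefault(dest, []).append(msg["text"])
                if final:
                    break
    return out

# Constructed sample messages.
MESSAGES = [
    {"facility": "mail", "text": "postfix/smtpd: connect from unknown"},
    {"facility": "auth", "text": "sshd: session opened"},
]

# The posted layout: every statement carries its own filter.
FILTERED = [(is_mail, "mail", False),
            (not_mail, "messages", False),
            (not_mail, "console_all", False)]

# The "final" layout: only the mail statement is filtered; it must come first.
FINAL_OK = [(is_mail, "mail", True),
            (None, "messages", False),
            (None, "console_all", False)]

# Same statements after someone moves the mail statement to the end.
FINAL_REORDERED = FINAL_OK[1:] + FINAL_OK[:1]

if __name__ == "__main__":
    for name, cfg in [("filtered", FILTERED),
                      ("filtered, reversed", FILTERED[::-1]),
                      ("final, mail first", FINAL_OK),
                      ("final, mail last", FINAL_REORDERED)]:
        print(name, route(cfg, MESSAGES))
```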