[syslog-ng] newbie question
Groups
groups at obsd.us
Fri Dec 14 19:21:03 CET 2012
Newbie question
My Goals (2)
To replace the current CentOS 5.x log server with a SL 6.x syslog-ng server.
***************************************
Goal 1
To have all Linux servers log by the following (all Linux servers are running either syslog or rsyslog):
- Accept logs from Linux servers and separate them into
  messages.$YEAR$MONTH$DAY
  secure.$YEAR$MONTH$DAY
  maillog.$YEAR$MONTH$DAY
- messages can be a 'catchall'
==================
My success on Linux servers...
The mods in the syslog-ng.conf I have for Linux servers do work, but
catch everything.
***************************************
Goal 2
To have all (Cisco) switches / routers log according to their current
syslog settings.
The current syslog server uses /etc/hosts and logs the following:
# Receive logging messages from network devices (Router/Switch/VPN) to 3 files based on priority
local4.err                    /var/log/NetLog/NetDeverr
local4.notice,local4.!err     /var/log/NetLog/NetDevnote
local4.=debug,local4.=info    /var/log/NetLog/NetDevdebug
# Receive logging messages from all other devices to 3 files based on priority
syslog.err                    /var/log/OtherLog/OthDeverr
syslog.notice,syslog.!err     /var/log/OtherLog/OthDevnote
syslog.=debug,syslog.=info    /var/log/OtherLog/OthDevdebug
# Receive logging messages from all wireless devices to 3 files based on priority
local3.err                    /var/log/NetLog/Wirelesserr
local3.notice,local3.!err     /var/log/NetLog/Wirelessnote
local3.=debug,local3.=info    /var/log/NetLog/Wirelessdebug
# Receive logging messages from all UPS's to 3 files based on priority
local5.err                    /var/log/UPSLog/UPSerr
local5.notice,local5.!err     /var/log/UPSLog/UPSnote
local5.=debug,local5.=info    /var/log/UPSLog/UPSdebug
***************************************
Thx for any pointers.
tk
---------------------
rsyslog is turned off
--
OS: Scientific Linux 6.2 (RHEL 6 clone)
--
#syslog-ng -V
syslog-ng 3.2.5
Installer-Version: 3.2.5
Revision:
ssh+git://bazsi@git.balabit//var/scm/git/syslog-ng/syslog-ng-ose--mainline--3.2#master#9d4bea28198bd731df1a61e980a2af5b88d81116
Compile-Date: Jan 15 2012 19:52:28
Enable-Threads: on
Enable-Debug: off
Enable-GProf: off
Enable-Memtrace: off
Enable-Sun-STREAMS: off
Enable-IPv6: on
Enable-Spoof-Source: on
Enable-TCP-Wrapper: on
Enable-SSL: off
Enable-SQL: on
Enable-Linux-Caps: off
Enable-Pcre: on
Enable-Pacct: off
--
syslog-ng.conf (out of the box) with one change: create_dirs (yes);
---------------------
@version:3.2
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
flush_lines (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (yes);
keep_hostname (yes);
};
source s_sys {
file ("/proc/kmsg" program_override("kernel: "));
unix-stream ("/dev/log");
internal();
# udp(ip(0.0.0.0) port(514));
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };
filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
not (facility(mail)
or facility(authpriv)
or facility(cron)); };
filter f_auth { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_emergency { level(emerg); };
filter f_news { facility(uucp) or
(facility(news)
and level(crit..emerg)); };
filter f_boot { facility(local7); };
filter f_cron { facility(cron); };
## Begin Mods
# Network listeners. With flags(no-parse) the received line is not parsed as a
# syslog message: the whole line lands in $MSG and the facility/priority it
# carries are not available to facility()/level() filters.
source s_udp { udp( flags(no-parse) ); };  # A UDP source
source s_tcp { tcp( flags(no-parse) ); };  # A TCP source
###### Filter statements #######
### Linux logs
filter f_mailhost { host(172.25.85.41); };
filter f_merlin   { host(172.25.45.10); };
###### Destination statements #######
destination d_linux_servers
    { file("/var/log/devices/linux_servers/$HOST/log.$YEAR$MONTH$DAY"); };
###### Log statements #######
### Linux servers
log { source(s_udp); filter(f_merlin);   destination(d_linux_servers); };
log { source(s_udp); filter(f_mailhost); destination(d_linux_servers); };
---------------------
Thx
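The following is an added example, not the poster's configuration and not taken from the syslog-ng project: one way to express both goals in syslog-ng 3.2 syntax. It assumes the listeners below replace the post's s_udp/s_tcp sources (without flags(no-parse), so the facility and level of each received message are parsed and usable in filters), that the two Linux servers are the addresses used in the post's host() filters, and that the file paths are the ones listed for the old server. The priority ranges are the syslogd selectors from the post translated to level() ranges (err and above; notice and warning; debug and info).

```conf
@version:3.2
# Added example, not the original post's config. Assumes the post's options
# block (create_dirs(yes), keep_hostname(yes), use_dns(no)) is still in place.

# Parsed network listeners (no flags(no-parse)); max-connections is an assumed value.
source s_net {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(50));
};

### Goal 1: Linux servers (syslog/rsyslog clients)
# netmask() matches the address the packet came from, not the HOST field,
# which with keep_hostname(yes) is taken from the message itself.
filter f_linux   { netmask(172.25.85.41/255.255.255.255)
                   or netmask(172.25.45.10/255.255.255.255); };
filter f_lx_auth { facility(authpriv); };
filter f_lx_mail { facility(mail); };

destination d_lx_secure   { file("/var/log/devices/linux_servers/$HOST/secure.$YEAR$MONTH$DAY"); };
destination d_lx_maillog  { file("/var/log/devices/linux_servers/$HOST/maillog.$YEAR$MONTH$DAY"); };
destination d_lx_messages { file("/var/log/devices/linux_servers/$HOST/messages.$YEAR$MONTH$DAY"); };

# flags(final) stops a message at the first matching statement, so the third
# statement is the catch-all for whatever was not written to secure/maillog,
# and Linux traffic never falls through into the device paths below.
log { source(s_net); filter(f_linux); filter(f_lx_auth); destination(d_lx_secure);   flags(final); };
log { source(s_net); filter(f_linux); filter(f_lx_mail); destination(d_lx_maillog);  flags(final); };
log { source(s_net); filter(f_linux);                    destination(d_lx_messages); flags(final); };

### Goal 2: network devices, split by facility and priority
# syslogd selector            -> syslog-ng level() range
#   fac.err                   -> level(err..emerg)
#   fac.notice,fac.!err       -> level(notice..warning)
#   fac.=debug,fac.=info      -> level(debug..info)
filter f_p_err   { level(err..emerg); };
filter f_p_note  { level(notice..warning); };
filter f_p_debug { level(debug..info); };

filter f_netdev   { facility(local4); };
filter f_wireless { facility(local3); };
filter f_ups      { facility(local5); };
filter f_other    { facility(syslog); };

destination d_netdev_err     { file("/var/log/NetLog/NetDeverr"); };
destination d_netdev_note    { file("/var/log/NetLog/NetDevnote"); };
destination d_netdev_debug   { file("/var/log/NetLog/NetDevdebug"); };
destination d_wireless_err   { file("/var/log/NetLog/Wirelesserr"); };
destination d_wireless_note  { file("/var/log/NetLog/Wirelessnote"); };
destination d_wireless_debug { file("/var/log/NetLog/Wirelessdebug"); };
destination d_ups_err        { file("/var/log/UPSLog/UPSerr"); };
destination d_ups_note       { file("/var/log/UPSLog/UPSnote"); };
destination d_ups_debug      { file("/var/log/UPSLog/UPSdebug"); };
destination d_other_err      { file("/var/log/OtherLog/OthDeverr"); };
destination d_other_note     { file("/var/log/OtherLog/OthDevnote"); };
destination d_other_debug    { file("/var/log/OtherLog/OthDevdebug"); };

log { source(s_net); filter(f_netdev);   filter(f_p_err);   destination(d_netdev_err); };
log { source(s_net); filter(f_netdev);   filter(f_p_note);  destination(d_netdev_note); };
log { source(s_net); filter(f_netdev);   filter(f_p_debug); destination(d_netdev_debug); };
log { source(s_net); filter(f_wireless); filter(f_p_err);   destination(d_wireless_err); };
log { source(s_net); filter(f_wireless); filter(f_p_note);  destination(d_wireless_note); };
log { source(s_net); filter(f_wireless); filter(f_p_debug); destination(d_wireless_debug); };
log { source(s_net); filter(f_ups);      filter(f_p_err);   destination(d_ups_err); };
log { source(s_net); filter(f_ups);      filter(f_p_note);  destination(d_ups_note); };
log { source(s_net); filter(f_ups);      filter(f_p_debug); destination(d_ups_debug); };
log { source(s_net); filter(f_other);    filter(f_p_err);   destination(d_other_err); };
log { source(s_net); filter(f_other);    filter(f_p_note);  destination(d_other_note); };
log { source(s_net); filter(f_other);    filter(f_p_debug); destination(d_other_debug); };
```

Check the syntax before reloading with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf`. Two points worth knowing when comparing with the old server: with use_dns(no) and keep_hostname(yes) the $HOST directory name comes from the hostname the sending server puts in its messages, whereas the old /etc/hosts-based naming is closer to use_dns(persist_only), which resolves through /etc/hosts only; and if the device listeners keep flags(no-parse), every message from those devices arrives as facility user / level notice, so none of the facility() or level() paths above will match and the files stay empty.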