[syslog-ng] file("/proc/kmsg" program_override("kernel: "));

[Gergely Nagy]

Tom <tommedema at gmail.com> writes:

> Dear all,
>
> I just started using syslog-ng to pipe log files to Loggly.com.
>
> I have a couple of questions.
>
> First of all, why is there a `: ` after kernel here?

I do not know why there is a ': ' - my reading of the program_override()
docs (see the admin guide link below) suggests that it should be
'kernel' alone.

> file("/proc/kmsg" program_override("kernel: "));
>
> I have seen people do it differently, like so:
>
> file("/proc/kmsg" program_override("kernel));
>
> Does this matter? And more general, what does the entire rule do
> exactly?

program_override() does as the name suggests: it makes the logs coming
from /proc/kmsg appear as if they were sent by a program called "kernel"
(if I remember correctly, kmsg does not have a program field by
default).

> The following is my syslog-ng.conf file:
>
> https://gist.github.com/2819768
>
> As you can see, I have a lot of log files. Is this the proper way of
> doing this? Doesn't it cost a lot of resources for syslog-ng to check
> all these files for changes?

That's not really a lot, but nevertheless, until such time that wildcard
source supports lands in syslog-ng OSE, the way you do it is the proper
way. As for the cost of watching changes: it's not all that high. On
modern systems, epoll() or similar will be used, which was meant to make
it efficient to watch a high number of sources for changes. Each active
file adds a little bit of extra work, to be sure, but under a couple of
hundred files, it shouldn't matter much, if at all.

> Finally, where can I find the documentation? Eg. I would like to learn
> about the specifics of follow_freq and what the parameter actually
> implies.

We have a detailed admin guide available at:
 https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-3.3-guides/syslog-ng-ose-v3.3-guide-admin-en.html/bk01-toc.html

The man pages shipped with syslog-ng itself should mention it too.

-- 
|8]