[syslog-ng] Possible elementary question

Scheidler, Balázs balazs.scheidler at balabit.com
Thu Nov 10 08:13:35 UTC 2016 

I am not sure what generates iptables.log and what's the format. You
specified no-parse, which means that it will not try to parse timestamp
and/or hostnames from it, but take one line and stuff that into the $MSG
macro, in which case $HOST will be set to the name of the running host, at
least on the client box.

On the server box, you can split incoming messages using the
macro-capability of the file destination, e.g. you can do stuff like:

destination d_file {
   file("/var/log/${HOST}/syslog");
};

Which will cause all messages to be logged to a per-host file, you can also
include macros like $PROGRAM or both.

HTH,
Bazsi





-- 
Bazsi

On Thu, Nov 10, 2016 at 2:13 AM, Varugis Kurien <vkurien at midfinsystems.com>
wrote:

> I'm having some conniptions doing central logging using syslog-ng. Here is
> the scenario:
>
>    1. I generate logs using syslog-ng on local servers and then send them
>    to a log-destination server. Here is an example of some of the conf files
>    on the generating server:
>
> *more iptables.log.conf *
>
> *source s_var_log_iptables.log { file("/var/log/iptables.log"
> program-override(var_log_iptables.log) flags(no-parse)); }; log {
> source(s_var_log_iptables.log); destination(d_midfin_logger_2);  };*
>
>
> *more midfin_logger_2.conf *
>
>
>
>
>
>
>
> *template t_sdx_tagged {     template("$ISODATE $HOST $PROGRAM $MSG ");
>     template_escape(no); }; destination d_midfin_logger_2 { tcp(
> "10.4.16.161" port(514) template(t_sdx_tagged)); }; *
>
> What I am trying to do on the log host is to:
>
>
>    1. Segregate at the top level by host. For each such host:
>       1. Split the logs into different directories so that for example,
>       I'll have one directory for the audit log from that host, another for
>       iptables etc - so that under each host I'll have /var/log/iptables.log etc.
>
> I've been unable to grok the documentation to figure out quite how to do
> this and would really appreciate some help.
>
> thanks
> vk
> ==
>
>
>
> ____________________________________________________________
> __________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?
> product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20161110/67333ae0/attachment.html>

More information about the syslog-ng mailing list