[syslog-ng] Possible elementary question

Varugis Kurien vkurien at midfinsystems.com
Thu Nov 10 17:07:17 UTC 2016


Yes, agree. I wanted to include local configuration so that it was clear what that was. I'll check today and confirm. BTW, since this scenario is likely to be a common scenario, I am more than willing to donate this to the FAQ so that it helps someone else as well.

________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Fekete, Róbert <robert.fekete at balabit.com>
Sent: Thursday, November 10, 2016 12:18:03 AM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Possible elementary question

Hi,

The configs in your mail refer to your local servers, and you want to segregate the logs on your central logserver into separate files.
For that, you have to use a file destination on the logserver that uses macros in its filename, something like:

destination d_file {
    file("/var/log/${HOST}/${PROGRAM}.log");
};

(Though I'd recommend using some DATE macros as well)

For details, see https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-destinations-file.html

HTH,

Robert

On Thu, Nov 10, 2016 at 2:13 AM, Varugis Kurien <vkurien at midfinsystems.com> wrote:

I'm having some conniptions doing central logging using syslog-ng. Here is the scenario:

  1.  I generate logs using syslog-ng on local servers and then send them to a log-destination server. Here is an example of some of the conf files on the generating server:

more iptables.log.conf
# Read the local iptables log as raw lines (no-parse) and label them with a fixed program name.
source s_var_log_iptables.log { file("/var/log/iptables.log" program-override("var_log_iptables.log") flags(no-parse)); };
log { source(s_var_log_iptables.log); destination(d_midfin_logger_2); };


more midfin_logger_2.conf
# Line format sent to the central logserver; the trailing \n terminates each record.
template t_sdx_tagged {
    template("$ISODATE $HOST $PROGRAM $MSG\n");
    template_escape(no);
};
destination d_midfin_logger_2 { tcp("10.4.16.161" port(514) template(t_sdx_tagged)); };



What I am trying to do on the log host is to:


  1.  Segregate at the top level by host. For each such host:
     *   Split the logs into different directories so that for example, I'll have one directory for the audit log from that host, another for iptables etc - so that under each host I'll have /var/log/iptables.log etc.

I've been unable to grok the documentation to figure out quite how to do this and would really appreciate some help.

thanks
vk
==
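A complete receiving-side configuration for the scheme Róbert describes, added here as an example and not taken from the thread or from the syslog-ng project. It assumes the logserver listens on TCP 514 (matching the sender's tcp() destination above) and writes under /var/log/remote, adds the DATE macros he recommends, and sets keep-hostname(no) so the per-host directory is named after the connecting sender rather than the HOST field the sender wrote into the message.

```conf
@version: 3.8
# Assumed version line; set it to the syslog-ng release installed on the logserver.

# Accept the forwarded lines from the local servers.
# keep-hostname(no): take ${HOST} from the sending connection (IP or resolved name),
# not from the HOST field inside the message, so a misconfigured or misbehaving sender
# cannot have its lines filed under another host's directory.
source s_remote {
    network(ip("0.0.0.0") port(514) transport("tcp") keep-hostname(no));
};

# One directory per sender, one file per program, and a new file each day via the
# YEAR/MONTH/DAY macros. create-dirs(yes) is required because the ${HOST} directories
# do not exist until the first message from that host arrives; the perm options keep
# the tree readable only by the syslog-ng user and its group.
destination d_per_host {
    file("/var/log/remote/${HOST}/${PROGRAM}.${YEAR}-${MONTH}-${DAY}.log"
         create-dirs(yes) dir-perm(0750) perm(0640)
         template("${ISODATE} ${HOST} ${PROGRAM} ${MSG}\n"));
};

log { source(s_remote); destination(d_per_host); };
```

With the sender config from the thread, ${PROGRAM} on the logserver is the value set by program-override (for example var_log_iptables.log), so each host directory ends up with one file per forwarded log file and day.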

