Configuring syslog-ng to send logs


The configuration file for syslog-ng is /etc/syslog-ng.conf.


Uncomment the following line and insert the address of the machine the logs are to be sent to:

    destination loghost { udp("192.168.0.42" port(514)); };

Uncomment the following line:

    log { source(src); filter(f_info); destination(loghost); }; 

To enable a more comprehensive level of logging you may want to uncomment two more lines:

    log { source(src); filter(f_syslog); destination(syslog); };
    log { source(src); filter(f_b-syslog); destination(syslog); };

To start syslog-ng, issue the command /etc/init.d/sysklogd restart:

    # /etc/init.d/sysklogd restart 

Note: do not run klogd and syslog-ng fetching local kernel messages at the same time. It may cause syslog-ng to block, which makes logging unusable for all local daemons.

Old News


SyslogNG - EGEE-SEE Wiki

Network Destinations

Network destinations allow us to forward messages to remote hosts using UDP or TCP. In our setup we define the backuphost as a destination.

destination d_remote_backuphost {
       udp("backuphost");
};

Log Paths

Log paths are basically triples of sources, filters and destinations. Any message coming from any of the listed sources and matching all of the filters is sent to all listed destinations. In our setup we first forward the messages to the backup host and then store them in the appropriate file.

# forward logs to backuphost
# This must be done first because of the final flags
# in all other log actions.
log {
        source(s_all);
        destination(d_remote_backuphost);
};

# log actions for grid programs for all hosts.
# The final flag guarantees that these logs will
# not be stored twice.
log{
        source(s_all);
        filter(f_prog_edg);
        destination(d_edgprogs);
        flags(final);
};
log{
        source(s_all);
        filter(f_prog_grid);
        destination(d_gridprogs);
        flags(final);
};

# loghost logs
log{
        source(s_all);
        filter(f_host_loghost);
        destination(d_loghost);
        flags(final);
};

# Grid hosts logs
log{
        source(s_all);
        filter(f_host_ui);
        destination(d_ui_facility);
        flags(final);
};

## here are placed similar entries
## for WNs, SEs, CE, MON, LFC, RB
## (...)

# this will identify any incoming logs that were
# ignored.
log{
       source(s_net);
       destination(d_fallback);
       flags(fallback);
};

Misc


[syslog-ng] Forwarding syslog messages to multiple UDP destinations.

Balazs Scheidler bazsi@balabit.hu
Mon, 22 Jul 2002 15:51:41 +0200



On Mon, Jul 22, 2002 at 05:18:14AM -0700, Subodh Nijsure wrote:
> Hello,
> 
> I am trying to forward syslog messages to multiple IP destination,
> I tried using statements like
> 
> destination udp_forw { udp("192.168.58.150", port(514));
> udp("192.168.19.1", port(514)); };
> 
> And it doesn't work, it forwards messages to first destination, is this
> supposed to
> work the way I have put config statement?

this should work. can you show your config file (please strip unneeded
parts)

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
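The ordering rule behind the EGEE log paths ("forward first, because of the final flags") and the two-driver destination group in the mailing-list question above can both be checked with a small model of how syslog-ng walks its log statements. This is an added example, not code from the wiki, the mailing list or the syslog-ng project; the source and destination group names are taken from the page, the message fields, the filter predicates and the driver labels in `DESTS` are constructed, and source-group membership is simplified to a plain name match.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class LogPath:
    source: str                                                  # source group, e.g. "s_all"
    destinations: List[str]                                      # destination group names
    filt: Optional[Callable[[Dict[str, str]], bool]] = None      # None means no filter: matches all
    final: bool = False                                          # flags(final)
    fallback: bool = False                                       # flags(fallback)

# Constructed destination groups: a group may hold several drivers, so one destination() fans out.
DESTS: Dict[str, List[str]] = {
    "d_remote_backuphost": ["udp backuphost:514"],
    "d_gridprogs": ["file /var/log/gridprogs"],
    "d_loghost": ["file /var/log/loghost"],
    "d_fallback": ["file /var/log/fallback"],
    "udp_forw": ["udp 192.168.58.150:514", "udp 192.168.19.1:514"],
}

def route(msg: Dict[str, str], paths: List[LogPath]) -> List[str]:
    """Return the drivers that receive msg, in delivery order, walking paths top to bottom."""
    drivers: List[str] = []
    matched = False
    for p in paths:
        if p.fallback or p.source != msg["source"]:
            continue
        if p.filt is not None and not p.filt(msg):
            continue
        matched = True
        for d in p.destinations:
            drivers.extend(DESTS[d])
        if p.final:      # final: no later log statement sees this message
            break
    if not matched:      # fallback paths only get what no regular path took
        for p in paths:
            if p.fallback and p.source == msg["source"]:
                for d in p.destinations:
                    drivers.extend(DESTS[d])
    return drivers

# Constructed paths in the order the EGEE config uses: the forward comes first, final paths after.
EGEE_PATHS = [
    LogPath("s_all", ["d_remote_backuphost"]),
    LogPath("s_all", ["d_gridprogs"], lambda m: m["program"].startswith("grid"), final=True),
    LogPath("s_all", ["d_loghost"], lambda m: m["host"] == "loghost", final=True),
    LogPath("s_net", ["d_fallback"], fallback=True),
]
# The same statements with the forward moved last: a final path now swallows the message first.
REORDERED = EGEE_PATHS[1:3] + [EGEE_PATHS[0], EGEE_PATHS[3]]
```

With the forward last, a grid message is stored locally but never reaches the backup host; with a two-driver destination group, one `destination(udp_forw)` reference delivers to both UDP targets, which is the behaviour the reply above describes as intended.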


SUSE 10 syslog-ng definition

#
# /etc/syslog-ng/syslog-ng.conf
#
# File format description can be found in syslog-ng.conf(5)
# and in /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
# NOTE: The SuSEconfig script and its syslog-ng.conf.in
#       configuration template aren't used any more.
#
#       Feel free to edit this file directly.
#
#       Additional log sockets for chroot environments can
#       be declared in the /etc/sysconfig/syslog file using
#               SYSLOGD_ADDITIONAL_SOCKET
#       variables. This way allows to define a socket from
#       RPM scripts and is used by several services, e.g.
#       bind and dhcpd.
#
#       The sockets defined in /etc/sysconfig/syslog file
#       are added by the /etc/init.d/syslog init-script using
#       "-a path" command line options while syslog-ng is
#       started.
#
#       This syslog-ng contains an extension and appends the
#       sockets added by "-a" option to the same source group
#       and using the same socket type (unix-dgram) as the
#       "/dev/log" socket.
#       If one of the sockets added by "-a" option already
#       exists in any (other) source group in the config file,
#       then the socket added by "-a" option is ignored.
#

#
# Global options.
#
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };

#
# 'src' is our main source definition. you can add
# more source driver definitions to it, or define
# your own sources, i.e.:
#
#source my_src { .... };
#
source src {
	#
	# include internal syslog-ng messages
	# note: the internal() source is required!
	#
	internal();

	#
	# the default log socket for local logging:
	#
	unix-dgram("/dev/log");

	#
	# uncomment to process log messages from network:
	#
	#udp(ip("0.0.0.0") port(514));
};


#
# Filter definitions
#
filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };

filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit)   and facility(news); };
filter f_newserr    { level(err)    and facility(news); };
filter f_news       { facility(news); };

filter f_mailinfo   { level(info)      and facility(mail); };
filter f_mailwarn   { level(warn)      and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };

filter f_cron       { facility(cron); };

filter f_local      { facility(local0, local1, local2, local3,
                               local4, local5, local6, local7); };

filter f_acpid      { match('^\[acpid\]:'); };
filter f_netmgm     { match('^NetworkManager:'); };

filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };


#
# Most warning and errors on tty10 and on the xconsole pipe:
#
destination console  { file("/dev/tty10"    group(tty) perm(0620)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" group(tty) perm(0400)); };
log { source(src); filter(f_console); destination(xconsole); };

# Enable this, if you want that root is informed immediately,
# e.g. of logins:
#
#destination root { usertty("root"); };
#log { source(src); filter(f_alert); destination(root); };


#
# News-messages in separate files:
#
destination newscrit   { file("/var/log/news/news.crit"
                              owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr    { file("/var/log/news/news.err"
                              owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"
                              owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

#
# and optionally also all in one file:
# (don't forget to provide logrotation config)
#
#destination news { file("/var/log/news.all"); };
#log { source(src); filter(f_news); destination(news); };


#
# Mail-messages in separate files:
#
destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr);  destination(mailerr); };

#
# and also all in one file:
#
destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };

#
# acpid messages in one file:
#
destination acpid { file("/var/log/acpid"); };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };

#
# NetworkManager messages in one file:
#
destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

#
# Cron-messages in one file:
# (don't forget to provide logrotation config)
#
#destination cron { file("/var/log/cron"); };
#log { source(src); filter(f_cron); destination(cron); };

#
# Some boot scripts use/require local[1-7]:
#
destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };


#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };

#
# Enable this, if you want to keep all messages in one file:
# (don't forget to provide logrotation config)
#
#destination allmessages { file("/var/log/allmessages"); };
#log { source(src); destination(allmessages); };