1
#----------------------------------------------------------------------
2
# Program: syslog-ng.conf
3
# Notes: Embedded most of the manual notes within the configuration
4
# file. The original manual can be found at:
6
# http://www.balabit.com/products/syslog_ng/reference/book1.html
7
# http://www.campin.net/syslog-ng/faq.html
9
# Many people may find placing all of this information in a
10
# configuration file a bit redundant, but I have found that
11
# with a little bit of extra comments and reference,
12
# maintaining these beasties is much easier.
14
# This particular log file was taken from the examples that
15
# are given at the different web sites, and made to emulate
16
# the logs of a Mandrake Linux system as much as possible.
17
# Of course, Unix is Unix, is Linux. It should be generic
18
# enough for any Unix system.
19
#----------------------------------------------------------------------
20
# 16-Mar-03 - REP - Added some extra definitions to the file.
21
# 15-Mar-03 - REP - Added back the comments on filtering.
22
# 27-Feb-03 - REP - Further modified for local environment.
23
# 27-Feb-03 - REP - Updated for new configuration and version 1.6.0
24
# 12-Dec-02 - REP - Continued updates for writing to databases.
25
# 30-Nov-02 - REP - Initial creation for testing.
27
#----------------------------------------------------------------------
29
#----------------------------------------------------------------------
31
# Name Values Description
32
# ------------------------- ------- ------------------------------------
33
# bad_hostname reg exp A regexp which matches hostnames
34
# which should not be taken as such.
35
# chain_hostnames y/n Enable or disable the chained
37
# create_dirs y/n Enable or disable directory creation
38
# for destination files.
42
# dns_cache y/n Enable or disable DNS cache usage.
43
# dns_cache_expire num Number of seconds while a successful
45
# dns_cache_expire_failed num Number of seconds while a failed
47
# dns_cache_size num Number of hostnames in the DNS cache.
48
# gc_busy_threshold num Sets the threshold value for the
49
# garbage collector, when syslog-ng is
50
# busy. GC phase starts when the number
51
# of allocated objects reach this
52
# number. Default: 3000.
53
# gc_idle_threshold num Sets the threshold value for the
54
# garbage collector, when syslog-ng is
55
# idle. GC phase starts when the number
56
# of allocated objects reach this
57
# number. Default: 100.
59
# keep_hostname y/n Enable or disable hostname rewriting.
60
# This means that if the log entry had
61
# been passed through at least one other
62
# logging system, the ORIGINAL hostname
63
# will be kept attached to the log.
64
# Otherwise the last logger will be
65
# considered the log entry owner and
66
# the log entry will appear to have
67
# come from that host.
68
# log_fifo_size num The number of lines fitting to the
70
# log_msg_size num Maximum length of message in bytes.
71
# long_hostnames on/off This option appears to only really
72
# have an effect on the local system.
73
# which removes the source of the log.
74
# As an example, normally the local
75
# logs will state src@hostname, but
76
# with this feature off, the source
78
# mark num The number of seconds between two
79
# MARK lines. NOTE: not implemented
83
# stats num The number of seconds between two
85
# sync num The number of lines buffered before
87
# time_reap num The time to wait before an idle
88
# destination file is closed.
89
# time_reopen num The time to wait before a died
90
# connection is reestablished
91
# use_dns y/n Enable or disable DNS usage.
92
# syslog-ng blocks on DNS queries,
93
# so enabling DNS may lead to a
94
# Denial of Service attack. To
95
# prevent DoS, protect your
96
# syslog-ng network endpoint with
97
# firewall rules, and make sure that
98
# all hosts, which may get to
99
# syslog-ng is resolvable.
100
# use_fqdn y/n Add Fully Qualified Domain Name
101
# instead of short hostname.
102
# use_time_recvd y/n Use the time a message is
103
# received instead of the one
104
# specified in the message.
105
#----------------------------------------------------------------------
106
# 15-Mar-03 - REP - Since some of the clocks are not quite right, we
107
# are going to go ahead and just use the local time
108
# as the master time.
109
# 12-Mar-03 - REP - We have taken a few configuration options from the
110
# newer Solaris configuration because some of the
111
# reasons are valid for us as well. We have increased
112
# the log_msg_size and log_fifo_size to increase the
113
# amount of buffering that we do. While for most
114
# systems this may not have a noticeable effect, it
115
# will for systems that are at the end of a lot of
117
# 20-Dec-02 - REP - Changed the stat() time from the default of 10
118
# minutes to once an hour.
119
#----------------------------------------------------------------------
138
#----------------------------------------------------------------------
140
#----------------------------------------------------------------------
142
# fifo/pipe - The pipe driver opens a named pipe with the
143
# specified name, and listens for messages. It's
144
# used as the native message getting protocol on
146
# file - Usually the kernel presents its messages in a
147
# special file (/dev/kmsg on BSDs, /proc/kmsg on
148
# Linux), so to read such special files, you'll need
149
# the file() driver. Please note that you can't use
150
# this driver to follow a file like tail -f does.
151
# internal - All internally generated messages "come" from this
152
# special source. If you want warnings, errors and
153
# notices from syslog-ng itself, you have to include
154
# this source in one of your source statements.
155
# sun-streams - Solaris uses its STREAMS API to send messages to
156
# the syslogd process. You'll have to compile
157
# syslog-ng with this driver compiled in (see
158
# ./configure --help).
160
# Newer versions of Solaris (2.5.1 and above), uses a
161
# new IPC in addition to STREAMS, called door to
162
# confirm delivery of a message. Syslog-ng supports
163
# this new IPC mechanism with the door() option.
165
# The sun-streams() driver has a single required
166
# argument, specifying the STREAMS device to open and
168
# tcp/udp - These drivers let you receive messages from the
169
# network, and as the name of the drivers show, you
170
# can use both UDP and TCP as transport.
172
# UDP is a simple datagram oriented protocol, which
173
# provides "best effort service" to transfer
174
# messages between hosts. It may lose messages, and
175
# no attempt is made to retransmit such lost
176
# messages at the protocol level.
178
# TCP provides connection-oriented service, which
179
# basically means a flow-controlled message pipeline.
180
# In this pipeline, each message is acknowledged, and
181
# retransmission is done for lost packets. Generally
182
# it's safer to use TCP, because lost connections can
183
# be detected, and no messages get lost, but
184
# traditionally the syslog protocol uses UDP.
186
# None of tcp() and udp() drivers require positional
187
# parameters. By default they bind to 0.0.0.0:514,
188
# which means that syslog-ng will listen on all
189
# available interfaces, port 514. To limit accepted
190
# connections to one interface only, use the
191
# localip() parameter as described below.
195
# Name Type Description Default
196
# -------------- ------ -------------------------------- --------
197
# ip or local ip string The IP address to bind to. Note 0.0.0.0
198
# that this is not the address
199
# where messages are accepted
201
# keep-alive y/n Available for tcp() only, and yes
202
# specifies whether to close
203
# connections upon receipt
204
# of a SIGHUP signal.
205
# max-connections number Specifies the maximum number of 10
206
# simultaneous connections.
207
# port or local port number The port number to bind 514
209
# -------------- ------ -------------------------------- --------
211
# unix-stream - unix-dgram - These two drivers behave similarly:
212
# they open the given AF_UNIX socket, and start
213
# listening on them for messages. unix-stream() is
214
# primarily used on Linux, and uses SOCK_STREAM
215
# semantics (connection oriented, no messages are
216
# lost), unix-dgram() is used on BSDs, and uses
217
# SOCK_DGRAM semantics, this may result in lost
218
# local messages, if the system is overloaded.
220
# To avoid denial of service attacks when using
221
# connection-oriented protocols, the number of
222
# simultaneously accepted connections should be
223
# limited. This can be achieved using the
224
# max-connections() parameter. The default value of
225
# this parameter is quite strict, you might have to
226
# increase it on a busy system.
228
# Both unix-stream and unix-dgram have a single
229
# required positional argument, specifying the
230
# filename of the socket to create, and several
231
# optional parameters.
235
# Name Type Description Default
236
# -------------- ------ -------------------------------- --------
237
# group string Set the gid of the socket. root
238
# keep-alive y/n Selects whether to keep yes
239
# connections opened when
240
# syslog-ng is restarted, can be
241
# used only with unix-stream().
242
# max-connections numb Limits the number of 10
243
# simultaneously opened
244
# connections. Can be used only
245
# with unix-stream().
246
# owner string Set the uid of the socket. root
247
# perm num Set the permission mask. For 0666
248
# octal numbers prefix the number
249
# with '0', e.g. use 0755 for
251
#----------------------------------------------------------------------
252
# Notes: For Linux systems (and especially RedHat derivatives),
253
# they have a second logging process for kernel messages.
254
# This source is /proc/kmsg. If you are running this on a
255
# system that is not Linux, then the source entry for this
258
# It seems that there is some performance questions related
259
# to what type of source stream should be used for Linux
260
# boxes. The documentation states the /dev/log should use
261
# unix-stream, but from the mailing list it has been
262
# strongly suggested that unix-dgram be used.
264
# WARNING: TCP wrappers has been enabled for this system, and unless
265
# you also place entries in /etc/hosts.allow for each of the
266
# devices that will be delivering logs via TCP, you will
267
# NOT receive the logs.
269
# Also note that if there is any form of a local firewall,
270
# this will also need to be altered such that the incoming
271
# and possibly outgoing packets are allowed by the firewall
273
#----------------------------------------------------------------------
274
# There has been a lot of debate on whether everything should be put
275
# to a single source, or breakdown all the sources into individual
276
# streams. The greatest flexibility would be in many, but the most
277
# simple is the single. Since we wrote this file, we have chosen the
278
# route of maximum flexibility.
280
# For those of you that like simplicity, this could have also been
281
# done as the follows:
286
# pipe("/proc/kmsg" log_prefix("kernel: "));
287
# tcp(ip(127.0.0.1) port(4800) keep-alive(yes));
289
# unix-stream("/dev/log");
292
# You would also have to change all the log statements to only
293
# reference the now single source stream.
294
#----------------------------------------------------------------------
295
# 16-Mar-03 - REP - The default number of allowed TCP connects is set
296
# very low for a logserver. This value should only
297
# be set greater than the default for servers that
298
# will actually be serving that many systems.
299
#----------------------------------------------------------------------
301
{ unix-dgram("/dev/log"); };
307
{ pipe("/proc/kmsg" log_prefix("kernel: ")); };
310
{ tcp(port(4800) keep-alive(yes) max_connections(100)); };
312
#----------------------------------------------------------------------
314
#----------------------------------------------------------------------
316
# fifo/pipe - This driver sends messages to a named pipe like
319
# The pipe driver has a single required parameter,
320
# specifying the filename of the pipe to open, and
322
# file - The file driver is one of the most important
323
# destination drivers in syslog-ng. It allows you to
324
# output messages to the named file, or as you'll see
327
# The destination filename may include macros which
328
# gets expanded when the message is written, thus a
329
# simple file() driver may result in several files
330
# to be created. Macros can be included by prefixing
331
# the macro name with a '$' sign (without the quotes),
332
# just like in Perl/PHP.
334
# If the expanded filename refers to a directory
335
# which doesn't exist, it will be created depending
336
# on the create_dirs() setting (both global and a per
337
# destination option)
339
# WARNING: since the state of each created file must
340
# be tracked by syslog-ng, it consumes some memory
341
# for each file. If no new messages are written to a
342
# file within 60 seconds (controlled by the time_reap
343
# global option), it's closed, and its state is freed.
345
# Exploiting this, a DoS attack can be mounted against
346
# your system. If the number of possible destination
347
# files and its needed memory is more than the amount
348
# your logserver has.
350
# The most suspicious macro is $PROGRAM, where the
351
# possible variations is quite high, so in untrusted
352
# environments $PROGRAM usage should be avoided.
357
# ----------------- -----------------------------------------------
358
# DATE Date of the transaction.
359
# DAY The day of month the message was sent.
360
# FACILITY The name of the facility, the message is tagged
362
# FULLDATE Long form of the date of the transaction.
363
# FULLHOST Full hostname of the system that sent the log.
364
# HOST The name of the source host where the message
365
# is originated from. If the message traverses
366
# several hosts, and chain_hostnames() is on,
367
# the first one is used.
368
# HOUR The hour of day the message was sent.
369
# ISODATE Date in ISO format.
370
# MIN The minute the message was sent.
371
# MONTH The month the message was sent.
372
# MSG or MESSAGE Message contents.
373
# PRIORITY or LEVEL The priority of the message.
374
# PROGRAM The name of the program the message was sent by.
375
# SEC The second the message was sent.
376
# TAG The priority and facility encoded as a 2 digit
377
# hexadecimal number.
378
# TZ The time zone or name or abbreviation. e.g. 'PDT'
379
# TZOFFSET The time-zone as hour offset from GMT. e.g.
381
# WEEKDAY The 3-letter name of the day of week the
382
# message was sent, e.g. 'Thu'.
383
# YEAR The year the message was sent. Time expansion
384
# macros can either use the time specified in
385
# the log message, e.g. the time the log message
386
# is sent, or the time the message was received
387
# by the log server. This is controlled by the
388
# use_time_recvd() option.
389
# ----------------- -----------------------------------------------
393
# Name Type Description Default
394
# -------------- ------ -------------------------------- --------
395
# compress y/n Compress the resulting logfile global
396
# using zlib. NOTE: this is not setting
397
# implemented as of 1.3.14.
398
# create_dirs y/n Enable creating non-existing no
400
# dir_perm num The permission mask of 0600
401
# directories created by
402
# syslog-ng. Log directories are
403
# only created if a file after
404
# macro expansion refers to a
405
# non-existing directory, and dir
406
# creation is enabled using
408
# encrypt y/n Encrypt the resulting file. global
409
# NOTE: this is not implemented as setting
411
# fsync y/n Forces an fsync() call on the
412
# destination fd after each write.
413
# Note: this may degrade
414
# performance seriously
415
# group string Set the group of the created root
416
# filename to the one specified.
417
# log_fifo_size num The number of entries in the global
418
# output fifo. setting
419
# owner string Set the owner of the created root
420
# filename to the one specified.
421
# perm num The permission mask of the file 0600
422
# if it is created by syslog-ng.
423
# remove_if_older num If set to a value higher than 0, 0
424
# before writing to a file,
425
# syslog-ng checks whether this
426
# file is older than the specified
427
# amount of time (specified in
428
# seconds). If so, it removes the
429
# existing file and the line to
430
# be written is the first line in
431
# a new file with the same name.
432
# In combination with e.g. the
433
# $WEEKDAY macro, this can be
434
# used for simple log rotation,
435
# in case not all history need to
437
# sync_freq num The logfile is synced when this global
438
# number of messages has been setting
440
# template string Specifies a template which
441
# specifies the logformat to be
442
# used in this file. The possible
443
# macros are the same as in
444
# destination filenames.
445
# template_escape y/n Turns on escaping ' and " in yes
446
# templated output files. It is
447
# useful for generating SQL
448
# statements and quoting string
449
# contents so that parts of your
450
# log message don't get
451
# interpreted as commands to the
453
# -------------- ------ -------------------------------- --------
455
# program - This driver fork()'s executes the given program with
456
# the given arguments and sends messages down to the
457
# stdin of the child.
459
# The program driver has a single required parameter,
460
# specifying a program name to start and no options.
461
# The program is executed with the help of the current
462
# shell, so the command may include both file patterns
463
# and I/O redirection, they will be processed.
465
# NOTE: the program is executed once at startup, and
466
# kept running until SIGHUP or exit. The reason is to
467
# prevent starting up a large number of programs for
468
# messages, which would imply an easy DoS.
469
# tcp/udp - This driver sends messages to another host on the
470
# local intranet or internet using either UDP or TCP
473
# Both drivers have a single required argument
474
# specifying the destination host address, where
475
# messages should be sent, and several optional
476
# parameters. Note that this differs from source
477
# drivers, where local bind address is implied, and
478
# none of the parameters are required.
482
# Name Type Description Default
483
# -------------- ------ -------------------------------- --------
484
# localip string The IP address to bind to before 0.0.0.0
485
# connecting to target.
486
# localport num The port number to bind to. 0
487
# port/destport num The port number to connect to. 514
488
# -------------- ------ -------------------------------- --------
489
# usertty - This driver writes messages to the terminal of a
492
# The usertty driver has a single required argument,
493
# specifying a username who should receive a copy of
494
# matching messages, and no optional arguments.
495
# unix-dgram - unix-stream - This driver sends messages to a unix
496
# socket in either SOCK_STREAM or SOCK_DGRAM mode.
498
# Both drivers have a single required argument
499
# specifying the name of the socket to connect to, and
500
# no optional arguments.
501
#----------------------------------------------------------------------
503
#----------------------------------------------------------------------
504
# Standard Log file locations
505
#----------------------------------------------------------------------
506
# Per-facility log files.
# No owner()/group()/perm() options are given on these, so each file is
# created with the file() driver defaults listed in the option table
# above: owner root, group root, mode 0600.
destination authlog {
    file("/var/log/auth.log");
};
destination bootlog {
    file("/var/log/boot.log");
};
destination debug {
    file("/var/log/debug");
};
destination explan {
    file("/var/log/explanations");
};
destination messages {
    file("/var/log/messages");
};
destination routers {
    file("/var/log/routers.log");
};
destination secure {
    file("/var/log/secure");
};
destination spooler {
    file("/var/log/spooler");
};
destination syslog {
    file("/var/log/syslog");
};
destination user {
    file("/var/log/user.log");
};
517
#----------------------------------------------------------------------
518
# Special catch all destination sorting by host
519
#----------------------------------------------------------------------
520
# Catch-all destination: one file per originating host, facility and day.
# The path is built from macros taken out of each message, so the value of
# $HOST in a message received over the network decides where under
# /var/log/HOSTS its file lands, and create_dirs(yes) lets that create new
# directories. This is exactly the per-file memory / DoS exposure the
# file() driver WARNING above describes; ownership and modes are therefore
# pinned explicitly (root-owned, files 0600, directories 0700).
# NOTE(review): the "_" separators directly follow macro names
# ($FACILITY_$HOST_$YEAR_...). If the macro parser accepts "_" as part of a
# macro name, these are read as unknown macros and the file name loses its
# FACILITY/HOST/date parts -- verify the expanded path on a running
# instance, and use the braced form ${FACILITY}_${HOST} if this version
# supports it.
destination hosts {
    file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$HOST_$YEAR_$MONTH_$DAY"
         owner(root)
         group(root)
         perm(0600)
         dir_perm(0700)
         create_dirs(yes));
};
523
#----------------------------------------------------------------------
524
# Forward to a loghost server
525
#----------------------------------------------------------------------
526
#destination loghost { udp("10.1.1.254" port(514)); };
528
#----------------------------------------------------------------------
529
# Mail subsystem logs
530
#----------------------------------------------------------------------
531
# Mail subsystem: a combined log plus one file per severity band.
# Created with the file() driver defaults (root:root, mode 0600).
destination mail {
    file("/var/log/mail.log");
};
destination mailerr {
    file("/var/log/mail/errors");
};
destination mailinfo {
    file("/var/log/mail/info");
};
destination mailwarn {
    file("/var/log/mail/warnings");
};
536
#----------------------------------------------------------------------
538
#----------------------------------------------------------------------
539
# News subsystem: one file per severity band.
# Created with the file() driver defaults (root:root, mode 0600).
destination newscrit {
    file("/var/log/news/critical");
};
destination newserr {
    file("/var/log/news/errors");
};
destination newsnotice {
    file("/var/log/news/notice");
};
destination newswarn {
    file("/var/log/news/warnings");
};
544
#----------------------------------------------------------------------
546
#----------------------------------------------------------------------
547
# Cron: a combined log plus one file per severity band.
# Created with the file() driver defaults (root:root, mode 0600).
destination cron {
    file("/var/log/cron.log");
};
destination crondebug {
    file("/var/log/cron/debug");
};
destination cronerr {
    file("/var/log/cron/errors");
};
destination croninfo {
    file("/var/log/cron/info");
};
destination cronwarn {
    file("/var/log/cron/warnings");
};
553
#----------------------------------------------------------------------
555
#----------------------------------------------------------------------
556
# Printing (lpr): a combined log plus one file per severity band.
# Created with the file() driver defaults (root:root, mode 0600).
destination lpr {
    file("/var/log/lpr.log");
};
destination lprerr {
    file("/var/log/lpr/errors");
};
destination lprinfo {
    file("/var/log/lpr/info");
};
destination lprwarn {
    file("/var/log/lpr/warnings");
};
561
#----------------------------------------------------------------------
563
#----------------------------------------------------------------------
564
# Kernel: a combined log plus one file per severity band.
# Note the directory is spelled "kernel" while the combined file is
# "kern.log"; both spellings are kept as-is since other tooling may
# depend on them. Created with the file() driver defaults (root:root, 0600).
destination kern {
    file("/var/log/kern.log");
};
destination kernerr {
    file("/var/log/kernel/errors");
};
destination kerninfo {
    file("/var/log/kernel/info");
};
destination kernwarn {
    file("/var/log/kernel/warnings");
};
569
#----------------------------------------------------------------------
571
#----------------------------------------------------------------------
572
# Daemons: a combined log plus one file per severity band.
# Note the directory is "daemons" while the combined file is "daemon.log";
# both are kept as-is. Created with the file() driver defaults
# (root:root, mode 0600).
destination daemon {
    file("/var/log/daemon.log");
};
destination daemonerr {
    file("/var/log/daemons/errors");
};
destination daemoninfo {
    file("/var/log/daemons/info");
};
destination daemonwarn {
    file("/var/log/daemons/warnings");
};
577
#----------------------------------------------------------------------
579
#----------------------------------------------------------------------
580
# Console output: the file() driver opened on the /dev/tty12 terminal
# device rather than a regular log file, so nothing is retained here.
destination console {
    file("/dev/tty12");
};
582
#----------------------------------------------------------------------
584
#----------------------------------------------------------------------
585
# Terminal broadcast via the usertty() driver described above.
# NOTE(review): usertty() takes a username; "*" is presumably the
# syslog-style "every logged-in user" wildcard -- confirm for this version.
# Anything routed here is shown verbatim on user terminals, so keep the
# log statements feeding it restricted to emergency-level messages.
destination users {
    usertty("*");
};
587
#----------------------------------------------------------------------
588
# Examples of programs that accept syslog messages and do something
589
# programmatically with them.
590
#----------------------------------------------------------------------
591
#destination mail-alert { program("/usr/local/bin/syslog-mail"); };
592
#destination mail-perl { program("/usr/local/bin/syslog-mail-perl"); };
594
#----------------------------------------------------------------------
596
#----------------------------------------------------------------------
597
#destination swatch { program("/usr/bin/swatch --read-pipe=\"cat /dev/fd/0\""); };
599
#----------------------------------------------------------------------
602
# Overall there seems to be three primary methods of putting data from
603
# syslog-ng into a database. Each of these has certain pros and cons.
605
# FIFO file: Simply piping the template data into a First In, First
606
# Out file. This will create a stream of data that will
607
# not require any sort of marker or identifier of how
608
# much data has been read. This is the most elegant of
609
# the solutions and probably the most unstable.
611
# Pros: Very fast data writes and reads. Data being
612
# inserted into a database will be near real
615
# Cons: Least stable of all the possible solutions,
616
# and could require a lot of custom work to
617
# make it function on any particular Unix system.
619
# Loss of the pipe file will cause complete
620
# data loss, and all following data that would
621
# have been written to the FIFO file.
623
# Buffer file: While very similar to a FIFO file this is would be a
624
# text file which would buffer all the template
625
# output information. Another program from cron or
626
# similar service would then run and source the buffer
627
# files and process the data into the database.
629
# Pros: Little chance of losing data since everything
630
# will be written to a physical file much like
631
# the regular logging process.
633
# This method gives a tremendous amount of
634
# flexibility since there would be yet another
635
# opportunity to filter logs prior to inserting
636
# any data into the database.
638
# Cons: Because there must be some interval between
639
# the processing of the buffer files, there will
640
# be a lag before the data is inserted in to the
643
# There is also a slight chance of data corruption
644
# (ie bad insert command) if the system crashes
645
# during a write, although this scenario is very
648
# Another possible issue is that because multiple
649
# buffer files be written, the previously run
650
# sourcing file could get behind the data
651
# insertion if there is a very large quantity of
652
# logs being written. This will totally depend
653
# on the system that this is running on.
655
# Program: The least elegant of the solutions. This method is to
656
# send the stream of data through some further interrupter
657
# program such as something in Perl or C. That program
658
# will then take some action based off the data which
659
# could include writing to a database similarly to the
660
# program "sqlsyslogd".
662
# Pros: Allows complete control of the data, and as much
663
# post processing as required.
665
# Cons: Slowest of all the forms. Since the data will
666
# have to go through some post processing it will
667
# cause data being written to the database to
668
# remain behind actual log records. This could
669
# cause a race condition in that logging is lost
670
# either due to system crash, or high load on
671
# the logging system.
673
#----------------------------------------------------------------------
675
#----------------------------------------------------------------------
676
# Writing to a MySQL database:
678
# Assumes a table/database structure of:
680
# CREATE DATABASE syslog;
683
# CREATE TABLE logs ( host varchar(32) default NULL,
684
# facility varchar(10) default NULL,
685
# priority varchar(10) default NULL,
686
# level varchar(10) default NULL,
687
# tag varchar(10) default NULL,
688
# date date default NULL,
689
# time time default NULL,
690
# program varchar(15) default NULL,
691
# msg text, seq int(10) unsigned NOT NULL auto_increment,
695
# KEY program (program),
698
# KEY priority (priority),
699
# KEY facility (facility))
702
#----------------------------------------------------------------------
704
#----------------------------------------------------------------------
705
#destination database { pipe("/tmp/mysql.pipe"
706
# template("INSERT INTO logs (host, facility,
707
# priority, level, tag, date, time, program,
708
# msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY',
709
# '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY',
710
# '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
711
# template-escape(yes)); };
713
#----------------------------------------------------------------------
715
#----------------------------------------------------------------------
716
# Buffer-file method: every message is rendered as a complete SQL INSERT
# statement and appended to a per-second file under /var/log/dblog, which
# a separate importer later feeds into the MySQL table described above.
#
# Notes for whoever writes or reviews the importer:
#  - The statement text is assembled from message fields ($HOST, $PROGRAM,
#    $MSG, ...) that originate in the logged messages, including those
#    received over the network. template-escape(yes) escapes ' and " in
#    those fields (see the option table above), which is what keeps a
#    quote inside a message from ending the VALUES string early; the
#    importer should still treat these files as untrusted input and not
#    pipe them straight into a privileged database session.
#  - The file name includes $HOUR.$MIN.$SEC, so a busy server can open a
#    new file every second; each open file costs syslog-ng memory until
#    time_reap closes it (see the file() driver WARNING above).
#  - Files and directories are created root-owned, mode 0600 / 0700.
destination database { file("/var/log/dblog/fulllog.$YEAR.$MONTH.$DAY.$HOUR.$MIN.$SEC"
template("INSERT INTO logs (host, facility,
priority, level, tag, date, time, program,
msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY',
'$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY',
'$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
owner(root) group(root) perm(0600)
dir_perm(0700) create_dirs(yes)
template-escape(yes)); };
726
#----------------------------------------------------------------------
727
# Program method (alternate using sqlsyslogd):
729
# Notes: This is not a bad process, but lacks very much flexibility
730
# unless more changes are made to the source of sqlsyslogd.
731
# This is because sqlsyslogd assumes the data in a larger
732
# object style instead of breaking it down into smaller
734
#----------------------------------------------------------------------
735
#destination database { program("/usr/local/sbin/sqlsyslogd -u
# sqlsyslogd -t logs sqlsyslogs2 -p"); };
# NOTE(review): if "-p" here takes the database password as the next
# argument, that password is visible to every local user in the
# process list for as long as sqlsyslogd runs; prefer a root-only
# credentials file if sqlsyslogd supports one.
738
#----------------------------------------------------------------------
739
# Since we will probably not be putting ALL of our logs in the database,
# we should capture the data we discard for later review, to ensure we
# did not throw away anything we really should have kept.
743
#----------------------------------------------------------------------
744
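# Everything the database filter rejects is kept here for later review.
# Hardened to match the database destination: the discarded messages
# are the same untrusted and potentially sensitive text, so the file is
# made root-only explicitly instead of relying on whatever the global
# owner/perm defaults happen to be.
destination db_discard { file("/var/log/discard.log"
                              owner(root) group(root) perm(0600)); };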
746
#----------------------------------------------------------------------
748
#----------------------------------------------------------------------
752
# Name Synopsis Description
753
# -------------- ------------------------------ --------------------
754
# facility facility(facility[,facility]) Match messages
756
# listed facility code.
757
# filter Call another filter rule and
759
# host host(regexp) Match messages by
764
# level/priority level(pri[,pri1..pri2[,pri3]]) Match messages based
766
# match Tries to match a regular
767
# expression to the message
769
# program program(regexp) Match messages by
773
# field of log messages
774
#----------------------------------------------------------------------
777
# Getting filtering to work right can be difficult because while the
778
# syntax is fairly simple, it is not well documented. To illustrate
779
# a brief lesson on filtering and to explain the majority of the
780
# mechanics, we shall use the filter from the PostgreSQL database
781
# how-to page found at: http://www.umialumni.com/~ben/SYSLOG-DOC.html
783
# This is a perfect and somewhat complex example to use. In its
784
# original form it resembles:
786
# filter f_postgres { not(
787
# (host("syslogdb") and facility(cron) and level(info))
788
# or (facility(user) and level(notice)
789
# and ( match(" gethostbyaddr: ")
790
# or match("last message repeated ")
793
# or ( facility(local3) and level(notice)
794
# and match(" SYSMON NORMAL "))
795
# or ( facility(mail) and level(warning)
796
# and match(" writable directory")
798
# or ( ( host("dbserv1.somecompany.com")
799
# or host("dbserv2.somecompany.com")
801
# and facility(auth) and level(info)
802
# and match("su oracle") and match(" succeeded for root on /dev/")
806
# While in this form, it does not induce a tremendous amount of
807
# insight on what the specific filter is attempting to accomplish. In
808
# reformatting the filter to resemble something a bit more human
809
# readable, it would look like:
811
# filter f_postgres { not
814
# host("syslogdb") and
822
# match(" gethostbyaddr: ") or
823
# match("last message repeated ")
827
# facility(local3) and
829
# match(" SYSMON NORMAL ")
834
# match(" writable directory")
838
# host("dbserv1.somecompany.com") or
839
# host("dbserv2.somecompany.com")
843
# match("su oracle") and
844
# match(" succeeded for root on /dev/")
849
# Now in this form we can now begin to see what this filter has been
850
# attempting to accomplish. We can now further breakdown each logical
851
# section and explain the different methods:
853
# [1] As in all statements in syslog-ng, each of the beginnings and
854
# endings must be with a curly bracket "{" "}" to clearly denote
855
# the start and finish.
857
# In this filter, the entire expression is prefixed by a "not" to
# indicate that these are the messages we are NOT interested in and
# that should be filtered out. Every log line that does not match
# any of the clauses is passed on to the destination.
864
# [2] The first major part of the filter is actually a compound
865
# filter that has two parts. Because the two parts are separated
866
# by an "or", only one of the two parts must be matched for that
867
# line of log to be filtered.
869
# [2a] In the first part of this filter there are three requirements
# that must all be met for the filter to take effect: the host
# string "syslogdb", the facility "cron", and the syslog level
876
# host("syslogdb") and
881
# [2b] In the second part of the filter, which in itself is a
882
# compound filter, there are three requirements as well. These
883
# are that the facility of "user", and the log level of "notice"
884
# are met in addition to one of the two string matches that are
885
# shown in the example.
891
# match(" gethostbyaddr: ") or
892
# match("last message repeated ")
896
# [3] In the third section of the filter there are once again three
# requirements for a match: a facility of "local3", a log level of
# "notice", and a string match of " SYSMON NORMAL ".
901
# facility(local3) and
903
# match(" SYSMON NORMAL ")
906
# [4] This part of the filter is very similar to the previous
907
# filter, but with different search patterns.
912
# match(" writable directory")
915
# [5] The last section of the filter is also a compound filter. To
# take effect it requires that one of the two hosts is matched, the
# facility is "auth", and the log level is "info", in addition to
# both string matches.
922
# host("dbserv1.somecompany.com") or
923
# host("dbserv2.somecompany.com")
927
# match("su oracle") and
928
# match(" succeeded for root on /dev/")
931
# [6] As in all command sets in syslog-ng, each of the statements
932
# must be properly closed with the correct ending punctuation
933
# AND a semi-colon. Do not forget both, or you will be faced with
938
# While this may not be the most complete example, it does cover the
939
# majority of the options and features that are available within the
940
# current version of syslog-ng.
941
#----------------------------------------------------------------------
943
#----------------------------------------------------------------------
944
# Standard filters for the standard destinations.
945
#----------------------------------------------------------------------
946
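# Per-facility filters for the standard destinations. facility()
# matches the syslog facility of a message; level() matches one
# priority exactly unless written as a range (pri1..pri2).
# f_auth deliberately covers authpriv as well, so authpriv messages
# land in both authlog and secure.
filter f_auth     { facility(auth, authpriv); };
filter f_authpriv { facility(authpriv); };
filter f_cron     { facility(cron); };
filter f_daemon   { facility(daemon); };
filter f_kern     { facility(kern); };
filter f_local1   { facility(local1); };
filter f_local2   { facility(local2); };
filter f_local3   { facility(local3); };
filter f_local4   { facility(local4); };
filter f_local5   { facility(local5); };
filter f_local6   { facility(local6); };
filter f_local7   { facility(local7); };
filter f_lpr      { facility(lpr); };
filter f_mail     { facility(mail); };
# daemon, kern and user together feed the messages file.
filter f_messages { facility(daemon, kern, user); };
filter f_news     { facility(news); };
# FIX: the classic syslog.conf line this emulates ("uucp,news.crit")
# selects crit AND every more severe priority. level(crit) on its own
# matched only crit, so alert and emerg messages from these facilities
# never reached the spooler log; the range restores them.
filter f_spooler  { facility(uucp, news) and level(crit..emerg); };
# Everything except auth/authpriv and mail goes to the main syslog file.
filter f_syslog   { not facility(auth, authpriv) and not facility(mail); };
filter f_user     { facility(user); };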
966
#----------------------------------------------------------------------
967
# Other catch-all filters
968
#----------------------------------------------------------------------
969
# Per-priority filters, most to least severe. Each one matches exactly
# the named priority and nothing above it (syslog-ng needs level(a..b)
# for a range), so a log statement that combines one of these with a
# facility filter captures a single severity only.
filter f_emergency { level(emerg); };
filter f_crit      { level(crit); };
filter f_err       { level(err); };
filter f_warn      { level(warn); };
filter f_notice    { level(notice); };
filter f_info      { level(info); };
filter f_debug     { level(debug); };
# Earlier definition, kept for reference: it selected everything except
# the auth/authpriv/news/mail facilities rather than the debug priority.
#filter f_debug { not facility(auth, authpriv, news, mail); };
978
#----------------------------------------------------------------------
# Filters for the MySQL database pipe. These are things that we really
# do not care to see, as they would otherwise fill the database with
# noise. f_db selects what goes to the database and f_discard the
# complement that goes to db_discard.
#
# NOTE(review): in the first f_db below, "not" binds tighter than
# "and", so "not facility(kern) and level(info, warning)" means
# "(not kern) and (info or warning)" -- which is not the complement of
# the matching f_discard clause. The second f_db has the same problem:
# "not A or not B" is true for every message that does not match both
# patterns; the complement of "A or B" is "not (A or B)". The safe way
# to express "everything f_discard does not match" is to reuse it:
#filter f_db { not filter(f_discard); };
#----------------------------------------------------------------------
#filter f_db { not facility(kern) and level(info, warning) or
# not facility(user) and level(notice) or
# not facility(local2) and level(debug); };
#filter f_db { not match("last message repeated ") or
# not match("emulate rawmode for keycode"); };
#filter f_discard { facility(kern) and level(info, warning) or
# facility(user) and level(notice) or
# facility(local2) and level(debug); };
#filter f_discard { match("last message repeated ") or
# match("emulate rawmode for keycode"); };
997
#----------------------------------------------------------------------
999
#----------------------------------------------------------------------
1001
# Notes: When a log statement names more than one filter, a message
# must pass ALL of them (they are ANDed), so each filter narrows
# what the previous one let through. If two filters select
# disjoint sets -- say facility(cron) followed by facility(lpr) --
# nothing is ever written. With the definitions in this file the
# example below still produces output, because f_auth matches both
# auth and authpriv and f_authpriv then keeps only the authpriv part:
#
# log { source(s_dgram);
#       source(s_internal);
#       source(s_udp); filter(f_auth);
#       filter(f_authpriv); destination(authlog); };
#
# So one filter can narrow -- or entirely cancel -- another.
1016
# There are also certain flags that can be attached to each of the log
1020
# -------- ----------------------------------------------------------
1021
# catchall This flag means that the source of the message is ignored,
1022
# only the filters are taken into account when matching
1024
# fallback This flag makes a log statement 'fallback'. Being a
1025
# fallback statement means that only messages not matching
1026
# any 'non-fallback' log statements will be dispatched.
1027
# final This flag means that the processing of log statements ends
# here. Note that this does not necessarily mean the message is
# stored only once: it may already have matched log statements
# processed before the current one.
1031
#----------------------------------------------------------------------
1033
#----------------------------------------------------------------------
1035
#----------------------------------------------------------------------
1036
# Standard destinations. Every active statement reads the local
# datagram socket and the TCP source, so anything accepted from the
# network is mixed into these files under the sender's own $HOST and
# $PROGRAM values; the filters here select by facility only.
# NOTE(review): the disabled variants below also read s_internal; the
# active statements as written do not, so syslog-ng's own internal
# messages do not reach these files -- confirm that is intended.
# f_auth covers auth AND authpriv, and f_authpriv feeds secure as well,
# so authpriv messages are written to both authlog and secure; both
# destinations (defined elsewhere in this file) should carry
# perm(0600) like the database destination.
log { source(s_dgram); source(s_tcp); filter(f_auth);     destination(authlog);  };
log { source(s_dgram); source(s_tcp); filter(f_local7);   destination(bootlog);  };
# Debug feed, disabled:
#log { source(s_dgram); source(s_internal); source(s_udp); filter(f_debug); destination(debug); };
log { source(s_dgram); source(s_tcp); filter(f_local1);   destination(explan);   };
log { source(s_dgram); source(s_tcp); filter(f_local5);   destination(routers);  };
log { source(s_dgram); source(s_tcp); filter(f_messages); destination(messages); };
log { source(s_dgram); source(s_tcp); filter(f_authpriv); destination(secure);   };
log { source(s_dgram); source(s_tcp); filter(f_spooler);  destination(spooler);  };
log { source(s_dgram); source(s_tcp); filter(f_syslog);   destination(syslog);   };
# Unfiltered copy to the syslog destination, disabled:
#log { source(s_dgram); source(s_internal); source(s_udp); destination(syslog); };
log { source(s_dgram); source(s_tcp); filter(f_user);     destination(user);     };
1075
#----------------------------------------------------------------------
1076
# Special catch all destination sorting by host
1077
#----------------------------------------------------------------------
1078
# Catch-all: every message from both sources, with no filter at all,
# goes to the per-host destination. NOTE(review): if the hosts
# destination (defined elsewhere in this file) builds its path from
# $HOST, that value is supplied by the sender for anything received on
# s_tcp, so a forged hostname chooses the file name -- confirm the
# destination template cannot be steered outside its directory and
# that the hostname-related global options are set the way you expect.
log { source(s_dgram); source(s_tcp); destination(hosts); };
1083
#----------------------------------------------------------------------
1085
#----------------------------------------------------------------------
1086
#log { source(s_dgram);
1087
# source(s_internal);
1089
# source(s_tcp); destination(loghost); };
1091
#----------------------------------------------------------------------
1092
# Mail subsystem logging
1093
#----------------------------------------------------------------------
1094
# Mail subsystem logging, split by severity. The severity filters are
# exact matches and f_syslog excludes the mail facility, so among the
# log statements in this file mail messages at crit, alert, emerg (and
# debug) reach only the hosts catch-all -- no mail-specific file
# records them.
# Unsplit mail log, disabled (it also read s_internal/s_udp):
#log { source(s_dgram); source(s_internal); source(s_udp); filter(f_mail); destination(mail); };
log { source(s_dgram); source(s_tcp); filter(f_mail); filter(f_err);    destination(mailerr);  };
log { source(s_dgram); source(s_tcp); filter(f_mail); filter(f_info);   destination(mailinfo); };
log { source(s_dgram); source(s_tcp); filter(f_mail); filter(f_notice); destination(mailinfo); };
log { source(s_dgram); source(s_tcp); filter(f_mail); filter(f_warn);   destination(mailwarn); };
1116
#----------------------------------------------------------------------
1117
# INN subsystem logging
1118
#----------------------------------------------------------------------
1119
# INN subsystem logging, split by severity. news at crit also matches
# f_spooler, and news at the severities not listed here (info, debug,
# alert, emerg) is not excluded by f_syslog, so it still appears in the
# main syslog file and in the hosts catch-all.
log { source(s_dgram); source(s_tcp); filter(f_news); filter(f_crit);   destination(newscrit);   };
log { source(s_dgram); source(s_tcp); filter(f_news); filter(f_err);    destination(newserr);    };
log { source(s_dgram); source(s_tcp); filter(f_news); filter(f_notice); destination(newsnotice); };
log { source(s_dgram); source(s_tcp); filter(f_news); filter(f_warn);   destination(newswarn);   };
1136
#----------------------------------------------------------------------
1137
# Cron subsystem logging
1138
#----------------------------------------------------------------------
1139
# Cron subsystem logging, split by severity (err, info, warning only).
# cron at every other severity is still caught by f_syslog and by the
# hosts catch-all, so nothing is lost -- it is just not cron-specific.
# Full cron debug feed, disabled (it also read s_internal/s_udp):
#log { source(s_dgram); source(s_internal); source(s_udp); filter(f_cron); destination(crondebug); };
log { source(s_dgram); source(s_tcp); filter(f_cron); filter(f_err);  destination(cronerr);  };
log { source(s_dgram); source(s_tcp); filter(f_cron); filter(f_info); destination(croninfo); };
log { source(s_dgram); source(s_tcp); filter(f_cron); filter(f_warn); destination(cronwarn); };
1156
#----------------------------------------------------------------------
1157
# LPR subsystem logging
1158
#----------------------------------------------------------------------
1159
# LPR subsystem logging, split by severity (err, info, warning only).
# lpr at every other severity still reaches the main syslog file
# (f_syslog) and the hosts catch-all.
# Unsplit lpr log, disabled (it also read s_internal/s_udp):
#log { source(s_dgram); source(s_internal); source(s_udp); filter(f_lpr); destination(lpr); };
log { source(s_dgram); source(s_tcp); filter(f_lpr); filter(f_err);  destination(lprerr);  };
log { source(s_dgram); source(s_tcp); filter(f_lpr); filter(f_info); destination(lprinfo); };
log { source(s_dgram); source(s_tcp); filter(f_lpr); filter(f_warn); destination(lprwarn); };
1176
#----------------------------------------------------------------------
1177
# Kernel subsystem logging
1178
#----------------------------------------------------------------------
1179
# Kernel subsystem logging, split by severity (err, info, warning only).
# kern messages at every severity also go to the messages file via
# f_messages, to the main syslog file via f_syslog, and to the hosts
# catch-all.
# Unsplit kernel log, disabled (it also read s_internal/s_udp):
#log { source(s_dgram); source(s_internal); source(s_udp); filter(f_kern); destination(kern); };
log { source(s_dgram); source(s_tcp); filter(f_kern); filter(f_err);  destination(kernerr);  };
log { source(s_dgram); source(s_tcp); filter(f_kern); filter(f_info); destination(kerninfo); };
log { source(s_dgram); source(s_tcp); filter(f_kern); filter(f_warn); destination(kernwarn); };
1200
#----------------------------------------------------------------------
1201
# Daemon subsystem logging
1202
#----------------------------------------------------------------------
1203
# Daemon subsystem logging, split by severity (err, info, warning only).
# daemon messages at every severity also go to the messages file via
# f_messages, to the main syslog file via f_syslog, and to the hosts
# catch-all.
# Unsplit daemon log, disabled (it also read s_internal/s_udp):
#log { source(s_dgram); source(s_internal); source(s_udp); filter(f_daemon); destination(daemon); };
log { source(s_dgram); source(s_tcp); filter(f_daemon); filter(f_err);  destination(daemonerr);  };
log { source(s_dgram); source(s_tcp); filter(f_daemon); filter(f_info); destination(daemoninfo); };
log { source(s_dgram); source(s_tcp); filter(f_daemon); filter(f_warn); destination(daemonwarn); };
1220
#----------------------------------------------------------------------
1222
#----------------------------------------------------------------------
1223
# 16-Mar-03 - REP - Removed logging to the console for performance
1224
# reasons. Since we are not really going to be
1225
# looking at the console all the time, why log there
1227
#----------------------------------------------------------------------
1228
#log { source(s_dgram);
1229
# source(s_internal);
1231
# source(s_tcp); filter(f_syslog); destination(console); };
1233
#----------------------------------------------------------------------
1234
# Logging to a database
1235
#----------------------------------------------------------------------
1236
#log { source(s_dgram);
#      source(s_internal);
#      source(s_tcp); filter(f_db); destination(database); };
#log { source(s_dgram);
#      source(s_internal);
#      source(s_tcp); filter(f_discard); destination(db_discard); };
# NOTE(review): enable these two statements together or not at all,
# and keep f_db the exact complement of f_discard (simplest:
# "filter f_db { not filter(f_discard); };"). Otherwise a message can
# be lost from both the database and discard.log, or land in both.