Sample configuration for linux syslog-ng
# syslog-ng.conf
#
# 1002.10 David Mackintosh
#
# Generic Format: log ($SOURCE, [$FILTER, [$FILTER, [...]]] $DESTINATION)
#
# Note that you have to define your sources, filters, and destinations
# before you can use them.

# Program Options:
options {
# use_fqdn(yes);
# use_dns(yes);
# dns_cache(yes);
keep_hostname(yes);
long_hostnames(off);
sync(0);
log_fifo_size(1024);
};

# Sources:
source all_src {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
udp(ip(0.0.0.0) port(514));
};
# Filters:
# Severities: I like filters set up this way as they simulate the effects of
# traditional syslog.conf format.
#
filter f_notice { level(notice ... emerg);};
filter f_info { level(info ... emerg);};
filter f_debug { level(debug ... emerg);};

# If mail is going to a specific place, I like to keep it out of other places.
filter f_not_mail { not facility(mail); };
filter f_mail { facility(mail); };

# Destinations:
# The leading "\n" character in the template is to work-around
# a bug with netscreen syslogging.
destination messages { file("/var/log/messages" template("\n$ISODATE $HOST $MSG"));};
# destination syslog { file("/var/log/syslog");};
destination maillog { file("/var/log/maillog" template("\n$ISODATE $HOST $MSG"));};

# Magic per-host destinations:
# Magic per-host destination (good for central syslog hosts).
# Note that $HOST is the name of the system sending the update, NOT the
# originating system (ie in a scenario where one log concentrator sends
# logs on to another concentrator: if Host A sends to Host B, and host B
# sends on to host C, which has this type of destination, then $HOST is
# going to be B, even though the message originated on A.)
destination debug-per-host { file("/var/log/HOSTS/$HOST/debug.$YEAR-$MONTH-$DAY" owner(root) group(root) perm(0600) dir_perm(0700) template("\n$ISODATE $HOST $MSG") create_dirs(yes)); };
# Glue it all together:
log { source(all_src); filter(f_not_mail); filter(f_info); destination(messages); };
log { source(all_src); filter(f_mail); filter(f_info); destination(maillog); };
log { source(all_src); filter(f_debug); destination(debug-per-host); };
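The three log statements above decide which file a message lands in, and it is easy to misjudge how a severity range such as level(info ... emerg) interacts with the facility filters. The script below is an added example, not code from the page and not syslog-ng's own API: it re-implements those rules in plain Python (ranges are inclusive, several filter() references in one log statement are ANDed, $HOST/$YEAR/$MONTH/$DAY are expanded into the per-host path) so the configuration can be checked against constructed messages before it is deployed. $ISODATE is approximated with a naive isoformat() timestamp, and the sample messages and hostname are constructed.

```python
"""Route constructed syslog messages through the filters and log statements
of the syslog-ng configuration above.

Added example: not code from the page and not syslog-ng's own API. It models
level(a ... b), facility(x), "not facility(x)" and log {} statements whose
filters are ANDed together, so the effect of the filter set can be checked
against sample messages.
"""
from dataclasses import dataclass
from datetime import datetime

# Severities as numbered in the syslog protocol (0 = emerg ... 7 = debug).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Message template shared by the destinations above; the leading "\n" is the
# netscreen workaround the page mentions.
MESSAGE_TEMPLATE = "\n$ISODATE $HOST $MSG"


@dataclass
class Message:
    host: str        # $HOST: the system this syslog-ng instance received it from
    facility: str
    severity: str
    text: str        # $MSG
    ts: datetime     # receipt time, used for $ISODATE / $YEAR / $MONTH / $DAY


def level_range(first, last):
    """Mimic level(first ... last): true for any severity in the inclusive range.

    The page writes the ranges least-severe first (info ... emerg), so the two
    indices are normalised before comparing."""
    lo, hi = sorted((SEVERITIES.index(first), SEVERITIES.index(last)))
    return lambda m: lo <= SEVERITIES.index(m.severity) <= hi


def facility(name):
    return lambda m: m.facility == name


def negate(predicate):
    return lambda m: not predicate(m)


# The filter f_xxx { ... }; statements from the configuration.
FILTERS = {
    "f_notice": level_range("notice", "emerg"),
    "f_info": level_range("info", "emerg"),
    "f_debug": level_range("debug", "emerg"),
    "f_not_mail": negate(facility("mail")),
    "f_mail": facility("mail"),
}

# destination name -> file() path, with the macros spelled as on the page.
DESTINATIONS = {
    "messages": "/var/log/messages",
    "maillog": "/var/log/maillog",
    "debug-per-host": "/var/log/HOSTS/$HOST/debug.$YEAR-$MONTH-$DAY",
}

# The log { source(all_src); filter(...); ...; destination(...); } statements.
# Every filter() named in one log statement must match for it to fire.
LOG_PATHS = [
    (["f_not_mail", "f_info"], "messages"),
    (["f_mail", "f_info"], "maillog"),
    (["f_debug"], "debug-per-host"),
]


def expand(template, m):
    """Expand the subset of syslog-ng macros used on the page.

    $ISODATE is approximated with datetime.isoformat(); the real macro also
    carries a timezone offset, which this naive datetime does not have.
    $MSG is substituted last so message text cannot inject other macros."""
    return (template.replace("$ISODATE", m.ts.isoformat(timespec="seconds"))
            .replace("$HOST", m.host)
            .replace("$YEAR", f"{m.ts.year:04d}")
            .replace("$MONTH", f"{m.ts.month:02d}")
            .replace("$DAY", f"{m.ts.day:02d}")
            .replace("$MSG", m.text))


def route(m):
    """Return the files this message would be appended to, in log-statement order."""
    return [expand(DESTINATIONS[dest], m)
            for names, dest in LOG_PATHS
            if all(FILTERS[n](m) for n in names)]


def render(m):
    """Return the line written to each file (the same template for every destination)."""
    return expand(MESSAGE_TEMPLATE, m)


def sample(facility_name, severity, host="hostb", text="test message"):
    """Constructed sample message with a fixed timestamp, for experiments and tests."""
    return Message(host, facility_name, severity, text, datetime(2010, 2, 10, 3, 15, 0))


if __name__ == "__main__":
    for m in (sample("kern", "warning"), sample("mail", "info"), sample("daemon", "debug")):
        print(f"{m.facility}.{m.severity:<8} -> {route(m)}")
    print(repr(render(sample("kern", "warning"))))
```

Running it shows the split the configuration produces: a kern.warning goes to /var/log/messages and to the per-host debug file, a mail.info goes to /var/log/maillog and the per-host file, and anything at debug severity, mail included, reaches only the per-host file because f_info stops at info.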
Housekeeping
In cron:
# Compress and prune per-system syslogs
15 3 * * * find /var/log/HOSTS -type f -mtime +7 ! -name '*.gz' -exec gzip -9 {} \;
10 3 * * * find /var/log/HOSTS -type f -mtime +28 -name '*.gz' -exec rm -f {} \;
Getting
Syslog-ng for RHEL-5 is available through the EPEL. (See Linux/RedHat/Enterprise/5/Other Yum Repositories For RHEL-5 Family notes.)