Talk:Syslog-ng

From Gentoo Linux Wiki


Well, this article is fairly unhelpful; does someone with experience configuring syslog-ng want to add to it?

Makes for a decent starting point

This is a pretty good starting point for a syslog-ng config file; it might be a little complex.

Except for one thing: they've left out the stats(43200); in the options line. That stats value is recommended by the default Gentoo syslog-ng install as a way of cutting down on the syslog-ng chatter in the log file. Instead of syslog-ng emitting a "STATS: dropped 0" line every 10 minutes (the default), it will only emit that log entry every 12 hours when the value is set to 43200.

pipe vs file

I don't see why using pipe("/proc/kmsg") instead of using file("/proc/kmsg") provides better performance. It's not a security-vs-performance trade-off. file is the way to go, pipe is not. As I see it, this is clearly stated in the manual, and as I see it the default configuration for Gentoo should be fixed.

BTW: I'm the author of syslog-ng.

Mimosinnet 19:54, 10 July 2007 (UTC) Thanks very much for your comment. This has been suggested in this post. I have modified the HOWTO. Could you please give some comments on why file is the way to go? Cheers!


Bad configuration file

As I see it, the example syslog-ng.conf file produces a very unsatisfying result, as some entries are logged redundantly (double). Also, some filters are not used at all. I think the command flags(final); should be added for some log rules.

File: /etc/syslog-ng/syslog-ng.conf
# /etc/syslog-ng/syslog-ng.conf

options {
	chain_hostnames(off);
	sync(0);
	create_dirs(yes);
	# The default action of syslog-ng 1.6.0 is to log a STATS line
	# to the file every 10 minutes.  That's pretty ugly after a while.
	# Change it to every 12 hours so you get a nice daily update of
	# how many messages syslog-ng missed (0).
	stats(43200); };

# src gets messages from the /dev/log socket and from syslog-ng itself
source src {
	unix-stream("/dev/log" max-connections(256));
	internal(); };
# kernsrc gets kernel messages from /proc/kmsg (file(), not pipe())
source kernsrc {
	file("/proc/kmsg"); };

# define destinations
# ...if you intend to use /dev/console for programs like xconsole
#destination console_all { file("/dev/console"); };

destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination user { file("/var/log/user.log"); };
destination error { file("/var/log/error.log"); };

# Should be maillog (without dot), as that is the default for logwatch
destination mail { file("/var/log/maillog"); };

destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };

destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };

destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };

# create filters
filter f_auth { facility(auth, authpriv); };

# level() takes a single lo..hi range; "info..warn..err" is not valid syntax
filter f_syslog { not facility(auth, authpriv, mail, news)
	and not level(info..err); };
filter f_messages { level(info..warn)
	and not facility(auth, authpriv, mail, news); };

filter f_cron { facility(cron); };
filter f_kern { facility(kern); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_emergency { level(emerg); };

filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };
filter f_notmail { not facility(mail); };

# create logs (source .. filter .. destination)
# flags(final) stops a matched message from being evaluated by later log statements
log { source(src); filter(f_auth); destination(authlog); flags(final); };
log { source(src); filter(f_cron); destination(cron); flags(final); };
# each filter is referenced by its own filter() statement; several are ANDed
log { source(src); filter(f_err); filter(f_notmail); destination(error); flags(final); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); flags(final); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); flags(final); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); flags(final); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_syslog); destination(syslog); };

log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };

# default log
log { source(src); destination(console_all); };
log { source(kernsrc); filter(f_kern); destination(kern); };

I hope this provides a better idea. Also, I'm very sure it's not perfect, since I also only applied what is written in the HOWTO.

00:28, 29 February 2008 (UTC) Lanoxxthshaddow
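To see concretely why the posted file double-logs without flags(final), here is a small model of syslog-ng's log-path evaluation. This is an added example written for this talk page, not syslog-ng code and not the poster's configuration: it only models facility()/level() filters, the ANDing of several filter() statements in one log statement, and flags(final) stopping later log statements from seeing an already-matched message. The log paths are a hand-copied subset of the configuration above, in the same order, and the messages it routes are constructed.

```python
"""Toy model of syslog-ng log-path evaluation (added example, not syslog-ng code)."""
from dataclasses import dataclass

# syslog severities in priority order (0 = emerg ... 7 = debug), as used by level()
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err"}


def level_index(name):
    return LEVELS.index(ALIASES.get(name, name))


def facility(*names):
    """Model of facility(a, b, ...): true if the message's facility is one of them."""
    allowed = set(names)
    return lambda msg: msg["facility"] in allowed


def level(spec):
    """Model of level(): a single level like "err" or one lo..hi range like "info..err"."""
    if ".." in spec:
        lo, hi = spec.split("..")
        lo_i, hi_i = sorted((level_index(lo), level_index(hi)))
        return lambda msg: lo_i <= level_index(msg["level"]) <= hi_i
    wanted = level_index(spec)
    return lambda msg: level_index(msg["level"]) == wanted


def not_(f):
    return lambda msg: not f(msg)


@dataclass
class LogPath:
    filters: list        # all filter() statements of one log {} must match (AND)
    destination: str
    final: bool = False  # flags(final)


def route(paths, msg):
    """Return the destinations a message reaches, honouring flags(final)."""
    hits = []
    for path in paths:
        if all(f(msg) for f in path.filters):
            hits.append(path.destination)
            if path.final:
                break  # later log statements never see this message
    return hits


def gentoo_like_paths(use_final):
    """Subset of the posted syslog-ng.conf; use_final toggles the flags(final) the poster added."""
    others = ("auth", "authpriv", "mail", "news")
    return [
        LogPath([facility("auth", "authpriv")], "auth.log", use_final),
        LogPath([facility("cron")], "cron.log", use_final),
        LogPath([level("err"), not_(facility("mail"))], "error.log", use_final),
        LogPath([facility("mail"), level("info")], "mail.info", use_final),
        LogPath([facility("mail")], "maillog"),
        LogPath([not_(facility(*others)), not_(level("info..err"))], "syslog"),
        LogPath([level("info..warn"), not_(facility(*others))], "messages"),
        LogPath([], "tty12"),  # the "default log" with no filter: catch-all
    ]


# Constructed sample messages (facility and severity only, which is all the model needs)
SAMPLES = {
    "sshd auth failure": {"facility": "auth", "level": "err"},
    "cron job started": {"facility": "cron", "level": "info"},
    "mail delivered": {"facility": "mail", "level": "info"},
    "daemon warning": {"facility": "daemon", "level": "warning"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:20s} without final: {route(gentoo_like_paths(False), msg)}")
        print(f"{'':20s} with final:    {route(gentoo_like_paths(True), msg)}")
```

Running it shows the auth error landing in auth.log, error.log and tty12 without final, and only in auth.log with it. It also shows the flip side that a practitioner should check before copying the poster's rules: with flags(final) on the mail.info path, a mail/info message never reaches maillog or the catch-all tty12 either, so any tool that reads maillog (logwatch is mentioned above) will no longer see it.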
