Wednesday, June 25, 2008

An Enhanced and More Powerful Syslog App - syslog-ng

We recently purchased a new network application/appliance.

As part of my normal practice, I wanted to configure the
appliance to duplicate its logs to our centralized syslog server.
With standard syslogd, you add one line to your configuration
file (syslog.conf) and restart the daemon.

But this appliance uses syslog-ng, an enhanced and more
powerful syslog application.

The syslog-ng configuration file (syslog-ng.conf) includes
four main components: source, filter, destination, and log.

1. source (required) - This tells syslog-ng where the
log data comes from. This could be a network port, a
stream device, or a file (for example /proc/kmsg).

2. filter (optional) - A filter selects which messages a
log statement applies to. If you want to throw all your
log data into one file, you don't need a filter.

3. destination (required) - Syslog-ng needs to know what
to do with the data it reads from "source". Destination
can be a file, a remote server IP, a pipe, usertty, etc.

4. log (required) - This is the line that makes it all
happen by bringing the above items together.

This line basically says:
"look at all the logs coming from $source, pull
this $filter and save it in $destination."

NOTE: You can include multiple sources, filters and
destinations on this line.

For example, I want to configure syslog-ng to send all logs
to a local file and to my Centralized Log Server (IP 1.2.3.4):

-----------------
# Solaris Configuration:

# SOURCE
# This source entry allows locally generated logs to be captured

source local { sun-streams("/dev/log" door("/etc/.syslog_door")); internal(); };

# FILTER (optional)
# I'm not defining any filter since I want everything.

# DESTINATION
# I want to send the logs via the standard syslog UDP port to IP 1.2.3.4
# and to a file locally, /var/log/everything.log.

destination logserver { udp("1.2.3.4"); };
destination localfile { file("/var/log/everything.log"); };

# LOG

log { source(local); destination(logserver); destination(localfile); };

---------------

After you edit your configuration file, you can verify the syntax using this command:

$ syslog-ng -s

If you don't have any errors, restart your syslog-ng daemon.
You should now be logging everything to the file /var/log/everything.log as well as to the remote log server.
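The post's example leaves the optional filter component out. The following configuration is an added example, not part of the original post, showing all four components together on a Linux host: authentication messages are split into their own restricted file while everything still goes to the central log server at 1.2.3.4 from the post. The source driver (unix-dgram, used by Red Hat style systems; Debian style systems use unix-stream), the facility choices, the file paths and the object names are assumptions for illustration.

```conf
# Added example (not from the original post): the same four components,
# this time with filters. Names, paths and facilities are illustrative.

# SOURCE
# Local messages from the syslog socket plus syslog-ng's own messages.
# (The post's Solaris host uses sun-streams() here instead.)
source s_local {
    unix-dgram("/dev/log");
    internal();
};

# FILTER
# Authentication-related messages only ...
filter f_auth     { facility(auth, authpriv); };
# ... and everything else, so the two local files do not overlap.
filter f_not_auth { not facility(auth, authpriv); };

# DESTINATION
# Central log server (same IP as in the post) on the standard syslog UDP port.
destination d_logserver { udp("1.2.3.4" port(514)); };
# Local files; the auth log is created owner-readable only.
destination d_auth      { file("/var/log/auth.log" perm(0600)); };
destination d_other     { file("/var/log/everything.log"); };

# LOG
# Every local message goes to the central server, unfiltered ...
log { source(s_local); destination(d_logserver); };
# ... while locally, auth messages and the rest land in separate files.
log { source(s_local); filter(f_auth);     destination(d_auth); };
log { source(s_local); filter(f_not_auth); destination(d_other); };
```

Two things worth knowing when you use a layout like this. First, `syslog-ng -s` only checks that the file parses; it does not tell you whether 1.2.3.4 is reachable or listening, so after the restart send a test message with `logger` and confirm it shows up on the central server. Second, udp() delivers best-effort with no acknowledgement, so messages silently disappear if the network or the collector is down; if syslog-ng on both ends supports it, a tcp() destination with the same host and port gives you delivery over a connection that you can at least see fail.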

Post provided by Mary M. Chaddock
