Tools Index

1. Syslog-ng

Syslog-ng offers more than sysklogd, for example, we can log messages to different files based on pattern. It is possible to have both syslog-ng and sysklog, I will only configure syslog-ng and remove sysklog.

A simple way to "watch" log files is to use tail, with exception of faillog, see man faillog for more information.

        $ cd /var/log
        $ sudo tail -f messages kernel cron auth
        

1.1. Install syslog-ng

        $ prt-get depinst syslog-ng
        

1.4. Syslog-ng configuration

Example of /etc/syslog-ng.conf that configures syslog-ng matching tools already installed in the system and some that are part of tools.

Change /etc/rc.conf, replace sysklog with syslog-ng;

        #
        # /etc/rc.conf: system configuration
        #

        FONT=default
        KEYMAP=dvorak
        TIMEZONE="Europe/Lisbon"
        HOSTNAME=box
        SYSLOG=syslog-ng
        SERVICES=(lo net crond)

        # End of file
        

Edit /etc/syslog-ng.conf with your logging preferences;

        @version: 3.25
        @include "scl.conf"

        # Syslog-ng configuration file, compatible with default Debian syslogd
        # installation.

        # First, set some global options.
        options { chain_hostnames(off); flush_lines(0); use_dns(no); use_fqdn(no);
                  owner("root"); group("adm"); perm(0640); stats_freq(0);
                  bad_hostname("^gconfd$");
        };

        ########################
        # Sources
        ########################
        # This is the default behavior of sysklogd package
        # Logs may come from unix stream, but not from another machine.
        #
        source s_src {
               system();
               internal();
        };

        # If you wish to get logs from remote machine you should uncomment
        # this and comment the above source line.
        #
        #source s_net { tcp(ip(127.0.0.1) port(1000)); };

        ########################
        # Destinations
        ########################
        # First some standard logfile
        #
        destination d_auth { file("/var/log/auth"); };
        destination d_sudo { file("/var/log/sudo" ); };
        destination d_cron { file("/var/log/cron"); };
        destination d_daemon { file("/var/log/daemon"); };
        destination d_kern { file("/var/log/kernel"); };
        destination d_lpr { file("/var/log/lpr"); };
        destination d_mail { file("/var/log/mail"); };
        destination d_syslog { file("/var/log/syslog-ng"); };
        destination d_user { file("/var/log/user"); };
        destination d_uucp { file("/var/log/uucp"); };

        # This files are the log come from the mail subsystem.
        #
        destination d_mailinfo { file("/var/log/mail.info"); };
        destination d_mailwarn { file("/var/log/mail.warn"); };
        destination d_mailerr { file("/var/log/mail.err"); };

        # Logging for INN news system
        #
        destination d_newscrit { file("/var/log/news/news.crit"); };
        destination d_newserr { file("/var/log/news/news.err"); };
        destination d_newsnotice { file("/var/log/news/news.notice"); };

        # Some 'catch-all' logfiles.
        #
        destination d_debug { file("/var/log/debug"); };
        destination d_error { file("/var/log/error"); };
        destination d_messages { file("/var/log/messages"); };

        # Custom destinations
        destination d_shorewall_warn { file ("/var/log/shorewall/warn"); };
        destination d_shorewall_info { file ("/var/log/shorewall/info"); };
        destination d_dnsmasq	{ file("/var/log/dnsmasq"); };
        destination d_postgres  { file("/var/log/pgsql"); };
        destination d_mysql  { file("/var/log/pgsql"); };
        destination d_iptables  { file("/var/log/iptables"); };
        destination d_sshd      { file("/var/log/sshd"); };
        destination d_gitolite  { file("/var/log/gitolite"); };
        destination d_git-daemon  { file("/var/log/git-daemon"); };
        destination d_nginx_access { file("/var/log/nginx_access"); };
        destination d_nginx_error  { file("/var/log/nginx_error"); };
        destination d_php_fpm { file("/var/log/php-fpm"); };
        destination d_php { file("/var/log/php"); };
        destination d_nginx_vhost { file("/var/log/nginx/vhost_access"); };
        destination d_nginx_vhost_err { file("/var/log/nginx/vhost_error"); };

        # The root's console.
        #
        destination d_console { usertty("root"); };

        # Virtual console.
        #
        #destination d_console_all { file(`tty10`); };
        destination console { usertty("root"); };
        destination d_console_all { file("/dev/tty12" suppress(5)); };
        destination xconsole { pipe("/dev/xconsole" suppress(5)); };



        # The named pipe /dev/xconsole is for the nsole' utility.  To use it,
        # you must invoke nsole' with the -file' option:
        #
        #    $ xconsole -file /dev/xconsole [...]
        #
        destination d_xconsole { pipe("/dev/xconsole"); };

        # Send the messages to an other host
        #
        #destination d_net { tcp("127.0.0.1" port(1000) log_fifo_size(1000)); };

        # Debian only
        destination d_ppp { file("/var/log/ppp"); };

        ########################
        # Filters
        ########################
        # Here's come the filter options. With this rules, we can set which 
        # message go where.

        filter f_dbg { level(debug); };
        filter f_info { level(info); };
        filter f_notice { level(notice); };
        filter f_warn { level(warn); };
        filter f_err { level(err); };
        filter f_crit { level(crit .. emerg); };

        filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };
        filter f_error { level(err .. emerg) ; };
        filter f_messages { level(info,notice,warn)
                            and not facility(auth,authpriv,cron,daemon,mail,news,local0); };

        filter f_auth { facility(auth, authpriv) and not filter(f_debug); };
        filter f_sudo { facility(auth, authpriv) and program("^sudo$"); };
        filter f_cron { facility(cron) and not filter(f_debug);};
        filter f_daemon { facility(daemon, local0)
                and not filter(f_debug)
                and not program("^php$")
                and not program("^nginx_vhost$")
                and not program("^nginx_vhost_err$");};
        filter f_kern { facility(kern) and not filter(f_debug); };
        filter f_lpr { facility(lpr) and not filter(f_debug); };
        filter f_local { facility(local0, local1, local3, local4, local5,
                                local6, local7) and not filter(f_debug); };
        filter f_mail { facility(mail) and not filter(f_debug); };
        filter f_news { facility(news) and not filter(f_debug); };
        filter f_syslog3 { program("^syslog-ng$");};
        filter f_user { facility(user) and not filter(f_debug); };
        filter f_uucp { facility(uucp) and not filter(f_debug); };

        filter f_cnews { level(notice, err, crit) and facility(news); };
        filter f_cother { level(debug, info, notice, warn) or facility(daemon, mail); };

        filter f_ppp { facility(local2) and not filter(f_debug); };
        filter f_console { level(warn .. emerg); };

        # custom filters

        filter f_dnsmasq { program("^dnsmasq$"); };
        filter f_postgres { facility(local0) and program("^postgresql$"); };
        filter f_sshd { facility(auth) and program("^sshd$"); };

        filter f_iptables { facility(kern) and match("iptables" value("MESSAGE")) };
        filter f_shorewall_warn { level (warn) and match ("Shorewall" value("MESSAGE")); };
        filter f_shorewall_info {level (info) and match ("Shorewall" value("MESSAGE")); };
        filter f_gitolite { program("^gitolite$"); };
        filter f_git-daemon { program("^git-daemon$"); };
        filter f_nginx_error { facility(daemon) and program("^nginx$"); };
        filter f_nginx_vhost { facility(daemon) and program("^nginx_vhost$");};
        filter f_nginx_vhost_err { facility(daemon) and program("^nginx_vhost_err$");};
        filter f_php_fpm { facility(daemon) and program("^php-fpm$");};
        filter f_php { facility(daemon) and program("^php$");};

        # custom logs
        log { source(s_src); filter(f_php_fpm); destination(d_php_fpm); };
        log { source(s_src); filter(f_php); destination(d_php); };
        log { source(s_src); filter(f_nginx_vhost); destination(d_nginx_vhost); };
        log { source(s_src); filter(f_nginx_vhost_err); destination(d_nginx_vhost_err); };
        log { source(s_src); filter(f_sshd); destination(d_sshd);};
        log { source (s_src); filter (f_iptables); destination (d_iptables);};
        log { source (s_src); filter (f_shorewall_warn); destination (d_shorewall_warn);};
        log { source (s_src); filter (f_shorewall_info); destination (d_shorewall_info);};
        log { source(s_src); filter(f_dnsmasq); destination(d_dnsmasq);};
        log { source(s_src); filter(f_postgres); destination(d_postgres);};
        log { source(s_src); filter(f_gitolite); destination(d_gitolite);};
        log { source(s_src); filter(f_git-daemon); destination(d_git-daemon);};
        log { source(s_src); filter(f_nginx_error); destination(d_nginx_error);};

        ########################
        # Log paths
        ########################
        log { source(s_src); filter(f_auth); destination(d_auth); };
        log { source(s_src); filter(f_sudo); destination(d_sudo); };
        log { source(s_src); filter(f_cron); destination(d_cron); };
        log { source(s_src); filter(f_daemon); destination(d_daemon); };
        log { source(s_src); filter(f_kern); destination(d_kern); };
        log { source(s_src); filter(f_lpr); destination(d_lpr); };
        log { source(s_src); filter(f_user); destination(d_user); };
        log { source(s_src); filter(f_uucp); destination(d_uucp); };

        log { source(s_src); filter(f_mail); destination(d_mail); };
        log { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); };
        log { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
        log { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); };

        log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); };
        log { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); };
        log { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); };
        #log { source(s_src); filter(f_cnews); destination(d_console_all); };
        #log { source(s_src); filter(f_cother); destination(d_console_all); };

        #log { source(s_src); filter(f_ppp); destination(d_ppp); };

        log { source(s_src); filter(f_debug); destination(d_debug); };
        log { source(s_src); filter(f_error); destination(d_error); };
        log { source(s_src); filter(f_messages); destination(d_messages); };
        log { source(s_src); filter(f_syslog3); destination(d_syslog); };
        log { source(s_src); filter(f_console); destination(d_console_all);
                                            destination(d_xconsole); };
        log { source(s_src); filter(f_crit); destination(d_console); };

        #
        # 
        # All messages send to a remote site
        #
        #log { source(s_src); destination(d_net); };

        ###
        # Include all config files in /etc/syslog-ng/conf.d/
        ###
        @include "/etc/syslog-ng/conf.d/*.conf"
        

Restart daemon;

        $ sudo sh /etc/rc.d/syslog-ng start
        $ sudo sh /etc/rc.d/sysklogd stop
        

Description off global options used;

chain-hostnames()
Accepted values: yes | no
Default: no
Description: Enable or disable the chained hostname format. If the log message is forwarded to the log server via a relay, and the chain-hostnames() option is enabled, the relay adds its own hostname to the hostname of the client, separated with a / character.
create-dirs()
Accepted values: yes | no
Default: no
Description: Enable or disable directory creation for destination files.
use-dns()
Type: yes, no, persist_only
Default: yes
Description: Enable or disable DNS usage. The persist_only option attempts to resolve hostnames locally from file (for example from /etc/hosts). The syslog-ng OSE application blocks on DNS queries, so enabling DNS may lead to a Denial of Service attack.
stats_freq()
Accepted values: number
Default: 600
Description: The period between two STATS messages in seconds. STATS are log messages sent by syslog-ng, containing statistics about dropped log messages. Set to 0 to disable the STATS messages.
perm()
Accepted values: permission value
Default: 0600
Description: The default permission for output files. By default, syslog-ng changes the privileges of accessed files (for example /dev/null) to root.root 0600. To disable modifying privileges, use this option with the -1 value.
log-fifo-size()
Accepted values: number
Default: 10000
Description: The number of messages that the output queue can store.
log-msg-size()
Accepted values: number
Default: 8192
Description: Maximum length of a message in bytes. This length includes the entire message (the data structure and individual fields). The maximal value that can be set is 268435456 bytes (256MB). For messages using the IETF-syslog message format (RFC5424), the maximal size of the value of an SDATA field is 64kB.
flush-lines()
Type: number
Default: Use global setting.
Description: Specifies how many lines are flushed to a destination at a time. The syslog-ng OSE application waits for this number of lines to accumulate and sends them off in a single batch. Increasing this number increases throughput as more messages are sent in a single batch, but also increases message latency.
Tools Index

This is part of the Tribu System Documentation. Copyright (C) 2020 Tribu Team. See the file Gnu Free Documentation License for copying conditions.