1. Syslog-ng

Syslog-ng offers more than sysklogd, for example, we can log messages to different files based on pattern. It is possible to have both syslog-ng and sysklog, I will only configure syslog-ng and remove sysklog.

A simple way to "watch" log files is to use tail, with exception of faillog, see man faillog for more information.

        $ cd /var/log
        $ sudo tail -f messages kernel cron auth

1.1. Install event log

        $ mkdir eventlog
        $ vim Pkgfile
        
        # Description: replacement of the simple syslog() API
        # URL:         http://www.balabit.com/network-security/syslog-ng/opensource-logging-system
        # Maintainer:  Thomas Penteker, tek at serverop dot de
        #
        # Depends on:

        name=eventlog
        version=0.2.12
        release=1
        source=(http://ftp.uni-erlangen.de/pub/mirrors/gentoo/distfiles/${name}_${version}.tar.gz)

        build() {
        cd $name-$version

        ./configure \
        --prefix=/usr \
        --disable-nls \
        --mandir=/usr/man

        make && make DESTDIR=$PKG install
        rm -rf $PKG/usr/doc
        }
        
        $ fakeroot pkgmk -d
        $ sudo pkgadd /usr/ports/packages/eventlog#0.2.12-1.pkg.tar.gz

1.2. Install syslog-ng

        $ cd ..
        $ mkdir syslog-ng
        $ vim Pkgfile
        
        # Description: alternate syslogging daemon
        # URL:         http://www.balabit.com/network-security/syslog-ng/opensource-logging-system
        # Packager:    c9 team, silvino at bk dot ru
        # Depends on:  eventlog, glib, libwrap

        name=syslog-ng
        version=3.5.6
        release=1
        source=(http://balabit.com/downloads/files/syslog-ng/sources/$version/source/${name}_${version}.tar.gz
        syslog-ng.rc syslog-ng.conf)

        build() {
           cd $name-$version

           ./configure \
              --prefix=/usr \
              --sysconfdir=/etc \
              --libexecdir=/var/libexec \
              --localstatedir=/var \
              --mandir=/usr/man \
              --enable-dynamic-linking \
              --sbindir=/sbin \
              --enable-tcp-wraper


           make && make DESTDIR=$PKG install
           rm -rf $PKG/usr/doc
           rm -rf $PKG/usr/share/include/scl/syslogconf/README
           install -D -m 644 ../syslog-ng.conf $PKG/etc/syslog-ng.conf
           install -D -m 755 ../syslog-ng.rc $PKG/etc/rc.d/syslog-ng
        }
        
        $ sudo prt-get depinst glib
        $ pkgmk -um
        $ pkgmk -uf
        $ fakeroot pkgmk -d
        $ sudo pkgadd /usr/ports/packages/syslog-ng#3.5.6-1.pkg.tar.gz

Change /etc/rc.conf, replace sysklog with syslog-ng;

        #
        # /etc/rc.conf: system configuration
        #

        FONT=default
        KEYMAP=dvorak
        TIMEZONE="Europe/Lisbon"
        HOSTNAME=box
        SYSLOG=syslog-ng
        SERVICES=(syslog-ng lo net crond)

        # End of file

1.3. Syslog-ng RC

        $ vim syslog-ng.rc
        
        #!/bin/sh
        #
        # /etc/rc.d/syslog-ng: start/stop syslog-ng logging daemon
        #

        case $1 in
        start)
          /sbin/syslog-ng -f /etc/syslog-ng.conf -p /var/run/syslog-ng.pid
          ;;
        stop)
          killall -q /sbin/syslog-ng
          rm -f /var/run/syslog-ng.pid
          ;;
        restart)
          $0 stop
          sleep 2
          $0 start
          ;;
        *)
          echo "usage: $0 [start|stop|restart]"
          ;;
        esac

1.4. Syslog-ng configuration

Example of /etc/syslog-ng.conf that configures syslog-ng matching tools already installed in the system and some that are part of tools.

Description off global options used;

chain-hostnames()
Accepted values: yes | no
Default: no
Description: Enable or disable the chained hostname format. If the log message is forwarded to the log server via a relay, and the chain-hostnames() option is enabled, the relay adds its own hostname to the hostname of the client, separated with a / character.
create-dirs()
Accepted values: yes | no
Default: no
Description: Enable or disable directory creation for destination files.
use-dns()
Type: yes, no, persist_only
Default: yes
Description: Enable or disable DNS usage. The persist_only option attempts to resolve hostnames locally from file (for example from /etc/hosts). The syslog-ng OSE application blocks on DNS queries, so enabling DNS may lead to a Denial of Service attack.
stats_freq()
Accepted values: number
Default: 600
Description: The period between two STATS messages in seconds. STATS are log messages sent by syslog-ng, containing statistics about dropped log messages. Set to 0 to disable the STATS messages.
perm()
Accepted values: permission value
Default: 0600
Description: The default permission for output files. By default, syslog-ng changes the privileges of accessed files (for example /dev/null) to root.root 0600. To disable modifying privileges, use this option with the -1 value.
log-fifo-size()
Accepted values: number
Default: 10000
Description: The number of messages that the output queue can store.
log-msg-size()
Accepted values: number
Default: 8192
Description: Maximum length of a message in bytes. This length includes the entire message (the data structure and individual fields). The maximal value that can be set is 268435456 bytes (256MB). For messages using the IETF-syslog message format (RFC5424), the maximal size of the value of an SDATA field is 64kB.
flush-lines()
Type: number
Default: Use global setting.
Description: Specifies how many lines are flushed to a destination at a time. The syslog-ng OSE application waits for this number of lines to accumulate and sends them off in a single batch. Increasing this number increases throughput as more messages are sent in a single batch, but also increases message latency.
        $ sudo sh /etc/rc.d/syslog-ng start
        $ sudo sh /etc/rc.d/sysklogd stop

This is part of the c9-doc Manual. Copyright (C) 2016 c9 team. See the file Gnu Free Documentation License for copying conditions.