Syslog-ng: how to log severity/facility?


Solution 1

It sounds like you want to rewrite your logfiles in a specific format. The link has the details on how to tell syslog-ng to do that :)

Solution 2

Based on some quick reading I think you want to use the syslog() driver, which is described in section 8.1.6 of the Syslog-ng Administrator's guide. http://www.balabit.com/support/documentation/?product=syslog-ng

I hope this helps, if I find anything more, I'll let you know.

I think the syslog() driver is meant to be used with the source declaration. So where I have
source external { udp(); };

You might use
source external { syslog(transport("udp")); };

I don't have a suitable testing environment to try this out on, but I think this is what you want to do, if I understand your question correctly.


I went back and looked and it turns out there's a macro you can use in your destination called TAG.

e.g.
destination d_all { file("/log/$FACILITY.log" group("users") template_escape(no) template("$TAG $PRIORITY $S_DATE $HOST $MSG\n")); };
These macros are defined around page 218 of the admin guide.
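As an added example (not part of the answer above), here is a complete syslog-ng configuration for the asker's setup that prefixes every line written to /var/log/messages with the decimal <PRI> value. It assumes syslog-ng 3.x macro names ($PRI, $MSGHDR) and the asker's local unix-dgram source; the f_messages filter below is a match-everything placeholder for the existing one.

```conf
# Added example, not from the answers above. Assumes syslog-ng 3.x macros
# ($PRI, $DATE, $HOST, $MSGHDR, $MSG); on syslog-ng 2.x $MSG already
# contains the "program[pid]: " header, so drop $MSGHDR there.
@version: 3.0

options { use_dns(no); keep_hostname(yes); };

# Local source, as in the asker's existing configuration.
source src { internal(); unix-dgram("/dev/log"); };

# $PRI expands to facility * 8 + severity, the number carried inside <...>
# on the wire; e.g. user.debug = 1*8+7 = 15, auth.info = 4*8+6 = 38.
# $DATE reproduces the "Feb  8 09:29:53" timestamp already in the file.
template t_pri {
    template("<$PRI>$DATE $HOST $MSGHDR$MSG\n");
    template_escape(no);
};

# Same file as before, only the line format changes.
destination messages { file("/var/log/messages" template(t_pri)); };

# Facility and severity as readable words in a second file, so reviewers
# can grep for "auth" or "err" without decoding the numeric PRI.
destination d_fields {
    file("/var/log/messages-fields"
        template("$FACILITY.$LEVEL $DATE $HOST $MSGHDR$MSG\n")
        template_escape(no));
};

# Placeholder: matches every severity; substitute the existing f_messages.
filter f_messages { level(debug..emerg); };

log {
    source(src);
    filter(f_messages);
    destination(messages);
    destination(d_fields);
};
```

Check the result with `syslog-ng -s -f <config>` before reloading; a typo in a macro name leaves the literal text in the log line rather than failing the parse.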

Solution 3

If you have a destination configured as so:

destination syslog-consumer { unix-stream("/var/run/syslog-output"); };

syslog messages headed to syslog-consumer get sent to that socket in the format you want.

You'll just need to set up something to listen to that socket and write to a file.




Updated on September 17, 2022

Comments

  • user31462
    user31462 almost 2 years

    Here is the system:

    • SUSE Linux Enterprise Server 10
    • syslog-ng with predefined syslog-ng.conf
    • messages in /var/log/messages look like:

    Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root from 10.30.34.64 port 4855 ssh2

    What I need:

    • to log event severity/facility. For instance, add <PRI> at the beginning of the message:

    <15> Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root from 10.30.34.64 port 4855 ssh2

    My question is:

    How to change syslog-ng.conf to enable this kind of logging?

    Thanks.

  • user31462
    user31462 over 14 years
    Truth be told, I failed to find any real-life example of changes you need to make for this stuff.
  • user31462
    user31462 over 14 years
    Is there some other way without listening to the socket? I wonder why I can't add something to this declaration ... destination messages { file("/var/log/messages"); }; log { source(src); filter(f_messages); destination(messages); }; ... to add the <PRI> field in /var/log/messages...
  • user31462
    user31462 over 14 years
    Actually, I don't have source external { udp(); }; in my config. What I have is slightly different: source src { internal(); unix-dgram("/dev/log"); };
  • Steve Townsend
    Steve Townsend over 14 years
    I posted this particular method since my log consumer just listened to the socket without any intermediate files. Thought it might fit your need :)