helptonewbie
01-21-2009 08:12 AM
Syslog-ng, Central log server, trying to split logs out using filters
Hi All,
I've been working on this for a short while, but I still haven't fully been able to get round the problem I'm having. Below is a snippet of my syslog-ng.conf file; I'm sure it contains the parts relevant to this question.
Code:
#@SuSEconfig@
#@SuSEconfig@ This is a template file used by SuSEconfig
#@SuSEconfig@ to generate the final syslog-ng.conf.
#@SuSEconfig@
#@SuSEconfig@ SuSEconfig adds additional log sockets from
#@SuSEconfig@ /etc/sysconfig/syslog to the source below.
#@SuSEconfig@
#
# File format description can be found in syslog-ng.conf(5)
# and /usr/share/doc/packages/syslog-ng/syslog-ng.txt.
#
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };
source src {
    #
    # include internal syslog-ng messages
    # note: the internal() source is required!
    #
    internal();
    #
    # the following line will be replaced by the
    # socket list generated by SuSEconfig using
    # variables from /etc/sysconfig/syslog:
    #
    @SuSEconfig_SOCKETS@
    #
    # uncomment to process log messages from network:
    #
    udp(ip("0.0.0.0") port(514));
    tcp(ip("IPADDRESS") port(5140) keep-alive(yes));
};
#
# Other options.
#
destination d_mysql {
    pipe("/var/log/mysql.pipe"
        template("INSERT INTO logs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n") template-escape(yes));
};
log { source(src); destination(d_mysql); };
# this is for separating out network hosts into individual log files.
destination std {
    file("/central_logs/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};
log {
    source(src);
    destination(std);
};
######Addition 21/01/09
destination hostname_rsync { file("/central_logs/HOSTS/hostname_rsync" owner(root) perm(600)); };
filter f_hostname_rsync { level(debug) and facility(daemon) and program("rsync-"); };
filter f_hostname_rsync_stop { not level(debug) and not facility(daemon) and not program("rsync-"); };
log { source(src); filter(f_hostname_rsync); destination(hostname_rsync); flags(final); };
#destination d_rsync_to_mysql {
#pipe("/var/log/rsync_to_mysql.pipe"
#template("INSERT INTO hostname_rsyncs (host, facility, priority, level, tag, datetime, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n") template-escape(yes)
#);
#};
#log { source(src); filter(f_hostname_rsync); destination(d_rsync_to_mysql); flags(final);
#};
######
OK, the thing is I'm using rsync on a server and I want the output on my central logging server and put into MySQL as well. That's no problem, but I added the complexity that I wanted the logs specific to only the rsync to be put into another MySQL table rather than where they are going at the moment, as you can see, into the "logs" with all other log data. Also, as a backup, all log data goes into separated-out files; this again is no problem.
The issue I'm having is that I can't seem to stop log data I've caught using the filters also being duplicated into the other log files and tables. I would like anything from "source src" that's caught by my filter "f_hostname_rsync" to be put into the file "/central_logs/HOSTS/hostname_rsync" and threaded also into "destination d_rsync_to_mysql". Currently commented out because I'm trying to then also not allow any other log data coming from "src" to go into these files or MySQL table. As I understood it, "flags(final);" is meant to stop any duplication of data, but this doesn't seem to work, as my rsync log data is still making it into the "logs" table.
Any help would be great.
Regards.
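An added example, not part of the original post: a small Python model of how syslog-ng evaluates log statements, assuming they are processed in configuration order and that flags(final) only stops the statements placed after the one that matched. It routes constructed sample messages through the three active log statements from the posted config, first in the posted order and then with the final statement moved to the top.

```python
import re

# Simplified model (an assumption of this example, not syslog-ng code):
# log statements are evaluated in configuration order, and flags(final)
# stops evaluation of the statements that come AFTER the one that matched.

def f_hostname_rsync(msg):
    # Mirrors: level(debug) and facility(daemon) and program("rsync-")
    return (msg["level"] == "debug" and msg["facility"] == "daemon"
            and re.search(r"rsync-", msg["program"]) is not None)

def match_all(msg):
    # A log statement without a filter() accepts every message.
    return True

# (destination, filter, final) in the order the statements appear in the post.
POSTED_ORDER = [
    ("d_mysql", match_all, False),
    ("std", match_all, False),
    ("hostname_rsync", f_hostname_rsync, True),
]

# Same statements with the flags(final) one moved to the top.
FINAL_FIRST = [POSTED_ORDER[2], POSTED_ORDER[0], POSTED_ORDER[1]]

def route(msg, log_statements):
    """Return the destinations that receive msg, in evaluation order."""
    delivered = []
    for destination, flt, final in log_statements:
        if not flt(msg):
            continue
        delivered.append(destination)
        if final:
            break  # later statements never see this message
    return delivered

# Constructed sample messages (not taken from a real log).
RSYNC_MSG = {"host": "web01", "facility": "daemon", "level": "debug",
             "program": "rsync-backup", "msg": "sent 1024 bytes"}
CRON_MSG = {"host": "web01", "facility": "cron", "level": "info",
            "program": "cron", "msg": "job started"}

if __name__ == "__main__":
    for name, order in (("posted", POSTED_ORDER), ("final first", FINAL_FIRST)):
        print(name, route(RSYNC_MSG, order), route(CRON_MSG, order))
```

In the posted order the rsync message has already reached d_mysql and std before the final statement is evaluated; with that statement first, it reaches hostname_rsync only, while other messages still go to both general destinations.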