Centralized logging with syslog-ng

jantman · 03-28-2007, 02:04 PM

I have about eight boxes running. Most of them are SuSE - two 9.3 and five 10.2. There's also one IPcop box thrown in, and Solaris, Ubuntu, and FreeBSD on the way.

I'm really happy with the SuSE default syslog-ng configuration, how it accurately separates all of the logs into files based on source or level (mail, warn, acpi, etc.).

However, I want to setup a centralized logging server. All of the documentation I can find on doing this with syslog-ng tells about creating one file per server per day, like /var/log/$HOST/$HOST-$YEAR-$MONTH-$DAY.log.

Is there any simple way to preserve the SuSE default files (mail, messages, warn, etc.) but just put them in a host-specific directory, i.e. on the centralized server I'd have:
/var/log/HOST1/{messages, mail, warn, etc.}
/var/log/HOST2/{messages, mail, warn, etc.}
/var/log/HOST3/{messages, mail, warn, etc.}
etc.
and also local in the default way, like
/var/log/{messages, mail, warn, etc.}

auxsvr · 03-30-2007, 07:25 AM

You could add a source and a destination for each machine that sends its syslog, and set the filters accordingly in /etc/syslog-ng/syslog-ng.conf of the logging server, like this:

Code:

source HOST1 {udp(ip("HOST_1_IP_ADDRESS") port(514)};
destination HOST1_MESSAGES {file("/var/log/HOST1/messages");};
log{ source(HOST1); filter(f_messages); destination(HOST1_MESSAGES);};

; doing this for many machines is cumbersome, so you may need to use some bash scripting.

jantman · 03-30-2007, 08:57 PM

thanks. I'll try it sometime this weekend...