-   SUSE / openSUSE (
-   -   Centralized logging with syslog-ng (

jantman 03-28-2007 03:04 PM

Centralized logging with syslog-ng
I have about eight boxes running. Most of them are SuSE - two 9.3 and five 10.2. There's also one IPcop box thrown in, and Solaris, Ubuntu, and FreeBSD on the way.

I'm really happy with the SuSE default syslog-ng configuration, how it accurately separates all of the logs into files based on source or level (mail, warn, acpi, etc.).

However, I want to setup a centralized logging server. All of the documentation I can find on doing this with syslog-ng tells about creating one file per server per day, like /var/log/$HOST/$HOST-$YEAR-$MONTH-$DAY.log.

Is there any simple way to preserve the SuSE default files (mail, messages, warn, etc.) but just put them in a host-specific directory, i.e. on the centralized server I'd have:
/var/log/HOST1/{messages, mail, warn, etc.}
/var/log/HOST2/{messages, mail, warn, etc.}
/var/log/HOST3/{messages, mail, warn, etc.}
and also local in the default way, like
/var/log/{messages, mail, warn, etc.}

auxsvr 03-30-2007 08:25 AM

You could add a source and a destination for each machine that sends its syslog, and set the filters accordingly in /etc/syslog-ng/syslog-ng.conf of the logging server, like this:

source HOST1 {udp(ip("HOST_1_IP_ADDRESS") port(514)};
destination HOST1_MESSAGES {file("/var/log/HOST1/messages");};
log{ source(HOST1); filter(f_messages); destination(HOST1_MESSAGES);};

; doing this for many machines is cumbersome, so you may need to use some bash scripting.

jantman 03-30-2007 09:57 PM

thanks. I'll try it sometime this weekend...

All times are GMT -5. The time now is 05:36 PM.