Hey guys, I got it figured out with the help of the mailing list: I used some well-placed braces, e.g.
# Per-host, per-day destination: one file per facility under
# /var/log/HOSTS/<host>/<year>/<month>/<day>/.
destination std {
# Path and file name are built from the $HOST, $YEAR/$MONTH/$DAY and
# $FACILITY macros, so file names are facility names (auth, kern, ...).
# NOTE(review): with keep_hostname(yes) set in options, $HOST is taken from
# the sender's own message header rather than from DNS, so remote senders
# choose this directory component themselves — confirm that is acceptable
# for hosts received over the network.
file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/${FACILITY}_${HOST}_${YEAR}_${MONTH}_${DAY}.log"
# Files 0600 and directories 0700, both root-owned: only root can read
# the collected logs. create_dirs(yes) lets the missing host/date
# directory levels be created on demand.
owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
);
};
Now I just need to sort my logs out. After running for over 12hrs I've only ended up with 2 logs per host, an authpriv and a kern; I guess I was expecting the following:
messages
syslog
debug
secure
cron
maillog
auth
for your consideration...
###############################################################
# First, set some global options.
options {
# Record fully-qualified host names in $HOST.
use_fqdn(yes);
# Resolve sender addresses via reverse DNS, with results cached.
# NOTE(review): DNS lookups happen inline with message processing; on a
# loghost receiving over UDP/TCP, a slow or failing resolver can stall
# intake — confirm the resolver is local/reliable or consider use_dns(no).
use_dns(yes);
dns_cache(yes);
# Trust the host name the sender put in the message instead of the
# DNS-resolved name. This is also what feeds $HOST in the file() paths
# of the destinations below.
keep_hostname(yes);
# presumably a legacy option from older syslog-ng releases; verify it is
# still recognised by the installed version
long_hostnames(off);
# Flush file output after every line (no write buffering).
sync(1);
# Output queue depth, in messages, before further messages are dropped.
log_fifo_size(1024);
};
###############################################################
#
# Logs may come from unix stream, and UDP:514
#
# Single source that aggregates local and network input.
source src {
# Kernel ring buffer (local machine).
pipe("/proc/kmsg");
# Local syslog socket.
unix-stream("/dev/log");
# NOTE(review): internal() is disabled, so syslog-ng's own start-up and
# error messages are not collected anywhere; that makes delivery problems
# on this loghost hard to notice.
# internal();
# Network receivers bound to 192.168.2.3:514. UDP carries no sender
# authentication, so the $HOST/facility values used to place files come
# straight from whatever reaches this port; restrict reachability of
# port 514 at the host firewall to the intended senders.
udp(ip("192.168.2.3") port(514));
tcp(ip("192.168.2.3") port(514) keep-alive(yes));
};
###############################################################
# First, some standard logfiles
#
#destination authlog { file("/var/log/auth.log"); };
#destination syslog { file("/var/log/syslog"); };
#destination cron { file("/var/log/cron.log"); };
#destination daemon { file("/var/log/daemon.log"); };
#destination user { file("/var/log/user.log"); };
#destination debug { file("/var/log/debug"); };
#destination messages { file("/var/log/messages"); };
##########################################
# Here are the filter options. With these rules, we can set which
# messages go where.
# Facility- and level-based filters. NOTE: none of these is referenced by
# the active log {} statement at the end of this file (only the commented
# log lines use them), so they currently have no effect on what is written.
# auth and authpriv together.
filter f_authpriv { facility(auth, authpriv); };
# Everything except auth/authpriv and mail.
filter f_syslog { not facility(auth, authpriv) and not facility(mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_user { facility(user); };
# Everything except auth/authpriv, news and mail (overlaps with f_syslog).
filter f_debug { not facility(auth, authpriv, news, mail); };
# info..warn messages from facilities not already routed elsewhere.
filter f_messages { level(info .. warn)
and not facility(auth, authpriv, cron, daemon, mail, news); };
filter f_mail { facility(mail); };
# Single-level filters.
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
###############################################################
#
# log statements actually send logs somewhere, to a file, across the network, etc
#
#log { source(src); filter(f_authpriv); destination(authlog); };
#log { source(src); filter(f_authpriv); destination(syslog); };
#log { source(src); filter(f_syslog); destination(syslog); };
#log { source(src); filter(f_cron); destination(cron); };
#log { source(src); filter(f_daemon); destination(daemon); };
#log { source(src); filter(f_daemon); destination(messages); };
#log { source(src); filter(f_kern); destination(messages); };
#log { source(src); filter(f_user); destination(messages); };
#log { source(src); filter(f_debug); destination(debug); };
#
# automatic host sorting (usually used on a loghost)
#
# Per-host destination: one file per facility and month under
# /var/log/HOSTS/<host>/<year>/<month>/.
destination std {
# ${FACILITY} expands to the syslog facility name, so the files you get are
# named after facilities (authpriv, kern, cron, mail, ...) rather than the
# traditional messages/secure/maillog names; a host that only emits
# authpriv and kern messages yields exactly two files.
# NOTE(review): $HOST comes from the sender's message because of
# keep_hostname(yes) above, so a remote sender picks its own directory
# name here — confirm that is acceptable for network sources.
file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/${FACILITY}_${YEAR}_${MONTH}_${DAY}.log"
# Root-only files (0600) and directories (0700), created on demand.
owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};
# The only active log path: every message from src goes to std with no
# filter applied, so routing is done purely by the file name macros.
log {
source(src);
destination(std);
};
I love the thought of this auto-host system: it reduces work every time a new host is added to my network, but I have to wonder if it isn’t simpler at this point to hard-code them; some copy-and-paste and replaces could resolve this quickly. At the same time I don’t wish to admit defeat lol.