Logging, Syslog and Log Anaylsys Forums
Author Topic: Simple syslog-ng file configuration confusion  (Read 1359 times)
capricorn80
« on: February 28, 2010, 10:34:17 am »

Hi !

This is my simple configuration. I don't have mail.log anywhere in the settings, so why is a mail.log file created in
/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/? I also have daemon.log, cron.log and user.log.
I only have /var/log/secure settings in my configuration. Why am I getting these daemon, cron and user logs?
-------------
/etc/init.d/syslog status
syslogd (pid  3315) is running..
klogd is stopped

----------
/etc/init.d/syslog-ng status
Checking for syslog-ng service: 3315 running

--------

@version: 3.0
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
#

options {
   create_dirs (yes);

};

######
# sources
source s_local {
# message generated by Syslog-NG
          unix-stream ("/dev/log");
          internal();

};


######
# destinations
#destination d_mesg  { file("/var/log/messages"); };
destination d_auth  { file("/var/log/secure"); };



# Level Filters
filter f_info { level(info..emerg); };
filter f_note { level(notice..emerg); };
filter f_warn { level(warn..emerg); };
filter f_errs { level(err..emerg); };
filter f_emer { level(emerg); };

#########################

# Facility Filters
filter f_auth { facility(auth, authpriv) and filter(M_auth); };
#filter f_logs { facility(syslog); };
#filter f_lastlog { facility(syslog); };

#############333


destination d_network {
          file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");
};
####################
log { source(s_local); filter(f_auth); filter(f_info); destination(d_auth);  };
#log { source(s_local); filter(f_logs); filter(f_note); destination(d_mesg);  };


log {
source(s_local);
destination(d_network);
};


Thanks in advance.
Logged
Admin
« Reply #1 on: February 28, 2010, 12:09:22 pm »

This statement:
log {
source(s_local);
destination(d_network);
};
is the reason that mail.log is being created. There is nothing to filter mail.log out. So, every message that comes into syslog-ng is being written out to its respective file.
Logged
capricorn80
« Reply #2 on: February 28, 2010, 12:15:07 pm »

Thanks :)
Logged
Admin
« Reply #3 on: February 28, 2010, 12:19:10 pm »

Happy to help.  Have a great day.
Logged
capricorn80
« Reply #4 on: February 28, 2010, 12:22:34 pm »


One problem: if I remove this
log {
source(s_local);
destination(d_network);
};

I am not getting any log now. What settings should I use to get the log in /var/log/syslog-ng/--------------------

Thanks
Logged
capricorn80
« Reply #5 on: February 28, 2010, 12:24:47 pm »

log { source(s_local); filter(f_auth); filter(f_info); destination(d_network);  };
log { source(s_local); filter(f_logs); filter(f_note); destination(d_network);  };

This is working, but I am not sure it's the best way to do it.

Logged
Admin
« Reply #6 on: February 28, 2010, 12:26:30 pm »

In order to get logs into the /var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log files, you have to have the statement
log {
source(s_local);
destination(d_network);
};

However, as it is written, ALL events will be written using that log statement, meaning that every event will be written into one of the files in /var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/. In order to limit what events get written, you'll need to add a filter statement. If you can tell me what events you want, or don't want, I can help you write what the filter should be.
Logged
capricorn80
« Reply #7 on: February 28, 2010, 12:40:48 pm »

Well, I want to have the auth log, /var/log/messages and ssh.
Logged
Admin
« Reply #8 on: February 28, 2010, 12:58:14 pm »

Is the file in the first post the whole config file?  I see some missing references, like
M_auth in the line: filter f_auth { facility(auth, authpriv) and filter(M_auth); };

Can you post the current file?
Logged
capricorn80
« Reply #9 on: February 28, 2010, 01:05:16 pm »

@version: 3.0
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
#

options {
   create_dirs (yes);

};

######
# sources
source s_local {
# message generated by Syslog-NG
          unix-stream ("/dev/log");
          internal();

};


######
# destinations
#destination d_mesg  { file("/var/log/messages"); };
destination d_auth  { file("/var/log/secure"); };



# Level Filters
filter f_info { level(info..emerg); };
filter f_note { level(notice..emerg); };
filter f_warn { level(warn..emerg); };
filter f_errs { level(err..emerg); };
filter f_emer { level(emerg); };


#########################

# Facility Filters
filter f_auth { facility(auth, authpriv) and filter(M_auth); };
#filter f_logs { facility(syslog); };



destination d_network {
          file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");
};

###############
log { source(s_local); filter(f_auth); filter(f_info); destination(d_network);  };
#log { source(s_local); filter(f_logs); filter(f_note); destination(d_mesg);  };
#log { source(s_local); filter(f_ssh); filter(f_info); destination(d_hosts);  };

#log {
#source(s_local);
#destination(d_network);
#};
Logged
capricorn80
« Reply #10 on: February 28, 2010, 01:05:57 pm »

Yes, the first post is the complete file.
Logged
Admin
« Reply #11 on: February 28, 2010, 02:50:22 pm »

First, let's clean it up to only what you're using:

Code:
options {
   create_dirs (yes);

};

source s_local {
          unix-stream ("/dev/log");
          internal();
};

filter f_info { level(info..emerg); };
filter f_auth { facility(auth, authpriv); };

destination d_network {
          file ("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");
};

log { source(s_local); filter(f_auth); filter(f_info); destination(d_network);  };

Assuming that does what you want, the filter can be consolidated, or it can be left as it is.
Logged
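
An added example, not part of the original posts and not the admin's configuration: one way to cover the three things asked for in this thread (auth log, the contents of /var/log/messages, and ssh) with one filtered log statement each, so no catch-all statement creates mail.log or cron.log. The names f_messages, f_ssh, d_auth, d_messages and d_ssh are assumptions, and the f_messages rule assumes the classic syslog.conf selector `*.info;mail.none;authpriv.none;cron.none` is what "messages" should contain.

```conf
@version: 3.0
# Added example; filter and destination names below are hypothetical.

options {
    create_dirs(yes);
};

source s_local {
    unix-stream("/dev/log");
    internal();
};

# Authentication events at info or higher (same selection as the thread's
# f_auth + f_info pair, consolidated into one filter).
filter f_auth { facility(auth, authpriv) and level(info..emerg); };

# sshd messages, selected by program name instead of facility.
filter f_ssh { program("sshd"); };

# Assumed equivalent of /var/log/messages:
# everything at info or higher except mail, authpriv and cron.
filter f_messages { level(info..emerg) and not facility(mail, authpriv, cron); };

# auth.log / authpriv.log, named by the $FACILITY macro as in the thread.
destination d_auth {
    file("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/$FACILITY.log");
};

# Fixed file names, so these statements never create per-facility files.
destination d_messages {
    file("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/messages.log");
};
destination d_ssh {
    file("/var/log/syslog-ng/$YEAR.$MONTH.$DAY/$HOST/sshd.log");
};

# Each log statement is evaluated on its own: a message is written to a
# destination only when every filter in that statement matches.
log { source(s_local); filter(f_auth);     destination(d_auth); };
log { source(s_local); filter(f_ssh);      destination(d_ssh); };
log { source(s_local); filter(f_messages); destination(d_messages); };
```

Because the statements are independent, an sshd message logged under auth or authpriv matches both f_auth and f_ssh and is written to both files.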
capricorn80
« Reply #12 on: February 28, 2010, 03:03:40 pm »

OK. I was thinking what information I can get out of /var/log/messages?
Logged
capricorn80
« Reply #13 on: February 28, 2010, 03:39:08 pm »

I guess by using the match pattern ...
Logged
Admin
« Reply #14 on: February 28, 2010, 03:43:49 pm »

Ok, I am happy to help you.  Can you explain more of what you want to do?  I am sorry, but I do not understand.
Logged