Pot Of Syslog-NG Tricks Version 1

Fixing Duplicate Date and/or Hostname Problems

Some devices send syslog messages with improperly formatted headers. syslog-ng cannot parse such a header, so it treats the whole line as the message and prepends a new set of header information of its own, meaning that the host name and/or date appear twice in the logs. A simple way to solve this is using a template:

source s_net { udp(); };
destination d_file { file("/var/log/file.log" template("$MSG\n")); };
log { source(s_net); destination(d_file); };

The template function in the destination definition tells syslog-ng to discard the header from the received message and only keep the actual message data, which is contained in the variable $MSG.   Syslog-ng inserts the proper header, using the date the log was received and the host the log came from, resulting in a normal syslog message.

Separating Logs From Different Hosts into Different Log Files

A very common requirement is to separate logs from different hosts into individual files.  The simplest form is this:

source s_net { udp(); };
destination d_hosts { file("/var/log/$HOST.log"); };
log {source(s_net); destination(d_hosts); };

The above configuration creates a file named "hostname.log" for each host that sends a message.
Here is another option to explicitly define the hosts and files:

filter f_filtera { host("host1"); };
filter f_filterb { host("host2"); };
source s_net { udp(); };
destination d_loga { file("/var/log/a.log"); };
destination d_logb { file("/var/log/b.log"); };
log { source(s_net); filter(f_filtera); destination(d_loga); };
log { source(s_net); filter(f_filterb); destination(d_logb); };
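To see what the two tricks above actually do to the stored lines, here is an added Python example (not part of the original post and not syslog-ng code) that parses lines in the default syslog-ng output format, spots the duplicated-header case that template("$MSG\n") is meant to cure, and groups lines by host the way file("/var/log/$HOST.log") does. The sample lines are constructed, and the hostname check is an assumption of this example, added because the host field comes from the sending device and ends up in a file name:

```python
import re
from collections import defaultdict

# Header as syslog-ng writes it with its default template:
#   <PRI>Mmm dd hh:mm:ss HOST MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
# The same timestamp+host shape, used to spot a second header at the start of MSG.
INNER_HEADER_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")
# The hostname is supplied by the sending device, so treat it as untrusted before
# it becomes part of a file name: letters, digits, dots and dashes only, no slashes.
SAFE_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")


def parse_line(line):
    """Split a stored syslog line into header fields and $MSG; None if no header."""
    m = HEADER_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def has_duplicate_header(line):
    """True when $MSG itself starts with a timestamp and hostname, i.e. the device's
    own (malformed) header survived inside the message and syslog-ng added another.
    This is a heuristic: a message that legitimately starts with a date also matches."""
    parts = parse_line(line)
    return bool(parts) and INNER_HEADER_RE.match(parts["msg"]) is not None


def msg_only(line):
    """What a destination using template("$MSG\\n") writes: the message body
    without the header syslog-ng prepended."""
    parts = parse_line(line)
    return (parts["msg"] if parts else line.rstrip("\n")) + "\n"


def route_by_host(lines, base_dir="/var/log"):
    """Mimic file("/var/log/$HOST.log"): group lines by sending host.
    Returns {path: [line, ...]}; lines with no parsable header or an unsafe
    hostname are collected under the key None instead of a file path."""
    routed = defaultdict(list)
    for line in lines:
        parts = parse_line(line)
        if parts is None or not SAFE_HOST_RE.match(parts["host"]):
            routed[None].append(line)
            continue
        routed[f"{base_dir}/{parts['host']}.log"].append(line)
    return dict(routed)


# Constructed sample input (not captured from a real device).
SAMPLE = [
    "<13>Jan  5 10:00:01 fw01 kernel: DROP IN=eth0 SRC=192.0.2.5\n",
    "<13>Jan  5 10:00:02 fw01 Jan  5 10:00:02 fw01 kernel: DROP IN=eth0 SRC=192.0.2.6\n",
    "<38>Jan  5 10:00:03 host2 sshd[812]: authentication failure for admin\n",
    "<38>Jan  5 10:00:04 not/a/host sshd[813]: hostname containing a slash\n",
    "garbage line with no header\n",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(has_duplicate_header(line), msg_only(line), end="")
    for path, msgs in route_by_host(SAMPLE).items():
        print(path, len(msgs))
```

Running it over the sample shows that only the second line is flagged as double-headed, that msg_only() returns the device's original line for it (header and all), and that the line with a slash in its host field is set aside rather than turned into a path.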

Sending An Email Alert Using Syslog-NG

The program() function in syslog-ng can do this for us, but not directly.  First, we need a small Perl script:
emaillogs.pl

#!/usr/bin/perl -n
# thanks to Brian Dowling for an example with security in mind.
# -n wraps the code below in a while(<STDIN>) loop: syslog-ng's program()
# destination keeps the script running and writes one message per line to its stdin.

$TO = 'root@localhost';
$FROM = $TO;

chomp;               # drop the trailing newline so it cannot end up in the Subject header
s/^<\d{1,3}>//;      # strip the syslog priority prefix, e.g. <13> or <134>

open(MAIL, "|/usr/sbin/sendmail -t") or die "cannot run sendmail: $!";

print MAIL <<"EOT";
To: $TO
From: $FROM
Subject: Log Alert: $_

$_

EOT

close(MAIL);

Next, we configure syslog-ng to use that script:

filter f_failure { match("failure"); };
source s_net { udp(); };
destination d_alert { program("/var/tmp/emaillogs.pl"); };
log { source(s_net); filter(f_failure); destination(d_alert); };

Now, syslog-ng is set to send an email each time a log is received that contains the word “failure”.
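As an added example (not part of the original post and not syslog-ng's own code), here is the same alert script written in Python, with one addition the Perl version lacks: a per-window throttle, so that a burst of matching messages produces a bounded number of mails instead of one mail per line. It assumes, like the Perl script, that /usr/sbin/sendmail -t is available and that syslog-ng's program() destination feeds one message per line on stdin; the log line used in the usage check is constructed.

```python
import re
import subprocess
import sys
import time
from email.message import EmailMessage

PRI_RE = re.compile(r"^<\d{1,3}>")  # syslog priority prefix, e.g. <13> or <134>


def build_alert(log_line, to="root@localhost", sender=None):
    """Build the alert mail for one matching log line.

    The log line is untrusted input: any CR/LF inside it is flattened before it
    is placed in the Subject header, and EmailMessage writes the headers itself,
    so the line cannot smuggle extra header fields into the mail."""
    text = PRI_RE.sub("", log_line.rstrip("\r\n"), count=1)
    subject_text = text.replace("\r", " ").replace("\n", " ")
    msg = EmailMessage()
    msg["To"] = to
    msg["From"] = sender or to
    msg["Subject"] = "Log Alert: " + subject_text[:200]  # keep the header line short
    msg.set_content(text)
    return msg


class AlertMailer:
    """Mail alerts for log lines, at most max_per_window mails every window seconds."""

    def __init__(self, max_per_window=5, window=60,
                 sendmail="/usr/sbin/sendmail", send=None, clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window = window
        self.sendmail = sendmail
        self.send = send or self._pipe_to_sendmail  # injectable for testing
        self.clock = clock
        self.sent_at = []       # monotonic timestamps of mails sent in the window
        self.suppressed = 0     # lines dropped by the throttle

    def _pipe_to_sendmail(self, msg):
        # Same delivery path as the Perl script: pipe the message to sendmail -t.
        subprocess.run([self.sendmail, "-t"], input=msg.as_bytes(), check=True)

    def allow(self):
        """Sliding-window check: True if another mail may be sent now."""
        now = self.clock()
        self.sent_at = [t for t in self.sent_at if now - t < self.window]
        if len(self.sent_at) >= self.max_per_window:
            self.suppressed += 1
            return False
        self.sent_at.append(now)
        return True

    def handle(self, log_line):
        """Return True if a mail was sent for this line, False if it was throttled."""
        if not self.allow():
            return False
        self.send(build_alert(log_line))
        return True


def main():
    # Constructed usage: syslog-ng's program() destination keeps this script
    # running and writes one message per line to its stdin.
    mailer = AlertMailer()
    for line in sys.stdin:
        mailer.handle(line)
    if mailer.suppressed:
        print(f"{mailer.suppressed} alert(s) suppressed by throttle", file=sys.stderr)


if __name__ == "__main__":
    main()
```

Point the program() destination at this file instead of emaillogs.pl and it behaves the same, except that the sixth matching message within a minute is counted rather than mailed.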

The Order of Commands in a Log() Statement is Important

log { source(s_net); filter(f_failure); destination(d_alert); };

is very different from

log { source(s_net); destination(d_file); filter(f_failure); };

In the first case, the log statement works as we would expect.  In the second case, ALL logs are sent to the destination.  The elements of a log statement are processed from left to right, so the filter is not applied until after the log has already been written to the destination.

Requests?

Need help with a syslog-ng config?  Post a comment below, or start a thread in the syslog-ng support forum.