4

Here is the system:

  • SUSE Linux Enterprise Server 10
  • syslog-ng with predefined syslog-ng.conf
  • messages in /var/log/messages look like:

Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root from 10.30.34.64 port 4855 ssh2

What I need:

  • to log event severity/facility. For instance, add <PRI> at the beginning of the message:

<15> Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root from 10.30.34.64 port 4855 ssh2

My question is:

How to change syslog-ng.conf to enable this kind of logging?

Thanks.

sysadmin1138
user31462

3 Answers

5

It sounds like you want to rewrite your logfiles in a specific format. The link has the details on how to tell syslog-ng to do that :)

voretaq7
2

Based on some quick reading I think you want to use the syslog() driver, which is described in section 8.1.6 of the Syslog-ng Administrator's guide. http://www.balabit.com/support/documentation/?product=syslog-ng

I hope this helps, if I find anything more, I'll let you know.

I think the syslog() driver is meant to be used with the source declaration. So where I have
source external { udp(); };

You might use
source external { syslog(transport("udp")); };

I don't have a suitable testing environment to try this out on, but I think this is what you want to do, if I understand your question correctly.


I went back and looked and it turns out there's a macro you can use in your destination called TAG.

e.g.
destination d_all { file("/log/$FACILITY.log" group("users") template_escape(no) template("$TAG $PRIORITY $S_DATE $HOST $MSG\n")); };

These macros are defined around page 218 of the admin guide.

thepocketwade
  • Truth be told, I failed to find any real-life example of changes you need to make for this stuff. – user31462 Feb 08 '10 at 15:34
  • Actually, I don't have source external { udp(); }; in my config. What I have is slightly different: source src { internal(); unix-dgram("/dev/log"); }; – user31462 Feb 08 '10 at 16:36
1

If you have a destination configured as so:

destination syslog-consumer { unix-stream("/var/run/syslog-output"); };

syslog messages headed to syslog-consumer get sent to that socket in the format you want.

You'll just need to set up something to listen to that socket and write to a file.

MikeyB
  • Is there some other way without listening to the socket? I wonder why can't I add something to this declaration ... destination messages { file("/var/log/messages"); }; log { source(src); filter(f_messages); destination(messages); }; ... to add field in /var/log/messages... – user31462 Feb 08 '10 at 16:32
  • I posted this particular method since my log consumer just listened to the socket without any intermediate files. Thought it might fit your need :) – MikeyB Feb 08 '10 at 18:26
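The listener that this answer leaves to the reader, as an added example that is not code from the thread or from syslog-ng: it accepts the unix-stream() destination's connection, appends each message to a file with its `<PRI>` header intact (the format the question asks for), and decodes PRI back into facility and severity names so the output can be checked (RFC 3164 defines PRI as facility * 8 + severity, so the question's `<15>` is user.debug and an sshd login line would carry `<38>`, auth.info). The socket path, the output path and the sample messages fed through `demo_relay()` are assumptions constructed for the example.

```python
"""Listener for a syslog-ng unix-stream() destination (added example, not
from the thread). Reads newline-delimited RFC 3164 messages such as
"<38>Feb 8 09:29:53 sles1 sshd[17529]: ..." from a UNIX stream socket,
appends them to a file unchanged, and decodes the <PRI> header.
SOCKET_PATH and OUTPUT_PATH are assumed values for illustration."""
import io
import os
import re
import socket

SOCKET_PATH = "/var/run/syslog-output"   # assumed; the answer's unix-stream() path
OUTPUT_PATH = "/var/log/messages-pri"    # assumed output file

# RFC 3164 facility codes 0..23 and severity codes 0..7, indexed by number.
# Names for 13..15 follow the RFC's descriptions (log audit, log alert, clock daemon).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility, severity):
    """PRI value for the <PRI> header: user(1).debug(7) -> 15, auth(4).info(6) -> 38."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23, severity 0..7")
    return facility * 8 + severity


def decode_pri(line):
    """Return (facility_name, severity_name) for a '<PRI>...' line, or None when
    the line has no valid PRI header (the relay keeps such lines, it never drops them)."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal value
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def relay(conn, out):
    """Copy newline-delimited messages from a connected stream socket to a text
    file object, one message per line, and return how many were written.
    Messages split across recv() chunks and a trailing partial line are handled."""
    buf = b""
    count = 0
    while True:
        chunk = conn.recv(4096)
        if not chunk:                   # peer (syslog-ng) closed the connection
            break
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            out.write(line.decode("utf-8", "replace") + "\n")
            count += 1
    if buf:                             # message without a final newline
        out.write(buf.decode("utf-8", "replace") + "\n")
        count += 1
    out.flush()
    return count


def serve(socket_path=SOCKET_PATH, output_path=OUTPUT_PATH):
    """Accept connections from syslog-ng on a UNIX stream socket and append every
    message to output_path; syslog-ng reconnects on its own if the listener restarts."""
    if os.path.exists(socket_path):
        os.unlink(socket_path)          # stale socket file from a previous run
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(socket_path)
    os.chmod(socket_path, 0o600)        # only the owner (the syslog-ng user) may connect
    srv.listen(1)
    with open(output_path, "a") as out:
        while True:
            conn, _ = srv.accept()
            with conn:
                relay(conn, out)


def demo_relay():
    """Offline check with a constructed socket pair: two sample messages, the
    first split across two sends and the second lacking a trailing newline.
    Returns (count, lines_written)."""
    sample = (b"<38>Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam "
              b"for root from 10.30.34.64 port 4855 ssh2\n"
              b"<15>Feb 8 09:29:54 sles1 logger: constructed test message")
    a, b = socket.socketpair()
    b.sendall(sample[:40])
    b.sendall(sample[40:])
    b.close()
    out = io.StringIO()
    with a:
        count = relay(a, out)
    return count, out.getvalue().splitlines()


if __name__ == "__main__":
    serve()
```

Run it as the same user syslog-ng runs as, point the answer's `unix-stream("/var/run/syslog-output")` destination at `SOCKET_PATH`, and the file at `OUTPUT_PATH` receives the messages with the `<PRI>` prefix; `decode_pri()` is what a log consumer would use to filter on facility and severity without regex-guessing from the program name.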