
I'm moving a Solaris box from syslogd to syslog-ng, because the Solaris version of syslogd obliterates the original source hostname on the logs. I'm looking through the syslog-ng.conf documentation, but am not sure I understand it all fully. We have a relatively simple syslog.conf; I was hoping a syslog-ng expert out there could tell me how to 'convert' it to a workable syslog-ng.conf?

```
#ident  "@(#)syslog.conf        1.5     98/12/14 SMI"   /* SunOS 5.0 */
#
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.
# All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

#*.alert;kern.err;daemon.err                    operator
#*.alert                                                root

*.emerg                                         *
local7.debug                                    /var/log/ncolog
audit.debug                                     /var/log/ncolog
local7.debug                                    @nimitz
audit.debug                                     @nimitz

# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice                    ifdef(`LOGHOST', /var/log/authlog, @loghost)

mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)

#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err                                        /dev/sysmsg
user.err                                        /var/adm/messages
#user.alert                                     `root, operator'
user.emerg                                      *
)
```
ewwhite
coding_hero

1 Answer


syslog-ng is very straightforward (but a lot wordier) once you understand the structure of its configuration file. In a simple installation like yours, all you need to know for now is that you have to configure sources, filters, and destinations. I am not sure what version of syslog-ng you are running, but here's one for 3.0.x (which will work for more recent versions as well):

```
@version 3.0

# syslog source
source s_sys { sun-streams ("/dev/log" door("/var/run/syslog_door")); };

# use this instead if you receive logs from network:
# source s_sys { udp ();
#                sun-streams ("/dev/log" door("/var/run/syslog_door")); };

# destinations
destination d_sysmsg { file ("/dev/sysmsg"); };
destination d_messages { file ("/var/adm/messages"); };
destination d_ncolog { file ("/var/log/ncolog"); };
destination d_nimitz { udp ("nimitz"); };
destination d_auth { file ("/var/log/authlog"); };
destination d_syslog { file ("/var/log/syslog"); };
destination d_users { usertty ("*"); };

# filters ('and' binds tighter than 'or', so each "facility and priority" pair is one term)
filter f_emerg { priority (emerg); };                   # *.emerg
# *.err;kern.notice;auth.notice
filter f_sysmsg { priority (err..emerg) or
                  (facility (kern) or facility (auth)) and priority (notice..emerg); };
# *.err;kern.debug;daemon.notice;mail.crit
filter f_messages { priority (err..emerg) or
                    facility (kern) or
                    facility (daemon) and priority (notice..emerg) or
                    facility (mail) and priority (crit..emerg); };
filter f_local7 { facility (local7); };                 # local7.debug
filter f_audit { facility (13); };                      # audit.debug: no 'audit' keyword, Solaris LOG_AUDIT is code 13
filter f_mail { facility (mail); };                     # mail.debug

# log paths (no flags(final), so a message matching several filters goes to all of them, as with syslogd)
log { source (s_sys); filter (f_emerg); destination (d_users); };
log { source (s_sys); filter (f_sysmsg); destination (d_sysmsg); };
log { source (s_sys); filter (f_messages); destination (d_messages); };
log { source (s_sys); filter (f_local7); destination (d_ncolog); destination (d_nimitz); };
log { source (s_sys); filter (f_audit); destination (d_ncolog); destination (d_nimitz); };
log { source (s_sys); filter (f_mail); destination (d_syslog); };
```

I think I covered everything but the "ifdef" pieces. If your host is not keeping logs locally, i.e. it is not LOGHOST, you have to add another destination

```
destination d_loghost { udp ("loghost"); };
```

and change the log path for mail to

```
log { source (s_sys); filter (f_mail); destination (d_loghost); };
```
mghocke
  • Thank you so much for this! I'm not entirely comfortable with syslog.conf, so configuring syslog-ng was stretching it. – coding_hero Jul 11 '12 at 00:11
  • When it comes to maintaining host names in syslog entries you may have to play around with some of the syslog-ng options to keep them straight. See http://www.balabit.com/sites/default/files/documents/syslog-ng-v3.0-guide-admin-en.html/reference_options.html for a lot more information. – mghocke Jul 11 '12 at 13:17
  • From what I've read so far, I think the `options { use_fqdn(yes); };` is supposed to do it. At least, that's where I'm going to start. – coding_hero Jul 11 '12 at 16:05
  • I'm getting this error: `Error parsing filter expression, Unknown facility "audit" in /usr/local/etc/syslog-ng.conf at line 38, column 28: filter f_audit { facility (audit); };` – coding_hero Jul 11 '12 at 16:41
  • Posted as a follow-up question [here](http://serverfault.com/questions/406863/configuring-audit-facility-in-syslog-ng-on-solaris-server). – coding_hero Jul 11 '12 at 17:33
  • Ah, I forgot about that. Instead of 'facility (audit)' just say 'facility (13)'. I'll update the question you've opened for this as well. – mghocke Jul 11 '12 at 18:21
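As an added example (not part of the original thread, and not syslog-ng's own tooling), the following Python script mechanises the translation the answer does by hand, so a hand-written syslog-ng.conf can be cross-checked against the syslog.conf it came from. It parses Solaris selector lines, emits one syslog-ng 3.x filter per distinct selector with explicit parentheses (so nothing depends on and/or precedence), derives a destination from each action, and writes the log paths. It generalises a little beyond the thread's file: comma-separated facility lists and `facility.none` exclusions are handled too. Assumptions: the `audit` facility is written as `facility(13)`, as the comments above settle on; `keep_hostname(yes)` is emitted so a box that relays for other hosts keeps the hostname carried in a received message (the problem the question raises); the m4 `ifdef()` constructs are not translated but returned for manual review. The embedded sample is a constructed subset of the question's syslog.conf.

```python
"""Translate Solaris syslog.conf selector/action lines into syslog-ng 3.x statements.
Added illustration for the thread above; not part of syslog-ng or of the original answer."""
import re

LEVELS = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
# syslog-ng has no 'audit' facility keyword; the thread resolves it as facility(13)
FACILITY_ALIASES = {"audit": "13"}

# Constructed sample: a subset of the question's syslog.conf
SAMPLE_SYSLOG_CONF = """\
*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
*.emerg                                         *
local7.debug                                    /var/log/ncolog
audit.debug                                     /var/log/ncolog
local7.debug                                    @nimitz
audit.debug                                     @nimitz
mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)
ifdef(`LOGHOST', ,
user.err                                        /dev/sysmsg
user.emerg                                      *
)
"""


def _clause(fac, lvl):
    """One 'facility.level' pair -> a syslog-ng filter term (a level means that level and above)."""
    if lvl not in LEVELS:
        raise ValueError(f"unknown level {lvl!r}")
    fac = FACILITY_ALIASES.get(fac, fac)
    rng = "emerg" if lvl == "emerg" else f"{lvl}..emerg"
    if fac == "*":
        return f"level({rng})"
    if lvl == "debug":                      # 'fac.debug' selects every level of that facility
        return f"facility({fac})"
    return f"(facility({fac}) and level({rng}))"


def selector_to_filter(selector):
    """'*.err;kern.notice' -> 'level(err..emerg) or (facility(kern) and level(notice..emerg))'.
    Parentheses are explicit so the result never depends on and/or precedence.
    'fac.none' items exclude that facility from the whole expression."""
    include, exclude = [], []
    for item in selector.split(";"):
        fac, _, lvl = item.strip().partition(".")
        if not fac or not lvl:
            raise ValueError(f"bad selector {item!r}")
        for f in fac.split(","):            # BSD-style 'kern,auth.notice' lists
            if lvl == "none":
                exclude.append(FACILITY_ALIASES.get(f, f))
            else:
                include.append(_clause(f, lvl))
    if not include:
        raise ValueError(f"selector {selector!r} selects nothing")
    expr = " or ".join(include)
    if exclude:
        expr = f"({expr})" + "".join(f" and not facility({f})" for f in exclude)
    return expr


def action_to_destination(action):
    """syslog.conf action -> (destination name, list of syslog-ng driver statements)."""
    action = action.strip().strip("`'")
    if action.startswith("/"):              # file or device
        return "d_" + re.sub(r"\W+", "_", action.strip("/")), [f'file("{action}")']
    if action.startswith("@"):              # forward to a loghost (syslogd speaks UDP/514)
        host = action[1:]
        return "d_" + re.sub(r"\W+", "_", host), [f'udp("{host}")']
    if action == "*":                       # write to every logged-in user
        return "d_all_users", ['usertty("*")']
    users = [u.strip() for u in action.split(",")]   # explicit user list
    return "d_" + "_".join(users), [f'usertty("{u}")' for u in users]


def convert(conf_text):
    """Return (syslog-ng config text, list of lines needing manual review).
    m4 ifdef() constructs are not translated: LOGHOST is only known at m4 time."""
    filters, dests, logs, review = {}, {}, [], []
    depth = 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.lstrip().startswith("ifdef(") and not line.endswith(")"):
            depth += 1                          # a multi-line ifdef block opens...
            review.append(raw)
            continue
        if depth and line.strip() == ")":
            depth -= 1                          # ...and closes
            review.append(raw)
            continue
        parts = line.split(None, 1)
        if depth or "ifdef(" in line or len(parts) != 2:
            review.append(raw)
            continue
        selector, action = parts
        fname = filters.setdefault(selector, f"f_{len(filters) + 1}")
        dname, drivers = action_to_destination(action)
        dests[dname] = drivers
        if (fname, dname) not in logs:
            logs.append((fname, dname))

    out = [
        "@version 3.0",
        "# ASSUMPTION: keep the hostname carried in a received message instead of",
        "# rewriting it to the sender's address (the relay behaviour the question complains about)",
        "options { keep_hostname(yes); };",
        "",
        'source s_sys { sun-streams("/dev/log" door("/var/run/syslog_door")); };',
        "",
    ]
    for sel, fname in filters.items():
        out.append(f"filter {fname} {{ {selector_to_filter(sel)}; }};   # {sel}")
    out.append("")
    for dname, drivers in dests.items():
        out.append(f"destination {dname} {{ {'; '.join(drivers)}; }};")
    out.append("")
    for fname, dname in logs:
        out.append(f"log {{ source(s_sys); filter({fname}); destination({dname}); }};")
    return "\n".join(out) + "\n", review


if __name__ == "__main__":
    cfg, review = convert(SAMPLE_SYSLOG_CONF)
    print(cfg)
    for r in review:
        print("# REVIEW:", r)
```

The generated file only declares the local `sun-streams` source; if the box receives logs from the network, the `udp()` source from the answer still has to be added by hand, and the result should be checked with `syslog-ng -s` (syntax check only) before it replaces the running configuration.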