Oct 22, 2013

Moving on to syslog-ng 3.4 (I)

syslog-ng is an open source implementation of the syslog protocol for Unix and Unix-like systems. It extends the original syslogd model with content-based filtering, flexible configuration options and a number of features the classic syslogd lacks.

Upgrading to version 3.4 is as good an excuse as any to write a custom configuration and fit syslog-ng to our needs.

The basics

The syslog-ng configuration file is pretty straightforward: the idea behind it is to set what you want to monitor, how you want to do it and where you want to save it. The @version line at the top tells syslog-ng which configuration syntax the file was written for. This is a basic configuration example:
@version: 3.4

# Global options
options {
    # Create new dirs if needed
    create_dirs(yes);
    # log a MARK line every hour.
    mark_freq(3600);
    # log a STATS line every hour.
    stats_freq(3600);
    # Enable multi-thread
    threaded(yes);
};

# Sources
source s_all { system(); internal(); };

# Destinations
destination d_syslog { file("/var/log/messages"); };

# Log
log { source(s_all); destination(d_syslog); };

Let's split the configuration into its respective parts to make it easier to understand.

Global Options

The global options configure syslog-ng's basic features and behaviours. It's wise to read through all of them and add to your configuration file any whose default you want to change. You can check all available options in Chapter 9.2 of the Administration Guide.


Sources

Sources configure where syslog-ng needs to look for messages. The basic form is the following:
source <name> { <source_type>(<options>); };
where <source_type> is one of: internal(), file(), pacct(), pipe(), program(), sun-stream(), sun-streams(), syslog(), system(), tcp(), tcp6(), udp(), udp6(), unix-dgram(), unix-stream(). In the example above, system() collects the local log messages of the platform syslog-ng runs on (on Linux, /dev/log) and internal() collects syslog-ng's own messages. You can check what each one does in Table 6.2 of the Administration Guide.


Filters

Filters aren't included in the basic example, but you can create them to select messages by facility, level, program or source, amongst others. This lets you divide the messages coming from one source between the log files you want. For example, if you want to select all FTP messages, you can create a filter like this:
filter f_ftp { facility(ftp); };
This matches every message logged with the ftp facility, so it only catches your FTP daemon's messages if the daemon actually logs with that facility (check its configuration; a program() filter is the alternative when it does not). Then you can use that filter in a log statement to save those messages in the destination you choose.


Destinations

Destinations define where you want to save your logs, either local or remote. In this case we're going to use a local file, but you can check all possible destinations (including SMTP) in Table 7.1 of the Administration Guide.


Log statements

Log statements assemble the statements above (sources, filters and destinations) into the chain that every message we want to keep will follow. As said before, the basic idea is to select where to get the messages (source), optionally which of them to keep (filter) and where to store them (destination).

So, finishing our FTP monitor example, this should be the resulting code to create a log for FTP:
source s_all { system(); filter f_ftp { facility(ftp); }; internal(); };
filter f_ftp { facility(ftp); };
destination d_ftp { file("/var/log/ftp.log"); };
log { source(s_all); filter(f_ftp); destination(d_ftp); };

Keep in mind that syslog-ng delivers a message to every log statement it matches, so with the earlier catch-all log statement still in place the FTP messages end up in both /var/log/messages and /var/log/ftp.log. If you want them only in ftp.log, put the FTP log statement first and add flags(final) to it, which stops syslog-ng from processing the later log statements for those messages.
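To check how filters and log statements interact before a layout goes into syslog-ng.conf, here is a small Python model of syslog-ng's routing. It is an added example, not syslog-ng's own code: it parses only the classic "<PRI>timestamp host program[pid]: text" line shape, the sample messages are constructed, and the filter and flags(final) semantics are modelled from the behaviour described above (every matching log path gets the message unless a matching path marked final stops the walk).

```python
"""Toy model of syslog-ng log-path routing, used to check a filter/log-path
layout against sample messages before it goes into syslog-ng.conf.
Added example, not syslog-ng code: the parser covers only the classic
"<PRI>timestamp host program[pid]: text" shape and SAMPLE is constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Facility and severity names in numeric order (PRI = facility * 8 + severity),
# spelled the way syslog-ng accepts them in facility() and level() filters.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


@dataclass
class Message:
    facility: str
    severity: str
    host: str
    program: str
    text: str


def parse(line: str) -> Message:
    """Split a BSD-style syslog line into the fields the filters can test."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    fac, sev = divmod(int(m.group("pri")), 8)
    if fac >= len(FACILITIES):
        raise ValueError(f"facility {fac} out of range in {line!r}")
    return Message(FACILITIES[fac], SEVERITIES[sev], m.group("host"),
                   m.group("prog"), m.group("msg"))


Filter = Callable[[Message], bool]


def facility(name: str) -> Filter:
    """Model of the facility(<name>) filter."""
    if name not in FACILITIES:
        raise ValueError(f"unknown facility {name}")
    return lambda msg: msg.facility == name


def level(spec: str) -> Filter:
    """Model of level(<name>) or level(<from>..<to>); the range is inclusive
    and may be written in either direction."""
    lo, _, hi = spec.partition("..")
    a = SEVERITIES.index(lo)
    b = SEVERITIES.index(hi) if hi else a
    wanted = set(range(min(a, b), max(a, b) + 1))
    return lambda msg: SEVERITIES.index(msg.severity) in wanted


def program(pattern: str) -> Filter:
    """Model of program(<regexp>), matched against the program name."""
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg.program) is not None


@dataclass
class LogPath:
    """One log { source(); filter(); destination(); flags(); } statement."""
    destinations: List[str]
    filters: List[Filter] = field(default_factory=list)
    final: bool = False  # flags(final): stop walking log paths after this one


def route(lines: List[str], paths: List[LogPath]) -> Dict[str, List[str]]:
    """Deliver each line to every path whose filters all match, in config order,
    until a matching path marked final ends the walk for that line."""
    delivered: Dict[str, List[str]] = {}
    for line in lines:
        msg = parse(line)
        for path in paths:
            if all(f(msg) for f in path.filters):
                for dest in path.destinations:
                    delivered.setdefault(dest, []).append(line)
                if path.final:
                    break
    return delivered


# Constructed sample traffic: vsftpd (ftp.info, ftp.err), sshd (authpriv.info), cron (cron.info).
SAMPLE = [
    '<94>Oct 22 12:00:01 host vsftpd[1234]: CONNECT: Client "10.0.0.5"',
    '<86>Oct 22 12:00:02 host sshd[2345]: Accepted publickey for bob from 10.0.0.7',
    '<78>Oct 22 12:00:03 host cron[99]: (root) CMD (run-parts /etc/cron.hourly)',
    '<91>Oct 22 12:00:04 host vsftpd[1234]: FAIL LOGIN: Client "10.0.0.9"',
]

f_ftp = facility("ftp")

# The post's layout: d_syslog catches everything, d_ftp gets the ftp facility.
# Neither path is final, so the ftp lines are written to both destinations.
DUPLICATING = [LogPath(["d_syslog"]), LogPath(["d_ftp"], [f_ftp])]

# Same filter, ftp path first and marked final: ftp lines reach only d_ftp.
SPLITTING = [LogPath(["d_ftp"], [f_ftp], final=True), LogPath(["d_syslog"])]

if __name__ == "__main__":
    for name, paths in (("duplicating", DUPLICATING), ("splitting", SPLITTING)):
        print(name)
        for dest, lines in route(SAMPLE, paths).items():
            print(f"  {dest}: {len(lines)} line(s)")
```

Running it shows four lines in d_syslog and two in d_ftp for the post's layout, and two and two once the FTP path is first and final. The model checks only the logic of a layout; the real config should still be checked with syslog-ng's own syntax check before the daemon is restarted.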