very basic syslog-ng filtering + logrotate


Just something simple today: syslog-ng filtering to different files.

I was getting fed up with /var/log/messages getting clogged with messages from dhcpd and named so I put in some simple filters:

filter f_dhcpd { program(dhcpd); };
filter f_named { program(named); };
filter f_messages { not program(dhcpd) and not program(named); };

The first two just match messages coming from the dhcpd and named executables; the third excludes those two from messages.

Of course I could've also used facility(local7), which is the default in Gentoo for dhcpd, but I thought it was better this way since I have no idea whether something else uses local7, or what for.

To go with the filters, two simple destinations:

destination dhcpd { file("/var/log/dhcpd.log"); };
destination named { file("/var/log/named.log"); };

and to round it off the log statements:

log { source(src); filter(f_dhcpd); destination(dhcpd); };
log { source(src); filter(f_named); destination(named); };
log { source(src); filter(f_messages); destination(messages); };

Don't forget to add the messages filter; otherwise your messages destination will still get the dhcpd and named stuff as well.
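To see what the three log statements actually do, here is a small added model of them in Python (example code, not part of the original post and not syslog-ng's own code). It parses a few constructed BSD-format syslog lines, applies the same filter expressions, and reports which file each message lands in. Two things it shows that the snippets alone do not: leaving out f_messages makes /var/log/messages receive everything again, and program() is a regular-expression match that is searched, not anchored, against the PROGRAM field, so a bare program(named) also matches a hypothetical "unnamed-daemon" unless you write "^named$". The sample lines, host name and the "unnamed-daemon" program are constructed for the example.

```python
import re

# Constructed sample lines (not from the original post) in the BSD syslog
# format that syslog-ng's default source parses:
#   "<timestamp> <host> <program>[<pid>]: <message>"
SAMPLE_LINES = [
    "Mar  1 10:00:01 gw dhcpd: DHCPACK on 192.0.2.10 to 00:11:22:33:44:55 via eth1",
    "Mar  1 10:00:02 gw named[1234]: client 192.0.2.10#5353: query: example.org IN A",
    "Mar  1 10:00:03 gw sshd[2222]: Accepted publickey for admin from 192.0.2.50",
    "Mar  1 10:00:04 gw cron[777]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  1 10:00:05 gw unnamed-daemon[99]: started",
]

_SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse(line):
    """Split a syslog line into its fields; PROGRAM is what program() inspects."""
    m = _SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not a BSD syslog line: %r" % line)
    return m.groupdict()


def program(pattern):
    """Model of syslog-ng's program() filter: a regular expression that is
    searched (not anchored) against the PROGRAM field."""
    rx = re.compile(pattern)
    return lambda msg: rx.search(msg["program"]) is not None


def not_(flt):
    """Model of the filter-expression operator 'not'."""
    return lambda msg: not flt(msg)


def both(a, b):
    """Model of the filter-expression operator 'and'."""
    return lambda msg: a(msg) and b(msg)


def build_logs(anchored=False, filter_messages=True):
    """Return the three log {} statements as (filter, destination) pairs.

    anchored=True uses ^name$ instead of the post's bare names;
    filter_messages=False reproduces leaving out f_messages.
    """
    f_dhcpd = program("^dhcpd$" if anchored else "dhcpd")
    f_named = program("^named$" if anchored else "named")
    # filter f_messages { not program(dhcpd) and not program(named); };
    f_messages = both(not_(f_dhcpd), not_(f_named))
    everything = lambda msg: True
    return [
        (f_dhcpd, "/var/log/dhcpd.log"),
        (f_named, "/var/log/named.log"),
        (f_messages if filter_messages else everything, "/var/log/messages"),
    ]


def route(lines, logs):
    """Deliver each line to every destination whose filter matches, as
    syslog-ng does; returns {destination: [program, ...]}."""
    delivered = {dest: [] for _, dest in logs}
    for line in lines:
        msg = parse(line)
        for flt, dest in logs:
            if flt(msg):
                delivered[dest].append(msg["program"])
    return delivered


if __name__ == "__main__":
    for label, logs in [
        ("post's config", build_logs()),
        ("without f_messages", build_logs(filter_messages=False)),
        ("anchored program()", build_logs(anchored=True)),
    ]:
        print(label)
        for dest, progs in route(SAMPLE_LINES, logs).items():
            print("  %-20s %s" % (dest, progs))
```

Running it prints one routing table per variant; the anchored variant is the one to copy if a host ever runs a program whose name merely contains "dhcpd" or "named".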

One thing I tend to forget when doing things like this: add log rotation (using app-admin/logrotate) for the new logs.

So in Gentoo there is /etc/logrotate.d, which contains many scripts. syslog-ng already ships the default one for /var/log/messages; app-admin/syslog-ng comes with this:

#
# Syslog-ng logrotate snippet for Gentoo Linux
# contributed by Michael Sterrett
#

/var/log/messages {
delaycompress
missingok
sharedscripts
postrotate
/etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
endscript
}

So one could add more entries at the end of this file. Since I want to treat the new log files exactly the same way as /var/log/messages, I instead just change the existing entry to apply to all of them:

/var/log/messages /var/log/dhcpd.log /var/log/named.log {
delaycompress
missingok
sharedscripts
postrotate
/etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
endscript
}

This also means I am only reloading syslog-ng once.
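The thing that usually goes wrong here is not the stanza itself but forgetting one of the files, so here is an added Python check (example code, not from the original post or from the logrotate/syslog-ng projects) that cross-references the two configs: it collects every file() destination from a syslog-ng config excerpt, parses the logrotate stanzas, and lists destinations nothing rotates. It also counts how often the postrotate script would run per pass, which is the "only reloading once" point: with sharedscripts logrotate runs the script once per stanza, without it once per rotated file. The config excerpts are constructed for the example (the /dev/tty12 destination is included only to show that device nodes are skipped).

```python
import re
from fnmatch import fnmatch

# Constructed excerpts (not the original files) of the two configs involved.
SYSLOG_NG_DESTINATIONS = '''
destination messages { file("/var/log/messages"); };
destination dhcpd { file("/var/log/dhcpd.log"); };
destination named { file("/var/log/named.log"); };
destination console_all { file("/dev/tty12"); };
'''

# The stock Gentoo snippet as shipped (rotates only /var/log/messages).
LOGROTATE_BEFORE = '''
#
# Syslog-ng logrotate snippet for Gentoo Linux
#
/var/log/messages {
delaycompress
missingok
sharedscripts
postrotate
/etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
endscript
}
'''

# The same snippet after listing the new files in the one stanza.
LOGROTATE_AFTER = LOGROTATE_BEFORE.replace(
    "/var/log/messages {",
    "/var/log/messages /var/log/dhcpd.log /var/log/named.log {",
)


def file_destinations(conf):
    """File paths written by file() destinations; device nodes such as
    /dev/tty12 are skipped because they are not rotatable logs."""
    paths = re.findall(r'file\(\s*"([^"]+)"', conf)
    return [p for p in paths if not p.startswith("/dev/")]


def logrotate_stanzas(conf):
    """Parse 'paths { directives }' stanzas into (paths, directives) pairs.
    Comment lines are dropped first; a stanza header may list several
    paths or globs separated by whitespace."""
    text = "\n".join(ln for ln in conf.splitlines()
                     if not ln.lstrip().startswith("#"))
    stanzas = []
    for m in re.finditer(r"([^{}]+)\{([^}]*)\}", text, re.S):
        paths = m.group(1).split()
        directives = [ln.strip() for ln in m.group(2).splitlines() if ln.strip()]
        stanzas.append((paths, directives))
    return stanzas


def covered(path, stanzas):
    """True if some stanza header (literal path or glob) matches this path."""
    return any(fnmatch(path, pattern) for paths, _ in stanzas for pattern in paths)


def unrotated(syslog_conf, logrotate_conf):
    """Destinations syslog-ng writes to that no logrotate stanza rotates."""
    stanzas = logrotate_stanzas(logrotate_conf)
    return sorted(p for p in file_destinations(syslog_conf) if not covered(p, stanzas))


def postrotate_runs(logrotate_conf):
    """How many times postrotate scripts run in one logrotate pass when every
    listed file is rotated: once per stanza with sharedscripts, otherwise
    once per file."""
    runs = 0
    for paths, directives in logrotate_stanzas(logrotate_conf):
        if "postrotate" not in directives:
            continue
        runs += 1 if "sharedscripts" in directives else len(paths)
    return runs


if __name__ == "__main__":
    print("unrotated before:", unrotated(SYSLOG_NG_DESTINATIONS, LOGROTATE_BEFORE))
    print("unrotated after: ", unrotated(SYSLOG_NG_DESTINATIONS, LOGROTATE_AFTER))
    print("reloads per pass, after:", postrotate_runs(LOGROTATE_AFTER))
    print("reloads per pass without sharedscripts:",
          postrotate_runs(LOGROTATE_AFTER.replace("sharedscripts\n", "")))
```

Pointing the two constants at the real /etc/syslog-ng/syslog-ng.conf and the files under /etc/logrotate.d turns this into a quick audit: an unrotated destination means a log that will grow until the filesystem fills, at which point syslog-ng stops being able to record anything.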

Don't forget to run this regularly, or have it in a cronjob. FWIW, lately I prefer sys-process/cronie for that ;)
