very basic syslog-ng filtering + logrotate


Just something simple today: syslog-ng filtering to different files.

I was getting fed up with /var/log/messages getting clogged with messages from dhcpd and named, so I put in some simple filters:

filter f_dhcpd { program("dhcpd"); };
filter f_named { program("named"); };
filter f_messages { not program("dhcpd") and not program("named"); };

The first two just match messages coming from the dhcpd and named executables; the third excludes those two from messages.

Of course I could also have used facility(local7), which is the default for dhcpd in Gentoo, but I thought this was better since I have no idea whether something else logs to local7 and what for.

To go with the filters, two simple destinations:

destination dhcpd { file("/var/log/dhcpd.log"); };
destination named { file("/var/log/named.log"); };

and, to round it off, the log statements:

log { source(src); filter(f_dhcpd); destination(dhcpd); };
log { source(src); filter(f_named); destination(named); };
log { source(src); filter(f_messages); destination(messages); };

Don't forget the messages filter on the last log statement, otherwise your messages destination will still get the dhcpd and named messages as well.
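To see what the three log statements actually do, here is an added example (not part of the post, and not syslog-ng code): a small Python model of syslog-ng's program() filter run over a few constructed syslog lines. syslog-ng matches program() as an unanchored regular expression against the PROGRAM field, so the model also shows that a plain program("dhcpd") would pick up a tag like the hypothetical dhcpd-helper used below; anchoring the pattern (program("^dhcpd$")) avoids that. The sample lines, hostname and the dhcpd-helper name are all made up for this example.

```python
import re
from collections import defaultdict

# Constructed BSD-syslog style lines (made up for this example), roughly what
# syslog-ng receives from /dev/log: "<timestamp> <host> <program>[pid]: <message>".
SAMPLE_LINES = [
    "Mar  1 10:00:01 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",
    "Mar  1 10:00:01 gw dhcpd: DHCPOFFER on 192.0.2.10 to 00:11:22:33:44:55 via eth0",
    "Mar  1 10:00:02 gw named[1234]: client 192.0.2.10#51000: query: example.org IN A +",
    "Mar  1 10:00:03 gw sshd[2345]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2",
    "Mar  1 10:00:04 gw kernel: [ 1234.5678] eth0: link up",
    "Mar  1 10:00:05 gw dhcpd-helper: hypothetical program whose tag merely starts with dhcpd",
]

# The PROGRAM field (the tag) sits after the hostname, before an optional [pid] and a colon.
TAG_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ([^\s:\[]+)(?:\[\d+\])?:")


def program_of(line):
    """Return the PROGRAM field of a syslog line, or '' if the line does not parse."""
    m = TAG_RE.match(line)
    return m.group(1) if m else ""


def program(pattern):
    """Model of syslog-ng's program() filter: an unanchored regex search on PROGRAM."""
    rx = re.compile(pattern)
    return lambda line: rx.search(program_of(line)) is not None


def not_(f):
    """Model of the 'not' operator in a syslog-ng filter expression."""
    return lambda line: not f(line)


def and_(*fs):
    """Model of the 'and' operator in a syslog-ng filter expression."""
    return lambda line: all(f(line) for f in fs)


def route(lines, log_paths):
    """Apply each (filter, destination) pair to every line, like independent
    log {} statements with no flags(final). Returns {destination: [lines]}."""
    out = defaultdict(list)
    for line in lines:
        for flt, dest in log_paths:
            if flt(line):
                out[dest].append(line)
    return dict(out)


# The post's three filters, modelled as written (unanchored patterns).
F_DHCPD = program("dhcpd")
F_NAMED = program("named")
F_MESSAGES = and_(not_(program("dhcpd")), not_(program("named")))

LOG_PATHS = [
    (F_DHCPD, "/var/log/dhcpd.log"),
    (F_NAMED, "/var/log/named.log"),
    (F_MESSAGES, "/var/log/messages"),
]


def routed_programs(lines=SAMPLE_LINES, log_paths=LOG_PATHS):
    """Summarise the routing as {destination: [program names]} for easy inspection."""
    return {dest: [program_of(l) for l in ls] for dest, ls in route(lines, log_paths).items()}


def messages_without_exclusion(lines=SAMPLE_LINES):
    """What /var/log/messages receives if the f_messages filter is left off the
    last log statement: every line, duplicating dhcpd and named."""
    everything = lambda line: True
    paths = LOG_PATHS[:2] + [(everything, "/var/log/messages")]
    return [program_of(l) for l in route(lines, paths)["/var/log/messages"]]


def anchored_dhcpd_programs(lines=SAMPLE_LINES):
    """Same routing with an anchored pattern, so dhcpd-helper no longer matches."""
    paths = [(program("^dhcpd$"), "/var/log/dhcpd.log")]
    return [program_of(l) for l in route(lines, paths)["/var/log/dhcpd.log"]]


if __name__ == "__main__":
    for dest, progs in sorted(routed_programs().items()):
        print(f"{dest}: {progs}")
    print("messages without f_messages:", messages_without_exclusion())
    print("dhcpd.log with ^dhcpd$:", anchored_dhcpd_programs())
```

Running it shows /var/log/messages keeping only sshd and kernel, /var/log/dhcpd.log collecting both real dhcpd lines plus the hypothetical dhcpd-helper line (the unanchored match), and the duplicated stream /var/log/messages would get if the third log statement had no filter. The model ignores flags(final) and facility/level filters, which the post does not use.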

One thing I tend to forget when doing things like this: add log rotation (using app-admin/logrotate) for the new logs.

In Gentoo there is /etc/logrotate.d, which contains many snippets. app-admin/syslog-ng already ships the default one for /var/log/messages; it comes with this:

#
# Syslog-ng logrotate snippet for Gentoo Linux
# contributed by Michael Sterrett
#

/var/log/messages {
    delaycompress
    missingok
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
    endscript
}

So one could add more entries at the end of this file. Since I want to treat the new log files exactly like /var/log/messages, I instead change it so the same stanza applies to all of them:

/var/log/messages /var/log/dhcpd.log /var/log/named.log {
    delaycompress
    missingok
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng reload > /dev/null 2>&1 || true
    endscript
}

Thanks to sharedscripts, this also means I am only reloading syslog-ng once.

Don't forget to run logrotate regularly, or have it in a cronjob. FWIW, lately I prefer sys-process/cronie for that ;)
