/etc/syslog-ng/syslog-ng.conf - syslog-ng configuration file
The configuration file is read at startup and is reread after receipt of a hangup (HUP) signal.
kill -HUP `cat /var/run/syslog-ng.pid`
When reloading the configuration file, destination files are closed.
A message route in syslog-ng is made up of three parts:
- a source,
- a destination and
- filtering rules.
source sourcename { sourcedriver params; sourcedriver params; … };
Sourcename is an identifier to refer to this group of messages.
Sourcedriver is a method of getting a given message.
- file filename - reads messages from file
- unix-dgram filename - reads messages from AF_UNIX, SOCK_DGRAM socket (BSDi style)
- unix-stream filename - reads messages from AF_UNIX, SOCK_STREAM socket (Linux style)
- udp ip,port - network source using UDP protocol. To not bind to a specific interface use 0.0.0.0.
- tcp ip,port - network source using TCP protocol.
- sun-streams filename - local source used on Solaris systems
destination destname { destdriver params; destdriver params ; … ; };
- file filename
- unix-dgram filename
- unix-stream filename
- udp ip [,port]
- tcp ip,port
- usertty username - sends log to the given user's terminal
filter filtername { expression ; };
expression is a simple boolean expression.
Use "and", "or" and "not" to connect builtin functions.
- facility(list of comma separated facility names)
- level(list of priority names OR range separated by "..")
- program(regexp to match program name)
- host(regexp to match program name)
- match(regexp to match program name)
LOG STATEMENTS
log { source S1; source S2; …
filter F1; filter F2; …
destination D1; destination D2; … };
Where Sx refers to one of the declared log sources, Fx one of the filters and Dx one of the destinations.
Filters are ANDed together.
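A complete route built from the three kinds of statement above, as an added example (not part of the original page or the syslog-ng distribution). The names s_local, f_auth, f_sshd, f_warn, d_auth and d_sshd_warn, the adm group and the log file paths are assumptions chosen for illustration; references are written in the source(...)/filter(...)/destination(...) form that the sample configuration further down uses.

```conf
# Added example: names, group and paths are assumptions, not from the original page.
source s_local {
    unix-stream("/dev/log");    # local applications (Linux style)
    internal();                 # syslog-ng's own messages
};

# Authentication traffic, excluding cron's routine session messages.
filter f_auth { facility(auth, authpriv) and not program("cron"); };
# Program name matched by regexp.
filter f_sshd { program("sshd"); };
# Priority range: warning and everything more severe.
filter f_warn { level(warning..emerg); };

# owner/group/perm given here override the global options for this file.
destination d_auth {
    file("/var/log/auth.log" owner(root) group(adm) perm(0640));
};
destination d_sshd_warn {
    file("/var/log/sshd-warn.log" owner(root) group(adm) perm(0640));
};

# One filter: every auth/authpriv message that is not from cron.
log { source(s_local); filter(f_auth); destination(d_auth); };

# Two filters in one log statement are ANDed: only sshd messages
# at warning or above reach d_sshd_warn.
log { source(s_local); filter(f_sshd); filter(f_warn); destination(d_sshd_warn); };
```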
OPTIONS
As an options command they are global. Some can be included on other commands.
options { opt1; opt2; ... };
- chain_hostnames(yes|no) - Enable or disable the chained hostname format.
- keep_hostname(yes|no) - Specifies whether to use the hostname as included in the message. If no, the hostname is rewritten based on where the message was received from.
- bad_hostname(regex)
- check_hostname(yes|no) - Check the hostname for valid characters.
- use_dns(yes|no) - Enable or disable DNS usage. syslog-ng blocks on DNS queries, so enabling DNS may lead to a Denial of Service attack. To prevent DoS, protect your syslog-ng network endpoint with firewall rules, and make sure that all hosts that may reach syslog-ng are resolvable.
- use_fqdn(yes|no) - Add the Fully Qualified Domain Name instead of the short hostname.
- dns_cache(yes|no)
- dns_cache_expire(n) - Seconds a successful lookup is cached.
- dns_cache_expire_failed(n) - Seconds a failed lookup is cached.
- dns_cache_size(n) - Number of hostnames in the DNS cache.
- create_dirs(yes|no) - Enable or disable directory creation for destination files.
- dir_owner(uid) - User id.
- dir_group(gid) - Group id.
- dir_perm(perm) - Permission value (octal mask).
- owner(uid) - User id for created files.
- group(gid) - Group id for created files.
- perm(perm) - Permission value for created files.
- gc_busy_threshold(n) - Threshold for the garbage collector when syslog-ng is busy. The GC phase starts when the number of allocated objects reaches this number. Default: 3000.
- gc_idle_threshold(n) - Threshold for the garbage collector when syslog-ng is idle. The GC phase starts when the number of allocated objects reaches this number. Default: 100.
- log_fifo_size(n) - Number of lines fitting in the output queue.
- log_msg_size(n) - Maximum length of a message in bytes (NOTE: some syslogd implementations have a fixed limit of 1024 characters).
- mark(n) - Seconds between two MARK lines.
- stats(n) - Seconds between two STATS messages.
- sync(n) - Number of lines buffered before being written to file (can be overridden locally).
- time_reap(n) - Time to wait before an idle destination file is closed.
- time_reopen(n) - Time to wait before a dead connection is reestablished.
- use_time_recvd(yes|no) - Used for macro expansion, where the meaning of the time-specific macros depends on this setting. However, as there are separate macros for referring to the received timestamp (R_ macros) and the log message timestamp (S_), using this value is not recommended.
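The use_dns warning above applies to any instance with a network source. The following is an added example (not from the original page or the syslog-ng distribution) of global options for such a collector; the address 192.0.2.10, the adm group, the /var/log/remote path, the names s_net and d_remote and the numeric values are assumptions.

```conf
# Added example: address, group, paths and sizes are assumptions.
options {
    use_dns(no);          # never block on a resolver while receiving
    keep_hostname(no);    # ignore the hostname claimed inside the message
    chain_hostnames(no);
    log_msg_size(8192);   # upper bound on accepted message length
    create_dirs(yes);     # needed for the per-host directories below
    dir_owner(root); dir_group(adm); dir_perm(0750);
    owner(root); group(adm); perm(0640);
    time_reopen(10);
};

# Bind to one interface address instead of 0.0.0.0.
source s_net { udp(ip(192.0.2.10) port(514)); };

# With keep_hostname(no) and use_dns(no), $HOST expands to the sender's
# IP address, so remote senders cannot choose the directory name.
destination d_remote { file("/var/log/remote/$HOST/messages"); };

log { source(s_net); destination(d_remote); };

# If host names are required, keep lookups cheap instead:
#   use_dns(yes); dns_cache(yes); dns_cache_size(1000);
#   dns_cache_expire(3600); dns_cache_expire_failed(60);
```

The firewall rules the use_dns entry calls for are still required; these options only remove the resolver from the receive path.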
sample
# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.7 2007/08/02 04:52:18 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
    chain_hostnames(off);
    sync(0);
    mark(600);
    # The default action is to log a STATS line to the file every 10 minutes.
    # Change it to every 6 hours: 6*60*60 = 21600
    stats(21600);
};

# Sample log:
# Feb 19 09:54:21 myhost -- MARK --
# Feb 19 10:09:27 myhost syslog-ng[7274]: Log statistics;
#     processed='center(queued)=1270',
#     processed='center(received)=635',
#     processed='destination(messages)=635',
#     processed='destination(console_all)=635',
#     processed='source(src)=635'
# Feb 19 10:29:26 myhost -- MARK --
# Feb 19 10:49:26 myhost -- MARK --
# Feb 19 11:09:26 myhost -- MARK --

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# To use /dev/console for programs like xconsole
# comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); destination(messages); };
log { source(src); destination(console_all); };
COPYRIGHT
syslog-ng Copyright (c) 1999-2004 BalaBit Ltd, portions were contributed by Jose Pedro Oliveira.
SEE ALSO
syslog-ng, syslog