/etc/syslog-ng/syslog-ng.conf - syslog-ng configuration file

The configuration file is read at startup and is reread after receipt of a hangup (HUP) signal.

kill -HUP `cat /var/run/syslog-ng.pid`

When reloading the configuration file, destination files are closed.

A message route in syslog-ng is made up of three parts:

  1. a source,
  2. a destination and
  3. filtering rules.

source sourcename { sourcedriver params; sourcedriver params; … };

Sourcename is an identifier to refer to this group of messages.
Sourcedriver is a method of getting a given message.

destination destname { destdriver params; destdriver params; … };

filter filtername { expression; };

expression is a simple boolean expression.
Use "and", "or" and "not" to connect builtin functions.

LOG STATEMENTS

log { source(S1); source(S2); …
      filter(F1); filter(F2); …
      destination(D1); destination(D2); … };

Where Sx refers to one of the declared log sources, Fx one of the filters and Dx one of the destinations.

Filters are ANDed together.

OPTIONS

Options set in an options statement are global.
Some can also be included on other statements.

options { opt1; opt2; ... };

chain_hostnames(yes|no) Enable or disable the chained hostname format.
keep_hostname(yes|no) Specifies whether to use the hostname as included in the message. If no, the hostname is rewritten based on where the message was received from.
bad_hostname(regex)
check_hostname(yes|no) Check the hostname for valid characters.
use_dns(yes|no) Enable or disable DNS usage. syslog-ng blocks on DNS queries, so enabling DNS may lead to a Denial of Service attack. To prevent DoS, protect your syslog-ng network endpoint with firewall rules, and make sure that all hosts that may reach syslog-ng are resolvable.
use_fqdn(yes|no) Add Fully Qualified Domain Name instead of short hostname.
dns_cache(yes|no)
dns_cache_expire(n) seconds while a successful lookup is cached.
dns_cache_expire_failed(n) seconds while a failed lookup is cached.
dns_cache_size(n) Number of hostnames in the DNS cache.
create_dirs(yes|no) Enable or disable directory creation for destination files.
dir_owner(uid) User id.
dir_group(gid) Group id.
dir_perm(perm) Permission value (octal mask).
owner(uid) User id for created files.
group(gid) Group id for created files.
perm(perm) Permission value for created files.
gc_busy_threshold(n) Threshold for the garbage collector when syslog-ng is busy. The GC phase starts when the number of allocated objects reaches this number. Default: 3000.
gc_idle_threshold(n) Threshold for the garbage collector when syslog-ng is idle. The GC phase starts when the number of allocated objects reaches this number. Default: 100.
log_fifo_size(n) Number of lines fitting in the output queue.
log_msg_size(n) Maximum length of message in bytes (NOTE: some syslogd implementations have a fixed limit of 1024 characters).
mark(n) seconds between two MARK lines.
stats(n) seconds between two STATS messages.
sync(n) number of lines buffered before written to file (can be overridden locally).
time_reap(n) time to wait before an idle destination file is closed.
time_reopen(n) time to wait before a dead connection is reestablished.
use_time_recvd(yes|no) Used for macro expansion, where the meaning of the time-specific macros depends on this setting. Because there are separate macros for the received timestamp (R_ macros) and the log message timestamp (S_ macros), using this option is not recommended.

SAMPLE

# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.7 2007/08/02 04:52:18 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
          chain_hostnames(off);
          sync(0);
          mark(600);
          # The default action is to log a STATS line to the file every 10 minutes.
          # Change it to every 6 hours: 6*60*60 = 21600
          stats(21600);
};

# Sample log:
# Feb 19 09:54:21 myhost -- MARK --
# Feb 19 10:09:27 myhost syslog-ng[7274]:
# Log statistics; processed='center(queued)=1270',
# processed='center(received)=635',
# processed='destination(messages)=635',
# processed='destination(console_all)=635',
# processed='source(src)=635'
# Feb 19 10:29:26 myhost -- MARK --
# Feb 19 10:49:26 myhost -- MARK --
# Feb 19 11:09:26 myhost -- MARK --

source src {
    unix-stream("/dev/log" max-connections(256));
    internal();
    file("/proc/kmsg");
};

destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

# To use /dev/console for programs like xconsole
# comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); destination(messages); };
log { source(src); destination(console_all); };
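
A configuration check built on the structure described above (added example, not part of syslog-ng or of the original page): it verifies that every log statement refers to declared sources, filters and destinations, and flags use_dns enabled and world-accessible perm/dir_perm values. The function names, the sample configuration and the permission policy are assumptions of this example; the parser is regex-based and assumes '#' never appears inside a quoted string.

```python
import re

# Constructed sample: undeclared filter, DNS enabled, world-readable log files.
SAMPLE = r'''
options { use_dns(yes); perm(0644); sync(0); };
source src { unix-stream("/dev/log"); internal(); };
destination messages { file("/var/log/messages"); };
filter f_auth { facility(auth, authpriv); };
log { source(src); filter(f_auth); filter(f_missing); destination(messages); };
'''

DECL = re.compile(r'\b(source|destination|filter)\s+([\w.-]+)\s*\{')      # "source name {"
REF = re.compile(r'\b(source|destination|filter)\s*\(\s*([\w.-]+)\s*\)')  # "source(name)"
LOG = re.compile(r'\blog\s*\{([^}]*)\}')
OPTS = re.compile(r'\boptions\s*\{([^}]*)\}')
OPT = re.compile(r'([\w-]+)\s*\(\s*([^)]*?)\s*\)')

def strip_comments(text):
    # Assumption: '#' only starts comments, never occurs inside a quoted string.
    return re.sub(r'#[^\n]*', '', text)

def audit(text):
    """Return a list of findings for a syslog-ng.conf given as a string."""
    text = strip_comments(text)
    declared = set(DECL.findall(text))
    findings, used = [], set()
    for body in LOG.findall(text):
        for ref in REF.findall(body):
            used.add(ref)
            if ref not in declared:
                findings.append("undeclared %s '%s' used in a log statement" % ref)
    for kind, name in sorted(declared - used):
        findings.append("%s '%s' is declared but never used in a log statement" % (kind, name))
    opts = {}
    for body in OPTS.findall(text):
        opts.update(OPT.findall(body))
    if opts.get("use_dns") in ("yes", "on"):
        findings.append("use_dns enabled: syslog-ng blocks on DNS queries (DoS risk)")
    for key in ("perm", "dir_perm"):  # policy assumed here: no access for 'other'
        if key in opts and int(opts[key], 8) & 0o007:
            findings.append("%s(%s) grants access to 'other' users" % (key, opts[key]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
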

COPYRIGHT

syslog-ng Copyright (c) 1999-2004 BalaBit Ltd,
portions were contributed by Jose Pedro Oliveira.

SEE ALSO

syslog-ng, syslog