Solaris syslog-ng.conf

syslog-ng.conf for Solaris
Here is a short guide to the settings I used for syslog-ng on Solaris, with extracts from the documentation.

First the Global options:

options {
    # Output batching: wait for up to 100 lines, or 1000 ms, before
    # flushing to a destination. More throughput, more latency.
    flush_lines(100);
    flush_timeout(1000);

    # Seconds to wait before re-opening a broken connection.
    time_reopen(10);

    # Number of messages the output queue can hold.
    log_fifo_size(1000);

    # Hostname handling.
    normalize_hostnames(yes);   # lower-case hostnames
    use_fqdn(no);               # short names, not fully qualified ones
    keep_hostname(yes);         # trust the hostname carried in the message
    chain_hostnames(no);        # do not record the relay chain
    check_hostname(yes);        # reject hostnames with invalid characters

    # DNS resolution with a cache; entries expire after 43800 seconds.
    use_dns(yes);
    dns_cache(yes);
    dns_cache_expire(43800);

    # Destination files: create missing directories, and create new
    # directories as 0755 and new files as 0644 (both world-readable).
    create_dirs(yes);
    dir_perm(0755);
    perm(0644);
};

Here is the full syslog-ng.conf I use for our Solaris 10 servers:

@version: 3.0


 * 1) Options

# Global options. Values apply to every source and destination below unless
# a driver overrides them.
options {
    flush_lines(100);
    flush_timeout(1000);
    time_reopen(10);
    log_fifo_size(1000);

    normalize_hostnames(yes);
    use_fqdn(no);
    chain_hostnames(no);

    # NOTE(review): keep_hostname(yes) takes the hostname from the message
    # itself. This file uses $HOST in destination paths
    # (/var/log/clients/$HOST/...) and in the r_host_hsm filter, so for
    # network sources that name is chosen by the sender. check_hostname(yes)
    # limits it to valid hostname characters but does not prove who sent it.
    keep_hostname(yes);
    check_hostname(yes);

    # With create_dirs(yes), every new $HOST value creates a directory under
    # /var/log/clients; watch that tree for unexpected names and disk growth.
    create_dirs(yes);

    # DNS lookups block syslog-ng while they run; keep the resolver local
    # and reachable. Cached answers are kept for 43800 seconds.
    use_dns(yes);
    dns_cache(yes);
    dns_cache_expire(43800);

    # NOTE(review): 0755/0644 make every created log, including authlog,
    # readable by all local users. Consider tighter values here, or a
    # per-destination perm() on the sensitive files.
    dir_perm(0755);
    perm(0644);
};

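# Local messages: the Solaris STREAMS log device with its door file, plus
# syslog-ng's own internal messages.
# internal() is written with its parentheses; the page shows "internal;",
# which syslog-ng does not accept as a driver call (the empty parentheses
# appear to have been lost when the page was rendered).
source s_local {
    sun-streams("/dev/log" door("/etc/.syslog_door"));
    internal();
};

# Remote messages handed over on the loopback interface. The source name
# suggests stunnel terminates TLS and forwards here; that part is configured
# outside this file. Binding to 127.0.0.1 keeps the listener unreachable
# from the network.
# Every connection arrives from 127.0.0.1, so the real sender can only be
# known from the hostname inside the message, i.e. keep_hostname(yes).
# NOTE(review): max-connections(1) allows one concurrent connection; confirm
# that matches how many clients the tunnel forwards at once.
source s_stunnel {
    tcp(
        ip("127.0.0.1")
        port(514)
        max-connections(1)
    );
};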
 * 1) Sources of syslog messages (both local and remote messages on the server)

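# Plain UDP syslog listener with driver defaults (no ip() or port() given,
# so it listens on all interfaces on the standard syslog port).
# udp() is written with its parentheses; the page shows "udp;", which
# syslog-ng does not accept as a driver call.
# NOTE(review): UDP syslog is unauthenticated and unencrypted, and the
# global keep_hostname(yes) means $HOST comes from the message content.
# Restrict who can reach this port (host firewall, or ip() bound to the
# management interface) and prefer the s_stunnel path where clients support it.
source s_udp { udp(); };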

# ---- Level filters, inclusive: the named level and everything more severe.
filter f_emerg   { level(emerg); };
filter f_alert   { level(alert .. emerg); };
filter f_crit    { level(crit .. emerg); };
filter f_err     { level(err .. emerg); };
filter f_warning { level(warning .. emerg); };
filter f_notice  { level(notice .. emerg); };
filter f_info    { level(info .. emerg); };
filter f_debug   { level(debug .. emerg); };

# ---- Level filters, exclusive: exactly the named level.
filter f_emerg_e   { level(emerg); };
filter f_alert_e   { level(alert); };
filter f_crit_e    { level(crit); };
filter f_err_e     { level(err); };
filter f_warning_e { level(warning); };
filter f_notice_e  { level(notice); };
filter f_info_e    { level(info); };
filter f_debug_e   { level(debug); };

# ---- Facility filters.
filter f_kern     { facility(kern); };
filter f_user     { facility(user); };
filter f_mail     { facility(mail); };
filter f_daemon   { facility(daemon); };
filter f_auth     { facility(auth); };
filter f_auth_not { not facility(auth); };
filter f_syslog   { facility(syslog); };
filter f_lpr      { facility(lpr); };
filter f_news     { facility(news); };
filter f_uucp     { facility(uucp); };
filter f_cron     { facility(cron); };
filter f_local0   { facility(local0); };
filter f_local1   { facility(local1); };
filter f_local2   { facility(local2); };
filter f_local3   { facility(local3); };
filter f_local4   { facility(local4); };
filter f_local5   { facility(local5); };
filter f_local6   { facility(local6); };
filter f_local7   { facility(local7); };

# ---- Custom filters, built from the ones above.
filter f_user_none     { not facility(user); };
filter f_kern_debug    { filter(f_kern) and filter(f_debug); };
filter f_daemon_notice { filter(f_daemon) and filter(f_notice); };
filter f_mail_crit     { filter(f_mail) and filter(f_crit); };
filter f_mesg {
    filter(f_kern_debug) or
    filter(f_daemon_notice) or
    filter(f_mail_crit);
};

# Authentication-related messages: the auth facility, or anything logged
# under a program name matching "sudo". program() is a pattern match on the
# name carried in the message, so it also matches names that merely contain
# "sudo".
filter f_authinfo  { filter(f_auth) or program(sudo); };
filter f_crond_not { not program(CROND); };

# ---- Destinations: local files and the console.
# NOTE(review): these files are created with the global perm(0644);
# authlog in particular is worth a stricter per-destination perm().
destination l_authlog  { file("/var/log/authlog"); };
destination l_messages { file("/var/adm/messages"); };
destination l_maillog  { file("/var/log/maillog"); };
destination l_ipflog   { file("/var/log/ipflog"); };
destination l_imaplog  { file("/var/log/imaplog"); };
destination l_syslog   { file("/var/log/syslog"); };
destination l_console  { file("/dev/console"); };
 * 1) Level Filters -
 * 2) Inclusive ones
 * 1) exclusive ones
 * 1) Facility Filters
 * 1) Custom Filters
 * 1) Destinations:
 * 2) local files, the console, and the client files

# ---- Destinations for client ("remote") files, one directory per $HOST.
# NOTE(review): with keep_hostname(yes), $HOST is the name carried in the
# message. Each distinct value creates a directory and an open file, so
# monitor /var/log/clients for unexpected names and for disk usage.
destination r_authlog  { file("/var/log/clients/$HOST/authlog"); };
destination r_messages { file("/var/log/clients/$HOST/messages"); };
destination r_maillog  { file("/var/log/clients/$HOST/maillog"); };
destination r_ipflog   { file("/var/log/clients/$HOST/ipflog"); };
destination r_imaplog  { file("/var/log/clients/$HOST/imaplog"); };
destination r_console  { file("/var/log/clients/$HOST/consolelog"); };
destination r_syslog   { file("/var/log/clients/$HOST/syslog"); };
destination r_fallback { file("/var/log/clients/$HOST/$FACILITY-$LEVEL"); };

# ---- Log statements, local sources.
# Several filter() entries in one statement must all match.
log { source(s_local); filter(f_emerg); destination(l_console); };
log { source(s_local); filter(f_err_e); destination(l_console); };
log { source(s_local); filter(f_kern); filter(f_notice); destination(l_console); };
log { source(s_local); filter(f_auth); filter(f_notice); destination(l_console); };
log { source(s_local); filter(f_authinfo); filter(f_notice); destination(l_authlog); };
log { source(s_local); filter(f_notice); filter(f_auth_not); destination(l_messages); };
log { source(s_local); filter(f_mail); destination(l_maillog); };

# ---- Log statements, remote sources.
# Selected hosts: also keep info-level messages (except CROND) for them.
# The host() match is made on the hostname in the message, so over s_udp it
# is only as reliable as the network path to this listener.
filter r_host_hsm { host('my-host-web.*'); };
log {
    source(s_udp);
    filter(f_info_e);
    filter(r_host_hsm);
    filter(f_crond_not);
    destination(r_messages);
};

# Standard hosts: notice and above from every source, local included.
# Only r_messages is used by the log statements shown here; the other r_*
# destinations are defined but not referenced.
log {
    source(s_local);
    source(s_stunnel);
    source(s_udp);
    filter(f_notice);
    destination(r_messages);
};
 * 1) for "remote files"
 * 1) Log statements
 * 2) Local sources
 * 3) log { source (s_local); filter (f_emerg); filter (f_user_none); destination (l_console); };
 * 1) Remote sources
 * 1) some specific host  - We want info level for these hosts too
 * 1) Standard hosts