    Solaris syslog-ng.conf

    syslog-ng.conf for Solaris[edit]

    Here is a short guide to the settings I use for syslog-ng on Solaris, with extracts from the documentation.

    Global options[edit]

    options { flush_lines (100);
              flush_timeout(1000);
              time_reopen (10);
              log_fifo_size (1000);
              normalize_hostnames(yes);
              use_fqdn (no);
              create_dirs (yes);
              keep_hostname (yes);
              chain_hostnames(no);
              use_dns (yes);
              dns_cache(yes);
              dns_cache_expire(43800);
              check_hostname(yes);
              dir_perm(0755);
              perm(0644);
            };
    Option (accepted values; default) and description:

    flush_lines() (number; default: use global setting)
        Specifies how many lines are flushed to a destination at a time. Syslog-ng waits for this number of lines to accumulate and sends them off in a single batch. Setting this number high increases throughput as fully filled frames are sent to the network, but also increases message latency. The latency can be limited by the use of the flush_timeout option.
    flush_timeout() (time in milliseconds; default: use global setting)
        Specifies the time syslog-ng waits for lines to accumulate in its output buffer. See the flush_lines option for more information.
    time_reopen() (number; default: 60)
        The time to wait in seconds before a dead connection is reestablished.
    log_fifo_size() (number; default: 1000)
        The number of lines fitting into the output queue. Note that it is not possible to set this option lower than 1000.
    normalize_hostnames() (yes or no; default: no)
        Normalize hostnames, which currently translates to converting them to lower case. (requires 1.9.9)
    use_fqdn() (yes or no; default: no)
        Add the Fully Qualified Domain Name instead of the short hostname. This option can be specified globally, and per-source as well. The local setting of the source overrides the global option if available.
    create_dirs() (yes or no; default: no)
        Enable or disable directory creation for destination files.
    dir_perm() (permission value; default: 0700)
        The default permission for newly created directories.
    perm() (permission value; default: 0600)
        The default permission for output files. By default, syslog-ng changes the privileges of accessed files (e.g., /dev/null) to root.root 0600. To disable modifying privileges, use this option with the -1 value.
    keep_hostname() (yes or no; default: no)
        Enable or disable hostname rewriting. Enable this option to use hostname-related macros. This option can be specified globally, and per-source as well. The local setting of the source overrides the global option if available. When relaying messages, enable this option on the syslog-ng server and also on every relay, otherwise syslog-ng will treat incoming messages as if they were sent by the last relay.
    chain_hostnames() (yes or no; default: no)
        Enable or disable the chained hostname format. (Support for relayed syslog servers passing through client hostnames)
    use_dns() (yes, no, persist_only; default: yes)
        Enable or disable DNS usage. The persist_only option attempts to resolve hostnames locally from file (e.g., from /etc/hosts). syslog-ng blocks on DNS queries, so enabling DNS may lead to a Denial of Service attack. To prevent DoS, protect your syslog-ng network endpoint with firewall rules, and make sure that all hosts which may get to syslog-ng are resolvable. This option can be specified globally, and per-source as well. The local setting of the source overrides the global option if available.
    dns_cache() (yes or no; default: yes)
        Enable or disable DNS cache usage.
    dns_cache_expire() (number; default: 3600)
        Number of seconds for which a successful lookup is cached.
    check_hostname() (yes or no; default: no)
        Enable or disable checking whether the hostname contains valid characters.



    Rules[edit]

    The syslog-ng configuration file is built from a set of rules (statements), and every rule is defined in the same simple form:

    rule-type rule-name { rule1 ; rule2 ; rule3 } ;

    Rule names can be whatever you want, but the file is easier to follow if they are named consistently: for example, all my source names start with "s_" and all filter names with "f_". This is your choice.

    Sources[edit]

    Next we define the sources of syslog data. There are two: 's_local', which reads the Solaris syslog door (the /dev/log STREAMS device together with /etc/.syslog_door) and also collects syslog-ng's own internal messages, and 's_udp', which listens on the standard syslog UDP port.

    # Sources of syslog messages (both local and remote messages on the server)
    source s_local   {
                       sun-streams("/dev/log" door("/etc/.syslog_door"));
                       internal();
                     };           
    
    source s_udp     { udp(); };
    
    Source driver and description:

    sun-stream(), sun-streams()
        Opens the specified STREAMS device on Solaris systems and reads incoming messages. Synopsis: sun-streams(name_of_the_streams_device door(filename_of_the_door));
    internal()
        Messages generated internally in syslog-ng.
    udp(), udp6()
        Listens on the specified UDP port for incoming messages using the BSD-syslog protocol over IPv4 and IPv6 networks, respectively. By default it binds to the 0.0.0.0:514 address, which means that syslog-ng will listen on all available interfaces, port 514.


    Filters[edit]

    I have quite a few filters defined; not all of them are used yet, but it does no harm to have them in place in case we want them later.

    There are two types of filter (three, counting the custom ones that combine the other two): 'level' filters and 'facility' filters, which follow the standard syslog level and facility names:

    ##Inclusive ones (a range from the named level up to emerg)
    filter f_emerg   { level (emerg);            };
    filter f_alert   { level (alert .. emerg);   };
    filter f_notice  { level (notice .. emerg);  };
    filter f_debug   { level (debug .. emerg);   };
    ##exclusive ones (a single level only)
    filter f_warning_e { level (warning); };
    filter f_notice_e  { level (notice);  };

    # Facility Filters
    filter f_kern   { facility (kern);   };
    filter f_user   { facility (user);   };
    filter f_daemon { facility (daemon); };
    filter f_auth   { facility (auth);   };
    filter f_auth_not   { not facility (auth);   };
    # Custom Filters (combine existing filters with and / or / not)
    filter f_kern_debug    { filter (f_kern) and filter (f_debug);    };
    filter f_daemon_notice { filter (f_daemon) and filter (f_notice); };
    
    Filter function, synopsis and description:

    facility()   facility(facility[,facility])
        Match messages having one of the listed facility codes.
    facility()   facility(<numeric facility code>)
        An alternate syntax for facility permitting the use of an arbitrary facility code. Facility codes 0-23 are predefined and can be referenced by their usual name. Facility codes above 24 are not defined but can be used by this alternate syntax.
    level() or priority()   level(pri[,pri1..pri2[,pri3]])
        Match messages based on priority.
    filter()   filter(filtername)
        Call another filter rule and evaluate its value.


    The level() filter can select messages corresponding to a single importance level, or a level-range. To select messages of a specific level, use the name of the level as a filter parameter, e.g., use the following to select warning messages:

    level(warning)
    

    To select a range of levels, include the beginning and the ending level in the filter, separated with two dots (..). For example, to select every message of error or higher level, use the following filter:

    level(err..emerg)
    

    Similarly, messages sent by a range of facilities can also be selected. Note that this is only possible when using the names of the facilities; ranges cannot be given with the numerical facility codes.

    facility(local0..local5)
    


    Here is the full syslog-ng.conf I use for our Solaris 10 servers:

    @version: 3.0
    
    # Options
    
    options { flush_lines (100);
              flush_timeout(1000);
              time_reopen (10);
              log_fifo_size (1000);
              normalize_hostnames(yes);
              use_fqdn (no);
              create_dirs (yes);
              keep_hostname (yes);
              chain_hostnames(no);
              use_dns (yes);
              dns_cache(yes);
              dns_cache_expire(43800);
              check_hostname(yes);
              dir_perm(0755);
              perm(0644);
            };
    
    # Sources of syslog messages (both local and remote messages on the server)
    source s_local   {
                       sun-streams("/dev/log" door("/etc/.syslog_door"));
                       internal();
                     };           
    source s_stunnel {
                       tcp(ip("127.0.0.1")
                       port(514)          
                       max-connections(1));
                     };
    
    source s_udp     { udp(); };
    
    
    
    # Level Filters -
    ##Inclusive ones
    filter f_emerg   { level (emerg);            };
    filter f_alert   { level (alert .. emerg);   };
    filter f_crit    { level (crit .. emerg);    };
    filter f_err     { level (err .. emerg);     };
    filter f_warning { level (warning .. emerg); };
    filter f_notice  { level (notice .. emerg);  };
    filter f_info    { level (info .. emerg);    };
    filter f_debug   { level (debug .. emerg);   };
    ##exclusive ones                               
    filter f_emerg_e   { level (emerg);   };       
    filter f_alert_e   { level (alert);   };
    filter f_crit_e    { level (crit);    };
    filter f_err_e     { level (err);     };
    filter f_warning_e { level (warning); };
    filter f_notice_e  { level (notice);  };
    filter f_info_e    { level (info);    };
    filter f_debug_e   { level (debug);   };
                                            
    # Facility Filters                      
    filter f_kern   { facility (kern);   };
    filter f_user   { facility (user);   };
    filter f_mail   { facility (mail);   };
    filter f_daemon { facility (daemon); };
    filter f_auth   { facility (auth);   };
    filter f_auth_not   { not facility (auth);   };
    filter f_syslog { facility (syslog); };        
    filter f_lpr    { facility (lpr);    };        
    filter f_news   { facility (news);   };
    filter f_uucp   { facility (uucp);   };
    filter f_cron   { facility (cron);   };
    filter f_local0 { facility (local0); };
    filter f_local1 { facility (local1); };
    filter f_local2 { facility (local2); };
    filter f_local3 { facility (local3); };
    filter f_local4 { facility (local4); };
    filter f_local5 { facility (local5); };
    filter f_local6 { facility (local6); };
    filter f_local7 { facility (local7); };
                                           
    # Custom Filters                       
    filter f_user_none     { not facility (user);                     };
    filter f_kern_debug    { filter (f_kern) and filter (f_debug);    };
    filter f_daemon_notice { filter (f_daemon) and filter (f_notice); };
    filter f_mail_crit     { filter (f_mail) and filter (f_crit);     };
    filter f_mesg          { filter (f_kern_debug) or                   
                             filter (f_daemon_notice) or                
                             filter (f_mail_crit);                    };
    filter f_authinfo      { filter (f_auth) or program (sudo);       };
    filter f_crond_not     { not program(CROND); };
                                                                    
                                                                        
    # Destinations:
    ##local files, the console, and the client files
    destination l_authlog  { file ("/var/log/authlog");   };
    destination l_messages { file ("/var/adm/messages");  };
    destination l_maillog  { file ("/var/log/maillog");   };
    destination l_ipflog   { file ("/var/log/ipflog");    };
    destination l_imaplog  { file ("/var/log/imaplog");   };
    destination l_syslog   { file ("/var/log/syslog");    };
    destination l_console  { file ("/dev/console");       };
    
    ## for "remote files"
    destination r_authlog  { file ("/var/log/clients/$HOST/authlog");    };
    destination r_messages { file ("/var/log/clients/$HOST/messages");   };
    destination r_maillog  { file ("/var/log/clients/$HOST/maillog");    };
    destination r_ipflog   { file ("/var/log/clients/$HOST/ipflog");     };
    destination r_imaplog  { file ("/var/log/clients/$HOST/imaplog");    };
    destination r_console  { file ("/var/log/clients/$HOST/consolelog"); };
    destination r_syslog   { file ("/var/log/clients/$HOST/syslog");     };
    destination r_fallback { file ("/var/log/clients/$HOST/$FACILITY-$LEVEL"); };
                                                                                 
                                                                                 
    # Log statements
    ## Local sources
    #log { source (s_local); filter (f_emerg); filter (f_user_none); destination (l_console);  };
    log { source (s_local); filter (f_emerg); destination (l_console);  };                       
    log { source (s_local); filter (f_err_e); destination (l_console);  };                       
    log { source (s_local); filter (f_kern); filter (f_notice); destination (l_console);  };
    log { source (s_local); filter (f_auth); filter (f_notice); destination (l_console);  };
    log { source (s_local); filter (f_authinfo); filter (f_notice); destination (l_authlog);  };
    log { source (s_local); filter (f_notice); filter (f_auth_not);  destination (l_messages); };
    log { source (s_local); filter (f_mail);  destination (l_maillog); };                        
                                                                                                 
                                                                         
    ## Remote sources
                     
                     
    ### some specific host  - We want info level for these hosts too
    filter r_host_hsm { host('my-host-web.*'); };
    log { source (s_udp) ;  filter (f_info_e); filter (r_host_hsm); filter (f_crond_not); destination (r_messages); };
                                                                                                 
    ### Standard hosts                                                                           
    log { source (s_local); source (s_stunnel); source (s_udp) ;  filter (f_notice);  destination (r_messages); };
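
The following Python model is an added illustration, not code from this page or from syslog-ng itself. It re-implements just enough of the semantics described above (PRI = facility * 8 + level decoding of a BSD-syslog line, the inclusive level(x..emerg) ranges and facility ranges from the Filters section, AND-chaining of the filters inside one log statement, and the $HOST-based destinations of the full config) to show which files a message arriving on a given source would reach. The regular expression it applies for check_hostname(yes), and its choice to file a message under the sender's address when the host field fails that check, are assumptions of the model rather than documented syslog-ng behaviour; all sample lines are constructed.

```python
import re

# Severity names in syslog numeric order: emerg=0 ... debug=7.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Standard BSD facility codes for the names used in this page's filters.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
FACILITY_NAME = {code: name for name, code in FACILITIES.items()}

# Assumption of this model only: check_hostname(yes) accepts RFC 1123 style
# names, and a message whose host field fails the check is filed under the
# sender's address, so a remote peer cannot steer the $HOST-based file paths.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")

# <PRI>Mmm dd hh:mm:ss HOST PROGRAM[PID]: MESSAGE
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
                     r"([^\s:\[]+)(?:\[\d+\])?: (.*)$")

def parse(line, sender):
    """Split a BSD-syslog line into the fields the filters look at."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD-syslog line: {line!r}")
    pri, _timestamp, host, prog, msg = m.groups()
    pri = int(pri)
    host = host.lower()                      # normalize_hostnames(yes)
    if not HOSTNAME_RE.match(host):          # check_hostname(yes), as modelled
        host = sender
    return {"facility": pri >> 3, "level": pri & 7, "host": host,
            "program": prog, "message": msg}

# Filter building blocks; each returns a predicate over a parsed message.
def level(lo, hi=None):
    """level(lo) or level(lo..hi): inclusive, whichever end is written first."""
    a, b = sorted((LEVELS.index(lo), LEVELS.index(hi or lo)))
    return lambda m: a <= m["level"] <= b

def facility(*names):
    codes = {FACILITIES[n] for n in names}
    return lambda m: m["facility"] in codes

def facility_range(lo, hi):
    """facility(lo..hi): ranges work by name only, as the page notes."""
    a, b = sorted((FACILITIES[lo], FACILITIES[hi]))
    return lambda m: a <= m["facility"] <= b

def program(name):
    return lambda m: m["program"] == name

def host(pattern):
    """host() is a regular-expression match, unanchored like re.search."""
    rx = re.compile(pattern)
    return lambda m: rx.search(m["host"]) is not None

def not_(f):
    return lambda m: not f(m)

def any_of(*fs):
    return lambda m: any(f(m) for f in fs)

# The filters the log statements below depend on, mirroring the page.
FILTERS = {
    "f_emerg": level("emerg"),
    "f_err_e": level("err"),
    "f_notice": level("notice", "emerg"),
    "f_info_e": level("info"),
    "f_mail": facility("mail"),
    "f_auth": facility("auth"),
    "f_auth_not": not_(facility("auth")),
    "f_crond_not": not_(program("CROND")),
    "r_host_hsm": host("my-host-web.*"),
}
FILTERS["f_authinfo"] = any_of(FILTERS["f_auth"], program("sudo"))

# (sources, filters, destination file) for a subset of the page's log statements.
# Filters inside one statement are ANDed; every statement is evaluated, so one
# message can land in several files (the page uses no flags(final)).
LOGS = [
    ({"s_local"}, ["f_emerg"], "/dev/console"),
    ({"s_local"}, ["f_err_e"], "/dev/console"),
    ({"s_local"}, ["f_authinfo", "f_notice"], "/var/log/authlog"),
    ({"s_local"}, ["f_notice", "f_auth_not"], "/var/adm/messages"),
    ({"s_local"}, ["f_mail"], "/var/log/maillog"),
    ({"s_udp"}, ["f_info_e", "r_host_hsm", "f_crond_not"],
     "/var/log/clients/$HOST/messages"),
    ({"s_local", "s_stunnel", "s_udp"}, ["f_notice"],
     "/var/log/clients/$HOST/messages"),
]

def expand(template, m):
    """Expand the $HOST, $FACILITY and $LEVEL macros used in the destinations."""
    return (template.replace("$HOST", m["host"])
            .replace("$FACILITY", FACILITY_NAME.get(m["facility"], str(m["facility"])))
            .replace("$LEVEL", LEVELS[m["level"]]))

def route(line, source, sender):
    """Return the destination files a message arriving on `source` would reach."""
    m = parse(line, sender)
    return [expand(dest, m) for sources, names, dest in LOGS
            if source in sources and all(FILTERS[n](m) for n in names)]

if __name__ == "__main__":
    # Constructed sample traffic; PRI = facility * 8 + level.
    samples = [
        ("<13>Mar  4 10:15:01 web01 sudo[4711]: ops : COMMAND=/usr/bin/id", "s_local", "127.0.0.1"),
        ("<3>Mar  4 10:15:02 web01 unix: [ID 1234 kern.error] bad trap", "s_local", "127.0.0.1"),
        ("<14>Mar  4 10:15:03 my-host-web3 httpd[2201]: GET /index.html 200", "s_udp", "10.1.2.3"),
        ("<14>Mar  4 10:15:04 my-host-web3 CROND[99]: (root) CMD (run-parts)", "s_udp", "10.1.2.3"),
        ("<13>Mar  4 10:15:05 ../../etc web: spoofed host field", "s_udp", "10.9.9.9"),
    ]
    for line, source, sender in samples:
        print(f"{source:9} {line[:44]:44} -> {route(line, source, sender)}")
```

Running it prints where each sample lands. A local sudo line at notice level reaches three files (authlog via f_authinfo, /var/adm/messages because its facility is user, and the per-host file from the "Standard hosts" statement), while a remote info-level line only reaches the per-host file when the host matches r_host_hsm and the program is not CROND. Because keep_hostname(yes) makes $HOST come from the message itself, the hostname check is what stands between a peer-supplied host field and the path built under /var/log/clients.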
    