Ok, I can't quite figure out how to make this work. I want to simultaneously log everything for facility local5 in a local file and a remote syslog-ng server. local7 is working fine getting the boot.log log entries transferred over to the syslog-ng server, but not so much with local5. Local logging of local5.* on the client is working fine now.
SERVER: /etc/syslog-ng/syslog-ng.conf (excerpt below)
    options {
        log_fifo_size(8192);
        # garden gnomes shouldn't log (Gnome has a buggy log implementation)
        # needs to be set on client systems, too...
        bad_hostname("gconfd");
        use_time_recvd(no);
        group(logs);
        create_dirs(yes);
        dir_group(logs);
        dir_perm(0750);
        perm(0640);
        chain_hostnames(no);
        keep_hostname(yes);
        stats(3600);
        use_fqdn(yes);
    };

    source syslog {
        unix-stream("/dev/log");
        udp(ip(0.0.0.0) port(514));
        tcp(ip(0.0.0.0) port(5149) max-connections(300));
        internal();
    };

    destination mylogfile.log { file(/var/log/syslog-ng/$HOST/mylogfile.log); };
    destination boot.log { file(/var/log/syslog-ng/$HOST/boot.log); };

    filter f_local7 { facility(local7); };
    filter f_local5 { facility(local5); };

    log { source(syslog); filter(f_local7); destination(boot.log); };
    log { source(syslog); filter(f_local5); destination(mylogfile.log); };
CLIENT /etc/syslog.conf excerpt
    *.*         @syslogngbox
    local7.*    /var/log/boot.log
    local5.*    /var/log/mylogfile.log
UPDATE:
The problem seems to be on the client side, because when I do this:
logger -p local5.info test
the file does show up properly on the syslog-ng host. Anyone have an idea why the other processes that write to local5 on the client are not logging to the remote host?
local5.* /var/log/mylogfile.log
I have also found that there are a small handful of hosts that seem to spit out a line or two of log output once in a while on the server, but have not yet identified a pattern.
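A check that can narrow this down, added here as an example and not part of the original post: the server's f_local5 filter only matches frames whose `<PRI>` decodes to facility 21 (PRI 168 to 175), so decoding the PRI of raw frames captured on the syslog-ng host shows which facility each client message actually carries on the wire. The `sender|frame` input format, the addresses and the `myapp` tag are constructed for illustration.

```python
import re
from collections import Counter

# Facility and severity names in RFC 3164 numeric order (index = code).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(frame):
    """Return (facility, severity) for a raw syslog frame, or None if <PRI> is missing/invalid."""
    m = PRI_RE.match(frame)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid value is local7.debug = 23*8 + 7
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def facility_counts(lines):
    """Count frames per (sender, facility) from 'sender|frame' capture lines (assumed format)."""
    counts = Counter()
    for line in lines:
        sender, _, frame = line.partition("|")
        decoded = decode_pri(frame)
        counts[(sender, decoded[0] if decoded else "invalid")] += 1
    return counts


# Constructed sample frames, as they might be captured on the server's UDP port 514.
SAMPLE = [
    "192.0.2.10|<174>Jan  5 10:00:01 client1 logger: test",              # local5.info
    "192.0.2.10|<190>Jan  5 10:00:02 client1 rc: Starting sshd: succeeded",  # local7.info
    "192.0.2.10|<30>Jan  5 10:00:03 client1 myapp[412]: worker started",  # daemon.info
    "192.0.2.11|<999>not a valid priority",
]

if __name__ == "__main__":
    for (sender, facility), n in sorted(facility_counts(SAMPLE).items()):
        print(f"{sender:<12} {facility:<8} {n}")
```

A sender that never appears with `local5` in this summary is not putting that facility on the wire, which points at the client rather than at the server-side filter.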