Syslog-ng configuration and rotation script

Syslog-ng configuration and rotation script

I’m a big fan of syslog-ng. All my devices which allow the usage of syslog send information to my syslog-ng server.

The server configuration below will send all information to specific day dirs for each device.

options { 
        use_fqdn(yes); 
        keep_hostname(yes); 
        use_dns(yes); 
        long_hostnames(off); 
        sync(0); 
        log_fifo_size(300); 
        create_dirs (yes);
        perm (0640);
        dir_perm (0750);
};

# Configure on which IP and port(s) we will listen
source s_net { 
        tcp(ip("<SERVERIP>") port(51400)); 
        udp(ip("<SERVERIP>") port(514));
        tcp(max-connections(500));
};

# This is the default behavior of sysklogd package
# Logs come from the unix stream.
source src { 
        unix-stream("/dev/log"); 
        internal(); 
};
 
# Log destinations.
 
# First some standard logfile
destination lpr { 
        file("/var/log/lpr.log");
};

destination mail { 
        file("/var/log/mail.log"); 
};
 
# Some `catch-all' logfiles.
destination messages { 
        file("/var/log/messages"); 
};
 
# Filter options. With this rules, we can set which message go where. 
filter f_lpr { 
        facility(lpr); 
};

filter f_mail {
        facility(mail); 
};

filter f_messages { 
        level(info..emerg) and not facility(mail,lpr); 
};
 
# The logging part
log { 
        source(src); 
        filter(f_lpr); 
        destination(lpr); 
};

log { 
        source(src); 
        filter(f_mail); 
        destination(mail); 
};

log { 
        source(src); 
        filter(f_messages); 
        destination(messages); 
};

# Automatic host sorting
destination hosts { 
        file("/var/log/syslog-ng/$HOST/$YEAR.$MONTH.$DAY/$FACILITY" owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); 
};

# All information send to the server
log { 
        source(s_net); 
        destination(hosts); 
};

The client configuration will send all information to the syslog-ng server but we will also keep the messages and authentication log stored on the local machine.

options { 
        use_fqdn(no); 
        keep_hostname(yes); 
        use_dns(no); 
        long_hostnames(off); 
        sync(0); 
        log_fifo_size(300); 
};

# Logs come from the unix stream.
source src { 
        unix-stream("/dev/log"); 
        internal(); 
        file("/proc/kmsg" log_prefix("kernel: "));
};
 
# Some `catch-all' logfiles.
destination messages { 
        file("/var/log/messages"); 
};

destination authlog { 
        file("/var/log/auth.log"); 
};
 
# Where to send the information
destination logserver {
        tcp("<SERVERIP>" port(514));
};

# Filters
filter f_authpriv { 
        facility(auth, authpriv); 
};

# auth.log file
log { 
        source(src); 
        filter(f_authpriv); 
        destination(authlog); 
};

# Send everything to syslog-ng server
log { 
        source(src); 
        destination(logserver); 
};

After a few months (maybe weeks – depending on the number of devices u have) this will take up quite some space and therefor the following script can be useful. It will create a tar.gz on everything older than 1 week and remove the directory.

#!/bin/bash
for i in `ls /var/log/syslog-ng`; do
        cd /var/log/syslog-ng/$i;
        for j in `ls | egrep -v ".tar.gz"`; do
                dir01=`find . -name $j -mtime +7`
                if [ ! $dir01 = "" ]
                then
                        echo "$j is more than a week old - creating archive."
                        tar cvfz /var/log/syslog-ng/$i/$j.tar.gz /var/log/syslog-ng/$i/$j
                        rm -rf /var/log/syslog-ng/$i/$j
                else
                        echo "$j is not more than a week old - skipping."
                fi
        done;
done;

Just add this to a crontab every night and you’re good to go 🙂 !

Good luck and enjoy!

Comments are closed.