Syslog-ng configuration and rotation script
I’m a big fan of syslog-ng. All my devices that support syslog send their messages to my syslog-ng server.
The server configuration below writes every message received over the network into a directory per sending device and day, with one file per facility, while local messages still go to the usual /var/log files. Two things to keep in mind: with keep_hostname(yes) the $HOST part of the path is whatever hostname the client put into the message, and over UDP that is trivially forged, so do not treat the directory name as proof of who sent a line. use_dns(yes) also means the server resolves sender addresses; a slow or broken resolver slows the network source down. Check the file with `syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf` before restarting the daemon.
```
options {
    use_fqdn(yes);
    keep_hostname(yes);    # keep the hostname from the message; it becomes $HOST below
    use_dns(yes);
    long_hostnames(off);
    sync(0);
    log_fifo_size(300);
    create_dirs(yes);
    perm(0640);
    dir_perm(0750);
};

# Configure on which IP and port(s) we will listen
source s_net {
    tcp(ip("<SERVERIP>") port(51400));
    udp(ip("<SERVERIP>") port(514));
    # TCP 514 is the port the client configuration below sends to;
    # bound to the server address like the other listeners
    tcp(ip("<SERVERIP>") port(514) max-connections(500));
};

# This is the default behavior of the sysklogd package:
# local logs come from the unix stream.
source src {
    unix-stream("/dev/log");
    internal();
};

# Log destinations.
# First some standard logfiles
destination lpr { file("/var/log/lpr.log"); };
destination mail { file("/var/log/mail.log"); };
# Some `catch-all' logfiles.
destination messages { file("/var/log/messages"); };

# Filter options. With these rules we decide which message goes where.
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_messages { level(info..emerg) and not facility(mail,lpr); };

# The logging part
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_messages); destination(messages); };

# Automatic host sorting: one directory per sending host and day,
# one file per facility, readable by root only
destination hosts {
    file("/var/log/syslog-ng/$HOST/$YEAR.$MONTH.$DAY/$FACILITY"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

# Everything received from the network goes into the per-host tree
log { source(s_net); destination(hosts); };
```
The client configuration sends everything to the syslog-ng server over TCP, and additionally keeps the messages and authentication logs on the local machine. Note that this is plain TCP: the messages cross the network unencrypted and unauthenticated, so run it on a network you trust. If the server is unreachable, the client only buffers log_fifo_size(300) messages for that destination and drops the rest, which is one more reason to keep the local copies.
```
options {
    use_fqdn(no);
    keep_hostname(yes);
    use_dns(no);
    long_hostnames(off);
    sync(0);
    log_fifo_size(300);    # messages buffered per destination while the server is unreachable
};

# Logs come from the unix stream, plus the kernel ring buffer
source src {
    unix-stream("/dev/log");
    internal();
    file("/proc/kmsg" log_prefix("kernel: "));
};

# Some `catch-all' logfiles kept on the local machine
destination messages { file("/var/log/messages"); };
destination authlog { file("/var/log/auth.log"); };

# Where to send the information: plain (unencrypted) TCP to the server
destination logserver { tcp("<SERVERIP>" port(514)); };

# Filters
filter f_authpriv { facility(auth, authpriv); };

# auth.log file
log { source(src); filter(f_authpriv); destination(authlog); };

# local messages file
log { source(src); destination(messages); };

# Send everything to the syslog-ng server
log { source(src); destination(logserver); };
```
After a few months (maybe weeks, depending on the number of devices you have) this takes up quite some space, so the following script is useful. It creates a tar.gz of every per-device day directory that has not been modified for more than a week and then removes the directory. The archive is only removed after tar has succeeded, and it is written with a restrictive umask so that it stays as private as the 0600 log files it contains.
```bash
#!/bin/bash
# Archive every per-device day directory older than a week and remove it.
# Layout (from the server config): /var/log/syslog-ng/<host>/<YYYY.MM.DD>/<facility>
umask 077                                  # archives stay as private as the logs
cd /var/log/syslog-ng || exit 1
for i in */; do                            # one directory per sending host
    i=${i%/}
    for j in "$i"/*/; do                   # only directories, so existing .tar.gz files are skipped
        j=$(basename "$j")
        [ -d "$i/$j" ] || continue
        # -maxdepth 1 keeps find from matching files deeper in the tree;
        # -mtime +7 means not modified in the last seven days
        dir01=$(find "$i" -mindepth 1 -maxdepth 1 -type d -name "$j" -mtime +7)
        if [ -n "$dir01" ]; then
            echo "$i/$j is more than a week old - creating archive."
            # -C keeps the paths inside the archive relative; remove only if tar succeeded
            tar czf "$i/$j.tar.gz" -C "$i" "$j" && rm -rf "$i/$j"
        else
            echo "$i/$j is not more than a week old - skipping."
        fi
    done
done
```
Just add this to root's crontab to run every night (the day directories are created 0700 and owned by root, so the job needs root) and you’re good to go 🙂 !
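The script above decides age from the directory mtime, which a single late-arriving message or a half-finished previous run pushes forward, and it removes the directory as soon as tar exits cleanly. The variant below is an added example, not part of the original post: it goes a step further and takes the age from the YEAR.MONTH.DAY in the directory name (the format the server config writes), refuses to overwrite an existing archive, and reads the archive back before deleting anything. The function names (`rotate_day_dirs`, `cutoff_day`, `day_is_older`, `make_fixture`), the host name `fw1.example.net` and the sample log lines are all made up for this example, and GNU `date -d` and GNU tar are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): rotate per-device day
# directories, deciding age from the YYYY.MM.DD directory name rather
# than the directory mtime, and deleting a directory only once its
# archive has been written and read back successfully.
# Assumptions: layout BASEDIR/<host>/<YYYY.MM.DD>/<facility> as produced
# by the server config above; GNU date (-d) and GNU tar.

# YYYY.MM.DD for "today minus $1 days", in the server's directory format.
cutoff_day() {
    date -u -d "$1 days ago" +%Y.%m.%d
}

# True if day-dir name $1 sorts strictly before cutoff $2. The zero-padded
# format compares correctly as a plain number once the dots are removed.
day_is_older() {
    [ "$(echo "$1" | tr -d .)" -lt "$(echo "$2" | tr -d .)" ]
}

# rotate_day_dirs BASEDIR DAYS: archive and remove every day directory
# older than DAYS days; prints the number of directories archived.
rotate_day_dirs() {
    base=$1
    cutoff=$(cutoff_day "$2")
    umask 077                          # archives inherit the 0600 of the logs
    archived=0
    for hostdir in "$base"/*/; do
        [ -d "$hostdir" ] || continue
        for daydir in "$hostdir"*/; do
            [ -d "$daydir" ] || continue
            day=$(basename "$daydir")
            case $day in
                [0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]) ;;
                *) continue ;;         # not a day directory: leave it alone
            esac
            day_is_older "$day" "$cutoff" || continue
            archive="$hostdir$day.tar.gz"
            if [ -e "$archive" ]; then
                continue               # never overwrite an earlier archive
            fi
            # -C keeps paths inside the archive relative; tar -t re-reads
            # the archive before anything is removed
            if tar czf "$archive" -C "$hostdir" "$day" && tar tzf "$archive" >/dev/null; then
                rm -rf "$daydir"
                archived=$((archived + 1))
            else
                rm -f "$archive"       # keep the directory so the next run retries
            fi
        done
    done
    echo "$archived"
}

# Constructed fixture (not real logs) for trying the function: one host
# with a ten-day-old day, today's day and a stray file that is not a day dir.
make_fixture() {
    tmp=$(mktemp -d)
    old=$(cutoff_day 10)
    today=$(cutoff_day 0)
    mkdir -p "$tmp/fw1.example.net/$old" "$tmp/fw1.example.net/$today"
    printf 'kernel: constructed sample line\n' > "$tmp/fw1.example.net/$old/kern"
    printf 'constructed sample line\n' > "$tmp/fw1.example.net/$today/auth"
    : > "$tmp/fw1.example.net/notes.txt"
    echo "$tmp"
}

# Usage: rotate.sh BASEDIR [DAYS]   e.g. rotate.sh /var/log/syslog-ng 7
#        rotate.sh --demo           runs against the constructed fixture
# With no arguments it only defines the functions, so it can be sourced.
case ${1:-} in
    --demo)
        fixture=$(make_fixture)
        echo "archived $(rotate_day_dirs "$fixture" 7) directory(ies) under $fixture"
        find "$fixture" | sort
        rm -rf "$fixture" ;;
    "") ;;
    *) rotate_day_dirs "$1" "${2:-7}" ;;
esac
```

Called from root's crontab as `rotate.sh /var/log/syslog-ng 7`, it archives only days whose name is older than the cutoff, so a directory that is still receiving messages from a device with a wrong clock is not touched until its name says it is old enough, and a run that dies between tar and rm leaves either a complete archive or the original directory, never neither.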
Good luck and enjoy!