syslog-ng configuration file for server

Okay, so you have installed syslog-ng and integrated it into SMF.

The two example configuration files for Solaris that come with the installation:

/usr/local/doc/syslogng/contrib/syslog-ng.conf.SunOS
/usr/local/doc/syslogng/doc/examples/syslog-ng.conf.solaris

do not give you much information, so you'll have to read 'The syslog-ng 3.0 Administrator Guide' - I was reading the Fourth Edition (you'll find it online).

I was testing syslog-ng with the conf file you can see below; feel free to use it and play around. I tried to put useful comments there. And yes, this is just one of many ideas of how, what and where to log; there can be tons and tons of different ones, and you can find many useful examples on other sites. Have fun.

The syslog-ng.conf file is placed in the directory /usr/local/etc.


@version:3.0
# before activating the config file, check its syntax using "syslog-ng -s" or "syslog-ng --syntax-only"
#
# Syslog-ng example configuration file for Solaris
# Copyright (c) 1999 Balazs Scheidler
# $Id: syslog-ng.conf.solaris,v 1.2 1999/11/15 12:30:41 bazsi Exp $
# Solaris 2.5.1 and below uses the STREAMS driver, above extends it
# with doors. For 2.5.1 remove the door() option from the source declaration.
# =========================================================
# Best practices from syslog-ng 3 admin guide
# ==========================================================
# Do not base the separation of log messages into different files on the facility parameter.
# As several applications and processes can use the same facility, the facility does not identify the application that sent the message.
# By default, the facility parameter is not even included in the log message itself.
# In general, sorting the log messages into several different files can make finding specific log messages difficult.
# If you must create separate log files, use the application name.

# Standard log messages include the local time of the sending host, without any time zone information.
# It is recommended to replace this timestamp with an ISODATE timestamp, because the ISODATE
# format includes the year and timezone as well. To convert all timestamps to the ISODATE format, include
# the following line in the syslog-ng configuration file: "ts_format(iso)"

# Resolving the IP addresses of the clients to domain names can decrease the performance of syslog-ng.
# So resolve hostnames locally and don't rely on DNS. Use "use_dns(persist_only)" and "dns_cache_hosts(/etc/hosts)"

# Handling many parallel connections
# syslog-ng processes messages as soon as they are received. To reduce CPU usage, tell syslog-ng
# to wait a short time before processing messages. Time is in milliseconds.
# use "time_sleep()" - don't go above 100 ms, as this will distort timestamps
# With this option also set the max number of messages fetched from a source during a single poll loop (one connection): log_fetch_limit()
# and set number of lines in destinations' output buffer (output fifo): log_fifo_size()

####################################################################################
# For now all clients are using syslogd and their /etc/syslog.conf file looks like
#
# {testors}/etc> cat /etc/syslog.conf
# *.emerg                                 *
# *.alert                                 root
# *.err;kern.notice;auth.notice           /dev/sysmsg
# *.info                                  @gek
# *.info;kern.debug;auth.notice;mail.crit /var/log/syslog
# mail.info                               /var/log/maillog
# auth.info                               /var/log/authlog
#
# note: testors = client ; gek = syslog-ng server
###################################################################################


###########################################################################
# first, set up some global options
#########################################################################

options {
        # convert all timestamps to ISODATE format - so you get year/timezone
        # if template is used with $ISODATE macro, this is not needed to be here
        ts_format(iso);

        # do not keep the timestamp sent by the client; use the time of reception instead
        keep_timestamp(no);

        # handling many parallel connections
        time_sleep(20);
        log_fetch_limit(100);
        log_fifo_size(1024);

        # Resolve hostnames locally - persist_only looks names up only in the hosts file below, never via DNS
        use_dns(persist_only);
        dns_cache_hosts(/etc/hosts);

        # If your hostnames contain a dot - say relay.london, relay.paris - then use the FQDN, otherwise you lose the city :)
        use_fqdn(yes);

        # enable directory creation for destination files
        create_dirs(yes);

        # default permission for newly created directory
        dir_perm(0770);

        # keep the hostname as sent by the client instead of replacing it with the
        # address the message arrived from; needed for the hostname-related macros
        keep_hostname(yes);

        # If a message traverses several hosts, record the whole chain of hostnames in $HOST (host1/host2)
        chain_hostnames(yes);

        # permission mask of file if created by syslog-ng
        perm(0770);
        };

##########################################################################################
# Define a source only once. The same source can be used in several log paths.
# Duplicating sources causes syslog-ng to open the source (TCP/IP port, file, etc.)
# more than once, which might cause problems. For example, include the /dev/log file source
# only in one source statement, and use this statement in more than one log path if needed.
#########################################################################################

####################################################################################
# source is where syslog-ng receives log messages, "input" is name for this source
###################################################################################

source s_input {
        # messages generated internally by syslog-ng
        internal();

        # default for Solaris
        sun-streams("/dev/log" door("/etc/.syslog_door"));

        # messages arriving on the default UDP syslog port (514) on any interface
        udp(ip("0.0.0.0"));

        # messages arriving on the default TCP port (514) on any interface;
        # keep-alive(yes) keeps existing client connections open across a SIGHUP (reload)
        tcp(ip("0.0.0.0") keep-alive(yes));
        };

#####################################################################
# destination is where log message is sent if filtering rules match
####################################################################

##############################################
## Destination for Program
##############################################

# Destination for program
#
# template_escape() explanation
# Template escaping is useful when the messages are passed to an application that cannot
# handle unescaped characters properly. Enabling it causes syslog-ng
# to escape the ' and " characters in the messages.

destination d_logfile_program {
        file
        (
        "/var/log/syslog-ng/services/$PROGRAM.log"
        template("$ISODATE $HOST $PROGRAM <$FACILITY.$PRIORITY> $MSG\n")
        template_escape(yes)
        );
        };

#####################################
## Destination for Host - syslog
####################################

# Destination for Host - syslog
destination d_logfile_host.syslog {
        file
        (
        "/var/log/syslog-ng/hosts/$HOST.syslog"
        template("$ISODATE $HOST $PROGRAM <$FACILITY.$PRIORITY> $MSG\n")
        template_escape(yes)
        );
        };

######################################
## Destination for Host - maillog
######################################

# Destination for Host - maillog
destination d_logfile_host.maillog {
        file
        (
        "/var/log/syslog-ng/hosts/$HOST.maillog"
        template("$ISODATE $HOST $PROGRAM <$FACILITY.$PRIORITY> $MSG\n")
        template_escape(yes)
        );
        };

########################################
# Destination for fallback
#######################################

destination d_logfile_fallback {
        file
        (
        "/var/log/syslog-ng/fallback.log"
        template("$ISODATE $HOST $PROGRAM <$FACILITY.$PRIORITY> $MSG\n")
        template_escape(yes)
        );
        };


###########################################################################
# filters perform log routing: if a log statement has filters,
# messages are sent to the destination only if they pass all filters of the log path
############################################################################

##########################################
# Severity Levels
#########################################
#
# 0 - Emergency: system is unusable
# 1 - Alert: action must be taken immediately
# 2 - Critical: critical conditions
# 3 - Error: error conditions
# 4 - Warning: warning conditions
# 5 - Notice: normal but significant condition
# 6 - Informational: informational message
# 7 - Debug: debug-level message
#
####################################
# Level Filters
#######################################

#filter f_emerg   { level (emerg); };
#filter f_alert   { level (alert .. emerg); };
#filter f_crit    { level (crit .. emerg); };
#filter f_err     { level (err .. emerg); };
#filter f_warning { level (warning .. emerg); };
#filter f_notice  { level (notice .. emerg); };
filter f_info    { level (info .. emerg); };
#filter f_debug   { level (debug .. emerg); };

###############################
#
# see file /usr/include/sys/syslog.h
#
# 0 - kernel messages
# 1 - random user-level messages
# 2 - mail system
# 3 - system daemons
# 4 - security/authorization messages
# 5 - messages generated internally by syslogd
# 6 - line printer subsystem
# 7 - network news subsystem
# 8 - UUCP subsystem
# 13 - audit subsystem
# 15 - cron/at subsystem
# 16-23 - locally used facilities (local0-local7)
#
###############################
# Facility Filters
################################

#filter f_kern   { facility (0); };
#filter f_user   { facility (1); };
filter f_mail   { facility (2); };
#filter f_daemon { facility (3); };
#filter f_auth   { facility (4); };
#filter f_syslog { facility (5); };
#filter f_lpr    { facility (6); };
#filter f_news   { facility (7); };
#filter f_uucp   { facility (8); };
#filter f_audit  { facility (13); };
#filter f_cron   { facility (15); };
#filter f_local0 { facility (16); };
#filter f_local1 { facility (17); };
#filter f_local2 { facility (18); };
#filter f_local3 { facility (19); };
#filter f_local4 { facility (20); };
#filter f_local5 { facility (21); };
#filter f_local6 { facility (22); };
#filter f_local7 { facility (23); };

###########################
# match() function for filter
#
# match regular expression to headers/message
# example: filter f_example { program("named") and match("refuse query from *"); };
############################

#####################################
## Program Filters
## Match messages by using a regular expression against the program name field of log message
###################################

filter f_proftpd { program ("proftpd"); };
filter f_named { program ("named"); };
filter f_sshd { program ("sshd"); };
filter f_nagios { program ("nagios"); };

#############################
# Host Filters
############################

filter f_unixlab-1 { host("unixlab-1"); };
filter f_monitor.dc { host("monitor.dc"); };
filter f_testors { host("testors"); };
filter f_counterstrike2 { host("counterstrike2"); };

# We can also have a filter for more than one host if they run a specific service/program we look for

filter f_hostgroup {
                        host ("unixlab-1")
                        or
                        host ("testors");
                        };

#################################################
# Filter for facility mail and levels info-emerg

filter f_mail_info {
                        filter (f_mail)
                        and
                        filter (f_info);
                        };
################################################

##############################################################
# Filter for levels info-emerg and everything except mail and
# the programs we filter separately

filter f_syslog_info {
                        not filter (f_mail)
                        and not
                        (
                        filter (f_proftpd) or
                        filter (f_named) or
                        filter (f_sshd) or
                        filter (f_nagios)
                        )
                        and
                        filter (f_info);
                        };
##############################################################


#############################################################
# log paths determine what happens with incoming log messages
#
# log {
#   source(s1);
#   filter(f1);
#   destination(d1);
#   flags(flag1);
#    };
############################################################

# Log for $HOST - everything except mail and the programs we log separately
log { source (s_input); filter (f_syslog_info); destination (d_logfile_host.syslog); };

# Log for $HOST - only mail service
log { source (s_input); filter (f_mail_info); destination (d_logfile_host.maillog); };

# Log for program - proftpd (for all hosts)
log { source (s_input); filter (f_proftpd); destination (d_logfile_program); };

# Log for program - named (for all hosts)
log { source (s_input); filter (f_named); destination (d_logfile_program); };

# Log for program - ssh (for all hosts)
log { source (s_input); filter (f_sshd); destination (d_logfile_program); };

# Log for program - nagios (for all hosts)
log { source (s_input); filter (f_nagios); destination (d_logfile_program); };

# Log for messages not matched by any of the previous log paths
log { source(s_input); destination(d_logfile_fallback); flags(fallback); };
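As an added example (not part of this page or of syslog-ng itself), the Python dry run below models the filters and log paths of the configuration above, so you can see which file(s) a message lands in before reloading the daemon; the hosts and programs in the sample messages are constructed values.

```python
# Added example (not part of the page or of syslog-ng): a plain-Python dry run
# of the filters and log paths in the syslog-ng.conf above. Facility and level
# numbers follow the tables in the config comments; sample messages are constructed.

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "cron": 15, "local0": 16}
# programs that have their own filter and log path in the config
SEPARATE_PROGRAMS = {"proftpd", "named", "sshd", "nagios"}


def f_info(msg):
    # level(info .. emerg): everything at least as important as info, i.e. not debug
    return LEVELS.index(msg["level"]) <= LEVELS.index("info")


def f_mail(msg):
    return FACILITIES[msg["facility"]] == 2          # facility(2)


def f_program(msg):
    return msg["program"] in SEPARATE_PROGRAMS       # f_proftpd or f_named or ...


def f_mail_info(msg):
    return f_mail(msg) and f_info(msg)


def f_syslog_info(msg):
    return (not f_mail(msg)) and (not f_program(msg)) and f_info(msg)


def route(msg):
    """Return the destination files the config writes this message to, in log-path order."""
    dests = []
    if f_syslog_info(msg):
        dests.append("/var/log/syslog-ng/hosts/%s.syslog" % msg["host"])
    if f_mail_info(msg):
        dests.append("/var/log/syslog-ng/hosts/%s.maillog" % msg["host"])
    if f_program(msg):                                # program log paths have no level filter
        dests.append("/var/log/syslog-ng/services/%s.log" % msg["program"])
    if not dests:                                     # flags(fallback): nothing above matched
        dests.append("/var/log/syslog-ng/fallback.log")
    return dests


if __name__ == "__main__":
    samples = [  # constructed messages: host, program, facility, level
        dict(host="testors", program="sshd", facility="auth", level="info"),
        dict(host="testors", program="sendmail", facility="mail", level="info"),
        dict(host="unixlab-1", program="proftpd", facility="mail", level="notice"),
        dict(host="unixlab-1", program="cron", facility="cron", level="debug"),
    ]
    for m in samples:
        print("%(host)s %(program)s %(facility)s.%(level)s ->" % m, ", ".join(route(m)))
```

Two things the dry run makes visible: a mail-facility message from proftpd is written twice (to the host's maillog and to services/proftpd.log, because f_mail_info does not exclude the separately logged programs), and debug messages from those programs are still captured while all other debug traffic ends up in fallback.log.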