I moved my Solaris machines from syslogd to syslog-ng, because the Solaris version of syslogd strips the original source hostname from the logs. I have been going through the syslog-ng.conf documentation, but I am not sure I fully understand all of it. We have a relatively simple syslog.conf, and I was hoping a syslog-ng expert could tell me how to convert it into a working syslog-ng.conf?
#ident	"@(#)syslog.conf	1.5	98/12/14 SMI"	/* SunOS 5.0 */
#
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.
# All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.notice;auth.notice			/dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
#*.alert;kern.err;daemon.err			operator
#*.alert					root
*.emerg						*
local7.debug					/var/log/ncolog
audit.debug					/var/log/ncolog
local7.debug					@nimitz
audit.debug					@nimitz

# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice			ifdef(`LOGHOST', /var/log/authlog, @loghost)

mail.debug			ifdef(`LOGHOST', /var/log/syslog, @loghost)

#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err					/dev/sysmsg
user.err					/var/adm/messages
#user.alert					`root, operator'
user.emerg					*
)
syslog-ng is quite straightforward (if verbose) once you understand the structure of its configuration file. For a simple installation like yours, all you need to know for now is that you have to configure sources, filters and destinations. I don't know which version of syslog-ng you are running, but here is a version for 3.0.x (it also works with newer releases):
@version 3.0

# syslog source
source s_sys { sun-streams ("/dev/log" door("/var/run/syslog_door")); };
# use this instead if you receive logs from network:
# source s_sys { udp ();
#                sun-streams ("/dev/log" door("/var/run/syslog_door")); };

# destinations
destination d_sysmsg   { file ("/dev/sysmsg"); };
destination d_messages { file ("/var/adm/messages"); };
destination d_ncolog   { file ("/var/log/ncolog"); };
destination d_nimitz   { udp ("nimitz"); };
destination d_auth     { file ("/var/log/authlog"); };
destination d_syslog   { file ("/var/log/syslog"); };
destination d_users    { usertty ("*"); };

# filters
filter f_emerg    { priority (emerg); };
filter f_sysmsg   { priority (err..emerg) or (facility (kern) or facility (auth)) and priority (notice..emerg); };
filter f_messages { priority (err..emerg) or facility (kern) or facility (daemon) and priority (notice..emerg) or facility (mail) and priority (crit..emerg); };
filter f_local7   { facility (local7); };
filter f_audit    { facility (13); };   # Solaris "audit" facility, given by its numeric code
filter f_mail     { facility (mail); };

# log paths
log { source (s_sys); filter (f_emerg);    destination (d_users); };
log { source (s_sys); filter (f_sysmsg);   destination (d_sysmsg); };
log { source (s_sys); filter (f_messages); destination (d_messages); };
log { source (s_sys); filter (f_local7);   destination (d_ncolog); destination (d_nimitz); };
log { source (s_sys); filter (f_audit);    destination (d_ncolog); destination (d_nimitz); };
log { source (s_sys); filter (f_mail);     destination (d_syslog); };
I think I have covered everything but the "ifdef" pieces. If your host does not keep its logs locally, i.e. it is not the LOGHOST, you have to add another destination
destination d_loghost { udp ("loghost"); };
and change the log path for mail to
log { source (s_sys); filter (f_mail); destination (d_loghost); };
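The translation the answer performs by hand (one syslog.conf selector becomes a syslog-ng filter, one action becomes a destination, the pair becomes a log path) follows a small set of rules, and the rules are easy to get wrong for compound selectors such as `*.err;kern.debug;daemon.notice;mail.crit`. The following script is an added example, not code from the question or the answer, that applies those rules mechanically. It assumes the same source name `s_sys` used in the answer, writes the Solaris `audit` facility as the numeric code 13 as the answer does, and deliberately refuses to translate the m4 `ifdef(...)` lines, since which branch applies depends on whether the host is the LOGHOST. The sample syslog.conf fragment in the block is constructed for the demonstration.

```python
"""Translate classic syslog.conf selector/action lines into syslog-ng 3.x
filter, destination and log statements (added example, not from the thread)."""

# syslog.conf priorities, least to most severe. "fac.pri" selects pri and
# everything more severe, which syslog-ng writes as priority(pri..emerg).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Facilities syslog-ng does not know by name. Solaris "audit" is code 13,
# which the answer above spells facility(13).
NUMERIC_FACILITIES = {"audit": 13}


def facility_expr(names):
    """['kern'] -> facility(kern); ['kern','daemon'] -> (facility(kern) or facility(daemon))."""
    exprs = [f"facility({NUMERIC_FACILITIES.get(n, n)})" for n in names]
    return exprs[0] if len(exprs) == 1 else "(" + " or ".join(exprs) + ")"


def part_to_clause(part):
    """One 'fac[,fac].pri' element. Returns (clause, []) for an include or
    (None, facilities) for a 'fac.none' exclusion."""
    fac, _, pri = part.strip().partition(".")
    facs = [f for f in fac.split(",") if f]
    if not facs or not pri:
        raise ValueError(f"malformed selector part {part!r}")
    if pri == "none":
        return None, facs
    level = pri.lstrip("=")
    if level not in PRIORITIES and level != "*":
        raise ValueError(f"unknown priority {pri!r} in {part!r}")
    if pri.startswith("="):
        pri_expr = f"priority({level})"        # Linux extension: exactly this level
    elif level in ("*", "debug"):
        pri_expr = None                         # debug..emerg is every priority
    elif level == "emerg":
        pri_expr = "priority(emerg)"
    else:
        pri_expr = f"priority({level}..emerg)"
    if facs == ["*"]:                           # any facility: priority alone decides
        return pri_expr or "priority(debug..emerg)", []
    fac_expr = facility_expr(facs)
    if pri_expr is None:
        return fac_expr, []
    return f"({fac_expr} and {pri_expr})", []   # parenthesised so 'or' chains stay unambiguous


def selector_to_filter(selector):
    """Whole selector field, e.g. '*.err;kern.notice;auth.notice'."""
    includes, excludes = [], []
    for part in selector.split(";"):
        clause, none_facs = part_to_clause(part)
        if clause is None:
            excludes.extend(none_facs)
        else:
            includes.append(clause)
    if not includes:
        raise ValueError(f"selector {selector!r} selects nothing")
    expr = " or ".join(includes)
    if excludes:
        expr = f"({expr}) and not {facility_expr(excludes)}"
    return expr


def action_to_drivers(action):
    """syslog.conf action field -> list of syslog-ng destination drivers."""
    action = action.strip().strip("`'")         # m4 quoting around user lists
    if action.startswith("@"):
        return [f'udp("{action[1:]}")']         # forward to a remote loghost
    if action.startswith("/"):
        return [f'file("{action}")']            # local file or device
    if action == "*":
        return ['usertty("*")']                 # write to every logged-in user
    return [f'usertty("{u.strip()}")' for u in action.split(",") if u.strip()]


def convert_conf(text, source="s_sys"):
    """Emit syslog-ng statements for each rule line. Destinations are shared
    between rules with the same action. m4 ifdef() regions are not translated;
    they are echoed as TODO comments because the branch depends on the host role."""
    out, dests, in_m4, n = [], {}, False, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "ifdef(" in line:
            out.append(f"# TODO resolve m4 by hand: {line}")
            in_m4 = not line.endswith(")")
            continue
        if in_m4:
            if line == ")":
                in_m4 = False
            else:
                out.append(f"# TODO (inside ifdef): {line}")
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            out.append(f"# TODO cannot parse: {line}")
            continue
        selector, action = fields
        if action not in dests:
            dests[action] = f"d_{len(dests) + 1}"
            out.append(f"destination {dests[action]} {{ {'; '.join(action_to_drivers(action))}; }};")
        n += 1
        out.append(f"filter f_{n} {{ {selector_to_filter(selector)}; }};")
        out.append(f"log {{ source({source}); filter(f_{n}); destination({dests[action]}); }};")
    return "\n".join(out)


# Constructed sample in the style of the Solaris file quoted in the question.
SAMPLE_SYSLOG_CONF = """\
*.err;kern.notice;auth.notice\t/dev/sysmsg
local7.debug\t/var/log/ncolog
local7.debug\t@nimitz
*.emerg\t*
"""

if __name__ == "__main__":
    print(convert_conf(SAMPLE_SYSLOG_CONF))
```

Running the script prints the filter, destination and log statements for the constructed fragment; `selector_to_filter("*.err;kern.debug;daemon.notice;mail.crit")` reproduces the answer's `f_messages` logic with explicit parentheses around each facility/priority pair.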