Настройка syslog-ng в CentOS/RHEL 7

По ряду причин, rsyslog устанавливаемый в CentOS по умолчанию, мне не нравится. Я люблю когда логи упорядочиваются по годам, месяцам, facility, приоритетам. Поэтому первым делом я меняю rsyslog на syslog-ng. Для этого сделаем следующее:

$ yum -y install syslog-ng
$ nano -w /etc/syslog-ng/syslog-ng.conf
@version:3.5
@include "scl.conf"
#----------------------------------------------------------------------------
# /etc/syslog-ng/syslog-ng.conf: configuration file
# $Revision: 0.3-r5 (CentOS Edition by Wakko Warner) $
# $Comment: Any comments please send to wakko@acmelabs.spb.ru $
#----------------------------------------------------------------------------

# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/

# Global Options
options {
	# Enable or disable the chained hostname format
	chain_hostnames (off);
	# The number of lines buffered before written to file
	flush_lines (0);
	log_fifo_size (1000);
	# The default action of syslog-ng is to log a STATS line
	# to the file every 10 minutes.  That's pretty ugly after a while.
	# Change it to every 12 hours so you get a nice daily update of
	# how many messages syslog-ng missed (0).
	stats_freq (43200);
	time_reopen (10);
	# The default action of syslog-ng is to log a MARK line
	# to the file every 20 minutes.  That's seems high for most
	# people so turn it down to once an hour.  Set it to zero
	# if you don't want the functionality at all.
	mark_freq(3600);
	# Enable or disable hostname rewriting
	keep_hostname (yes);
	# Enable or disable directory creation for destination files
	create_dirs (yes);
	# userid/groupid/permission value for files
	owner ("root");
	group ("adm");
	perm (0640);
	# userid/groupid/permission value for directories
	dir_owner ("root");
	dir_group ("adm");
	dir_perm (0750);
	# Enable or disable DNS usage
	use_dns (no);
	# Add Fully Qualified Domain Name instead of short hostname
	use_fqdn (no);
	long_hostnames (off);
};

source s_sys {
    system();
    internal();
    # udp(ip(0.0.0.0) port(514));
};

# Sources of syslog messages (both local and remote messages on the server)
source s_local {
	system();
	internal();
};
source s_tcp { tcp (ip ("127.0.0.1") port (514) max-connections (1) ); };
source s_udp { udp (ip ("0.0.0.0") port (514)); };

# By default messages are logged to tty12...
#destination d_console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination d_console_all { file("/dev/console"); };
#destination d_console_all { file("/dev/null"); };
destination d_console_all { program("/bin/cat >/dev/null"); };

# Destinations
destination d_usertty { usertty("*"); };
destination d_everything {
	file("/var/log/syslog-$HOST/$YEAR-$MONTH/$FACILITY.$PRIORITY.log"
		template("$FULLDATE $MSGHDR$MSG\n")
		template_escape(no)
	);
};

# Filters
filter f_emergency { level(emerg); };
filter f_fetchmail_warnings {
	not(match("fetchmail" value("PROGRAM"))
	and match("Warning: the connection is insecure, continuing anyways." value("MESSAGE")));
};

log {
	source(s_local);
	filter(f_emergency);
	destination(d_usertty);
};
log {
	source(s_local);
	filter(f_fetchmail_warnings);
	destination(d_everything);
};
log {
	source(s_local);
	filter(f_fetchmail_warnings);
	destination(d_console_all);
};

log {
	source(s_tcp);
	destination(d_everything);
};
log {
	source(s_tcp);
	destination(d_console_all);
};

log {
	source(s_udp);
	destination(d_everything);
};
log {
	source(s_udp);
	destination(d_console_all);
};

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:

$ systemctl stop rsyslog.service
$ systemctl start syslog-ng.service
$ systemctl disable rsyslog.service
$ systemctl enable syslog-ng.service
$ yum -y remove rsyslog

Update от 18.12.2015: Не забудьте прочитать эту заметку.

Добавить комментарий