Configuring syslog-ng in CentOS/RHEL 7

For a number of reasons, rsyslog is installed in the default CentOS, I do not like. I love when the logs are sorted by year, month, facility, priorities. So the first thing I change rsyslog in syslog-ng. To do this, do the following:

$ yum -y install syslog-ng
$ nano -w /etc/syslog-ng/syslog-ng.conf
@version:3.5
@include "scl.conf"
#----------------------------------------------------------------------------
# /etc/syslog-ng/syslog-ng.conf: configuration file
# $Revision: 0.3-r5 (CentOS Edition by Wakko Warner) $
# $Comment: Any comments please send to wakko@acmelabs.spb.ru $
#----------------------------------------------------------------------------

# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/

# Global Options
options {
	# Enable or disable the chained hostname format
	chain_hostnames (off);
	# The number of lines buffered before written to file
	flush_lines (0);
	log_fifo_size (1000);
	# The default action of syslog-ng is to log a STATS line
	# to the file every 10 minutes.  That's pretty ugly after a while.
	# Change it to every 12 hours so you get a nice daily update of
	# how many messages syslog-ng missed (0).
	stats_freq (43200);
	time_reopen (10);
	# The default action of syslog-ng is to log a MARK line
	# to the file every 20 minutes.  That's seems high for most
	# people so turn it down to once an hour.  Set it to zero
	# if you don't want the functionality at all.
	mark_freq(3600);
	# Enable or disable hostname rewriting
	keep_hostname (yes);
	# Enable or disable directory creation for destination files
	create_dirs (yes);
	# userid/groupid/permission value for files
	owner ("root");
	group ("adm");
	perm (0640);
	# userid/groupid/permission value for directories
	dir_owner ("root");
	dir_group ("adm");
	dir_perm (0750);
	# Enable or disable DNS usage
	use_dns (no);
	# Add Fully Qualified Domain Name instead of short hostname
	use_fqdn (no);
	long_hostnames (off);
};

source s_sys {
    system();
    internal();
    # udp(ip(0.0.0.0) port(514));
};

# Sources of syslog messages (both local and remote messages on the server)
source s_local {
	system();
	internal();
};
source s_tcp { tcp (ip ("127.0.0.1") port (514) max-connections (1) ); };
source s_udp { udp (ip ("0.0.0.0") port (514)); };

# By default messages are logged to tty12...
#destination d_console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination d_console_all { file("/dev/console"); };
#destination d_console_all { file("/dev/null"); };
destination d_console_all { program("/bin/cat >/dev/null"); };

# Destinations
destination d_usertty { usertty("*"); };
destination d_everything {
	file("/var/log/syslog-$HOST/$YEAR-$MONTH/$FACILITY.$PRIORITY.log"
		template("$FULLDATE $MSGHDR$MSG\n")
		template_escape(no)
	);
};

# Filters
filter f_emergency { level(emerg); };
filter f_fetchmail_warnings {
	not(match("fetchmail" value("PROGRAM"))
	and match("Warning: the connection is insecure, continuing anyways." value("MESSAGE")));
};

log {
	source(s_local);
	filter(f_emergency);
	destination(d_usertty);
};
log {
	source(s_local);
	filter(f_fetchmail_warnings);
	destination(d_everything);
};
log {
	source(s_local);
	filter(f_fetchmail_warnings);
	destination(d_console_all);
};

log {
	source(s_tcp);
	destination(d_everything);
};
log {
	source(s_tcp);
	destination(d_console_all);
};

log {
	source(s_udp);
	destination(d_everything);
};
log {
	source(s_udp);
	destination(d_console_all);
};

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:

$ systemctl stop rsyslog.service
$ systemctl start syslog-ng.service
$ systemctl disable rsyslog.service
$ systemctl enable syslog-ng.service
$ yum -y remove rsyslog

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

$ yum -y install syslog-ng

$ nano -w /etc/syslog-ng/syslog-ng.conf

@version:3.5

@include "scl.conf"

#----------------------------------------------------------------------------

# /etc/syslog-ng/syslog-ng.conf: configuration file

# $Revision: 0.3-r5 (CentOS Edition by Wakko Warner) $

# $Comment: Any comments please send to wakko@acmelabs.spb.ru $

#----------------------------------------------------------------------------

# Note: it also sources additional configuration files (*.conf)

# located in /etc/syslog-ng/conf.d/

# Global Options

options {

# Enable or disable the chained hostname format

chain_hostnames (off);

# The number of lines buffered before written to file

flush_lines (0);

log_fifo_size (1000);

# The default action of syslog-ng is to log a STATS line

# to the file every 10 minutes. That's pretty ugly after a while.

# Change it to every 12 hours so you get a nice daily update of

# how many messages syslog-ng missed (0).

stats_freq (43200);

time_reopen (10);

# The default action of syslog-ng is to log a MARK line

# to the file every 20 minutes. That's seems high for most

# people so turn it down to once an hour. Set it to zero

# if you don't want the functionality at all.

mark_freq(3600);

# Enable or disable hostname rewriting

keep_hostname (yes);

# Enable or disable directory creation for destination files

create_dirs (yes);

# userid/groupid/permission value for files

owner ("root");

group ("adm");

perm (0640);

# userid/groupid/permission value for directories

dir_owner ("root");

dir_group ("adm");

dir_perm (0750);

# Enable or disable DNS usage

use_dns (no);

# Add Fully Qualified Domain Name instead of short hostname

use_fqdn (no);

long_hostnames (off);

};

source s_sys {

system();

internal();

# udp(ip(0.0.0.0) port(514));

};

# Sources of syslog messages (both local and remote messages on the server)

source s_local {

system();

internal();

};

source s_tcp { tcp (ip ("127.0.0.1") port (514) max-connections (1) ); };

source s_udp { udp (ip ("0.0.0.0") port (514)); };

# By default messages are logged to tty12...

#destination d_console_all { file("/dev/tty12"); };

# ...if you intend to use /dev/console for programs like xconsole

# you can comment out the destination line above that references /dev/tty12

# and uncomment the line below.

#destination d_console_all { file("/dev/console"); };

#destination d_console_all { file("/dev/null"); };

destination d_console_all { program("/bin/cat >/dev/null"); };

# Destinations

destination d_usertty { usertty("*"); };

destination d_everything {

file("/var/log/syslog-$HOST/$YEAR-$MONTH/$FACILITY.$PRIORITY.log"

template("$FULLDATE $MSGHDR$MSG\n")

template_escape(no)

);

};

# Filters

filter f_emergency { level(emerg); };

filter f_fetchmail_warnings {

not(match("fetchmail" value("PROGRAM"))

and match("Warning: the connection is insecure, continuing anyways." value("MESSAGE")));

};

log {

source(s_local);

filter(f_emergency);

destination(d_usertty);

};

log {

source(s_local);

filter(f_fetchmail_warnings);

destination(d_everything);

};

log {

source(s_local);

filter(f_fetchmail_warnings);

destination(d_console_all);

};

log {

source(s_tcp);

destination(d_everything);

};

log {

source(s_tcp);

destination(d_console_all);

};

log {

source(s_udp);

destination(d_everything);

};

log {

source(s_udp);

destination(d_console_all);

};

# Source additional configuration files (.conf extension only)

@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:

$ systemctl stop rsyslog.service

$ systemctl start syslog-ng.service

$ systemctl disable rsyslog.service

$ systemctl enable syslog-ng.service

$ yum -y remove rsyslog

Update from 2015-12-18: Don’t forget to read this post.

Configuring syslog-ng in CentOS/RHEL 7

Comments

Leave a Reply Cancel reply

Configuring syslog-ng in CentOS/RHEL 7

Share this:

Comments

Leave a Reply Cancel reply