Debian syslog replacement

The standard way Debian logs things always made me crazy. Why the hell is this daemon logging everything 5 times? Why do I have to see mail logs in the syslog file? Anyway, I started to look for a better solution and at one point came across an article describing the installation and configuration of the standard syslogd replacement: syslog-ng. I decided to give it a try.

As the whole process is almost trivial, I'll only put a couple of notes here.

First – syslog-ng configuration file

The file is /etc/syslog-ng/syslog-ng.conf. After editing it, run syslog-ng -s to check the syntax before you restart the daemon.

#
# Configuration file for syslog-ng under Debian
#

# the standard syslog levels are (in descending order of priority):
# emerg alert crit err warning notice info debug
# the aliases "error", "panic", and "warn" are deprecated
# the "none" priority found in the original syslogd configuration is
# only used in internal messages created by syslogd

######
# options

options {
chain_hostnames(0);
time_reopen(10);
# close a destination file that has been idle for this many seconds
time_reap(360);
sync(5);
log_fifo_size(2048);
create_dirs(yes);
# log files are created as root:root 0640, so only root can read them
owner(root);
group(root);
perm(0640);
#dir_owner(root);
#dir_group(root);
dir_perm(0755);
# do not resolve client addresses: no DNS lookup per message, and no
# attacker-controlled reverse records ending up in the logs
use_dns(no);
#log_msg_size(2048);
stats_freq(0);
};

######
# sources

source int { internal(); };
source main { unix-stream("/dev/log"); };
source kernel { file("/proc/kmsg" log_prefix("kernel: ")); };

######
# destinations

destination mail { file("/var/log/mail.log"); };
destination kernel { file("/var/log/kernel.log"); };
destination messages { file("/var/log/messages"); };
destination sshd { file("/var/log/ssh.log"); };

######
# filters
filter mail { facility(mail); };
# program() takes a regular expression, so "ssh" matches "sshd" as well
filter sshd { program("ssh"); };

######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement: a message that matched a final statement is not offered
# to the statements below it

# these rules provide the same behavior as the commented original syslogd rules

log { source(kernel); destination(kernel); };
log { source(main); filter(sshd); destination(sshd); flags(final); };
log { source(main); filter(mail); destination(mail); flags(final); };
log { source(main); source(int); destination(messages); };

A little explanation:

  • Sources – define where incoming log messages come from. To be honest I didn't dig deeper into the meaning of every line there – it works.
  • Destinations – the name says it all: the places (not only files) where messages end up.
  • Filters – again, rules that let you select or filter out some messages; here by facility and by program name.
  • Logs – the actual place where something happens. Here you decide from which source, with which filter applied, to which destination a message goes. Simple, clean and effective.
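To see what the four log statements actually do with a message, here is a small Python model of the routing. It is an added example, not code from the original post or from syslog-ng: it re-implements only the semantics this configuration relies on (statements are evaluated top to bottom, every matching statement receives the message, and flags(final) stops the evaluation for that message), and the sample messages are constructed. Names such as Message, route and without_final are this example's own.

```python
"""Model of how the "log" statements above route messages.

Added example, not code from the original post nor from syslog-ng: it
re-implements only the part of syslog-ng's semantics this configuration
relies on (log statements are evaluated top to bottom, a message is sent
to every statement whose sources and filters match, and flags(final)
stops the evaluation for that message), so the effect of the flags and of
the statement order can be checked without running the daemon. The
sample messages are constructed.
"""
import re
from dataclasses import dataclass, replace


@dataclass
class Message:
    source: str    # syslog-ng source the message arrived on: main, kernel or int
    facility: str  # syslog facility name, e.g. mail, authpriv, cron, kern
    program: str   # program name in front of the PID, e.g. sshd, postfix/smtpd
    text: str


def filter_mail(msg: Message) -> bool:
    """filter mail { facility(mail); };"""
    return msg.facility == "mail"


def filter_sshd(msg: Message) -> bool:
    """filter sshd { program("ssh"); };  program() is a regex, so 'sshd' matches too."""
    return re.search("ssh", msg.program) is not None


@dataclass
class LogStatement:
    sources: frozenset
    destinations: tuple
    filters: tuple = ()
    final: bool = False


# The four log statements of the configuration, in the order they appear.
CONFIG = (
    LogStatement(frozenset({"kernel"}), ("/var/log/kernel.log",)),
    LogStatement(frozenset({"main"}), ("/var/log/ssh.log",), (filter_sshd,), final=True),
    LogStatement(frozenset({"main"}), ("/var/log/mail.log",), (filter_mail,), final=True),
    LogStatement(frozenset({"main", "int"}), ("/var/log/messages",)),
)


def route(msg: Message, config=CONFIG) -> list:
    """Return the destinations the message is written to, in statement order."""
    hits = []
    for stmt in config:
        if msg.source not in stmt.sources:
            continue
        if not all(f(msg) for f in stmt.filters):
            continue
        hits.extend(stmt.destinations)
        if stmt.final:          # flags(final): later statements never see it
            break
    return hits


def without_final(config=CONFIG) -> tuple:
    """The same configuration with every flags(final) removed."""
    return tuple(replace(stmt, final=False) for stmt in config)


# Constructed sample messages (not real log data).
SAMPLES = [
    Message("kernel", "kern", "kernel", "eth0: link up"),
    Message("main", "authpriv", "sshd", "Accepted publickey for admin from 192.0.2.10"),
    Message("main", "mail", "postfix/smtpd", "connect from mx.example.net[198.51.100.7]"),
    Message("main", "cron", "CRON", "(root) CMD (run-parts /etc/cron.hourly)"),
    Message("int", "syslog", "syslog-ng", "syslog-ng starting up"),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"{msg.program:14} -> {route(msg)}")
    # Without flags(final) mail and sshd lines are duplicated into messages,
    # which is exactly the "why do I see mail logs in syslog" complaint above.
    print("without final:", route(SAMPLES[2], without_final()))
```

Running it with without_final() shows mail and sshd lines landing in /var/log/messages as well, which is exactly the duplication complained about at the top of the post. Note the flip side: because the sshd statement is final, /var/log/messages contains no sshd events at all, so anyone grepping only messages for login activity will miss them.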

Second – logrotate script

As you may have noticed, the output is 4 files. I personally prefer to keep them for a little longer, so my logrotate file for syslog-ng looks like:

# all four files rotate together, and syslog-ng is told to reopen them once
# (sharedscripts) after every one of them has been renamed
/var/log/ssh.log
/var/log/kernel.log
/var/log/mail.log
/var/log/messages {
rotate 52
weekly
missingok
notifempty
compress
# compress one cycle later, so a file syslog-ng may still be writing to
# is never gzipped out from under it
delaycompress
sharedscripts
postrotate
/etc/init.d/syslog-ng reload >/dev/null
endscript
}

Note the postrotate part at the end: the reload makes syslog-ng close the renamed files and write to the fresh ones. Without it syslog-ng keeps writing to the rotated file, and compress would then gzip a file that is still being written to, losing lines, so the reload has to cover every rotated file, not only /var/log/messages. A dry run with logrotate -d on the file shows what would be rotated without touching anything.

Third – logcheck

Why would we want nicely divided logs without automated monitoring? Here comes logcheck. The only change worth mentioning is the list of monitored files:

comp# cat /etc/logcheck/logcheck.logfiles
# these files will be checked by logcheck
# This has been tuned towards a default syslog install
/var/log/messages
/var/log/kernel.log
/var/log/ssh.log
/var/log/mail.log
/var/log/auth.log

One caveat: the syslog-ng configuration above never writes /var/log/auth.log (auth and authpriv messages end up in /var/log/messages, or in /var/log/ssh.log for sshd), so either add a destination for those facilities or drop that entry from the list. And don't forget to teach your antispam filter to accept logcheck's reports!
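What logcheck does with those files, as an added Python example (not code from the original post nor from logcheck): logcheck mails every line that matches none of its ignore regexes and flags lines matching its violation patterns. The script below reproduces that classification with hand-written patterns (assumptions made for the example, not logcheck's shipped rule set) over constructed sample lines in the format the syslog-ng config above produces, and counts failed SSH logins per source address so a brute-force attempt stands out in the report. The names classify, scan and failed_logins_by_source are this example's own.

```python
"""logcheck-style pass over the files listed in logcheck.logfiles.

Added example, not part of the original post nor of logcheck. logcheck
reports every line that matches none of its "ignore" regexes and
additionally flags lines that match its "violations" (attack) patterns;
this script reproduces that classification with a handful of hand-written
patterns (assumptions for the example, not logcheck's shipped rule files)
over constructed sample lines, and counts failed SSH logins per source
address so a brute-force attempt is visible at a glance.
"""
import re
from collections import Counter

# Routine lines not worth an e-mail (constructed, loosely modelled on what
# logcheck's ignore.d files do for sshd, postfix, cron and the kernel).
IGNORE = [re.compile(p) for p in (
    r" sshd\[\d+\]: Accepted (publickey|password) for \S+ from [\d.]+ port \d+",
    r" sshd\[\d+\]: (Received disconnect from|Connection closed by) [\d.]+",
    r" postfix/\S+\[\d+\]: [0-9A-F]+: (from|to|removed)",
    r" CRON\[\d+\]: \(\S+\) CMD ",
    r" kernel: eth\d: link (up|down)",
)]

# Lines that are always reported, whatever else matches (constructed).
VIOLATIONS = [re.compile(p, re.IGNORECASE) for p in (
    r"Failed password for (invalid user )?\S+ from [\d.]+",
    r"Invalid user \S+ from [\d.]+",
    r"POSSIBLE BREAK-IN ATTEMPT",
    r"Did not receive identification string from [\d.]+",
)]

FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?\S+ from ([\d.]+)")


def classify(line: str) -> str:
    """'violation' beats 'ignore': an attack line is reported even if an ignore rule matches."""
    if any(p.search(line) for p in VIOLATIONS):
        return "violation"
    if any(p.search(line) for p in IGNORE):
        return "ignore"
    return "unmatched"


def scan(lines) -> dict:
    """Split lines the way logcheck would: ignored ones vanish, the rest is reported."""
    report = {"violation": [], "unmatched": []}
    for line in lines:
        line = line.rstrip("\n")
        kind = classify(line)
        if kind != "ignore":
            report[kind].append(line)
    return report


def failed_logins_by_source(lines) -> Counter:
    """Count 'Failed password' lines per client address across the scanned lines."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


# Constructed sample lines (hostname, PIDs and addresses are made up).
SAMPLE_LINES = """\
Mar  3 10:01:12 comp sshd[2311]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
Mar  3 10:01:40 comp sshd[2318]: Invalid user oracle from 203.0.113.5
Mar  3 10:01:41 comp sshd[2318]: Failed password for invalid user oracle from 203.0.113.5 port 41022 ssh2
Mar  3 10:01:45 comp sshd[2320]: Failed password for root from 203.0.113.5 port 41030 ssh2
Mar  3 10:01:47 comp sshd[2322]: Failed password for root from 203.0.113.5 port 41034 ssh2
Mar  3 10:02:00 comp CRON[2330]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:02:13 comp postfix/smtpd[2340]: 7F3A2C: from=<alice@example.org>, size=1204
Mar  3 10:02:30 comp kernel: eth0: link up
Mar  3 10:03:02 comp su[2350]: + pts/1 bob:root
""".splitlines()

if __name__ == "__main__":
    result = scan(SAMPLE_LINES)
    print("Security events:")
    print("\n".join(result["violation"]))
    print("\nUnusual lines:")
    print("\n".join(result["unmatched"]))
    print("\nFailed logins per source:", dict(failed_logins_by_source(SAMPLE_LINES)))
```

The su line ends up in the "unusual" bucket because nothing matches it, which is the point of logcheck's model: the ignore list has to describe normal traffic completely, and anything it does not describe gets a human's eyes. Keep the ignore patterns as tight as the ones here (anchored on program name and PID, addresses as digits and dots); a loose pattern such as a bare "sshd" would silently swallow the brute-force lines too.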
