Tomasz Korwel
programmer, administrator, engineer - my everyday fights with reality

July 20th, 2006

Debian syslog replacement

Posted by tomasz in Work

The standard way Debian logs things has always driven me crazy. Why the hell does this daemon log everything 5 times? Why do I have to see mail logs in the syslog file? Anyway, I started looking for a better solution and at one point came across an article describing the installation and configuration of the standard syslogd replacement: syslog-ng. I decided to give it a try.

As the whole process is almost trivial, I'll put only a couple of notes here.

First - syslog-ng configuration file

The file is under /etc/syslog-ng/syslog-ng.conf

#
# Configuration file for syslog-ng under Debian
#

# the standard syslog levels are (in descending order of priority):
# emerg alert crit err warning notice info debug
# the aliases "error", "panic", and "warn" are deprecated
# the "none" priority found in the original syslogd configuration is
# only used in internal messages created by syslogd

######
# options

options {
chain_hostnames(0);
time_reopen(10);
time_reap(360);
sync(5);
log_fifo_size(2048);
create_dirs(yes);
owner(root);
group(root);
perm(0640);
#dir_owner(root);
#dir_group(root);
dir_perm(0755);
use_dns(no);
#log_msg_size(2048);
stats_freq(0);
};

######
# sources

source int { internal(); };
source main { unix-stream("/dev/log"); };
source kernel { file("/proc/kmsg" log_prefix("kernel: ")); };

######
# destinations

destination mail { file("/var/log/mail.log"); };
destination kernel { file("/var/log/kernel.log"); };
destination messages { file("/var/log/messages"); };
destination sshd { file("/var/log/ssh.log"); };

######
# filters
filter mail { facility(mail); };
filter sshd { program("ssh"); };

######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement

# these rules provide the same behavior as the commented original syslogd rules

log { source(kernel); destination(kernel); };
log { source(main); filter(sshd); destination(sshd); flags(final); };
log { source(main); filter(mail); destination(mail); flags(final); };
log { source(main); source(int); destination(messages); };

Little explanation:

  • Sources - define where incoming log messages come from: syslog-ng's own internal messages, the /dev/log socket that syslog(3) writes to, and the kernel ring buffer via /proc/kmsg. To be honest I didn't dig deeper into the meaning of every line there - it works.
  • Destinations - the name says it all - places (not only files) where messages end up.
  • Filters - rules that select messages, here by facility (mail) or by program name. Note that program() is a regular-expression match, so "ssh" also catches sshd.
  • Logs - the actual place where something happens. You decide here from which source, with which filter applied, to which destination a message goes. Every log statement is evaluated in order, and flags(final) stops processing for a matched message, so the sshd and mail rules must come before the catch-all messages rule or those messages will be written twice. Simple, clean and effective.
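To see how the four log {} statements above route a message, here is a small model of that routing, added for this article. It is not syslog-ng code and not part of the original post: the RULES table is a hand transcription of the config, the sample messages are constructed, and program() is modelled as an unanchored regular-expression search, which is how syslog-ng evaluates that filter. It parses the wire format a program writes to /dev/log ("<PRI>program[pid]: text"), decodes facility and severity from PRI, applies the filters in config order and stops at flags(final).

```python
"""Model of the syslog-ng routing in the configuration above.

Added example for this article; not syslog-ng code.  RULES transcribes the
four log {} statements, SAMPLE is constructed traffic, and program() is
modelled as an unanchored regex search, as syslog-ng evaluates it.
"""
import re
from collections import defaultdict

# RFC 3164 facility codes (PRI >> 3) and severities (PRI & 7).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>program[pid]: text" as written to /dev/log by syslog(3); the pid is optional.
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<program>[A-Za-z0-9_./-]+)(?:\[\d+\])?:\s?(?P<text>.*)$")


def parse(line):
    """Split one /dev/log line into facility, severity, program and text."""
    m = _LINE.match(line)
    if m is None:
        raise ValueError("not a syslog line: %r" % line)
    pri = int(m.group("pri"))
    facility, severity = pri >> 3, pri & 7
    if facility >= len(FACILITIES):
        raise ValueError("bad facility in PRI %d" % pri)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "program": m.group("program"), "text": m.group("text")}


# One entry per log {} statement, in config order: (sources, filter, destination, final).
RULES = [
    ({"kernel"}, None, "/var/log/kernel.log", False),
    ({"main"}, lambda msg: re.search("ssh", msg["program"]) is not None, "/var/log/ssh.log", True),
    ({"main"}, lambda msg: msg["facility"] == "mail", "/var/log/mail.log", True),
    ({"main", "int"}, None, "/var/log/messages", False),
]


def route(source, msg):
    """Return the destinations a message arriving from `source` is written to."""
    destinations = []
    for sources, accept, destination, final in RULES:
        if source not in sources:
            continue
        if accept is not None and not accept(msg):
            continue
        destinations.append(destination)
        if final:  # flags(final): later log statements never see this message
            break
    return destinations


def route_lines(lines):
    """Map every (source, raw line) pair to the files it lands in."""
    files = defaultdict(list)
    for source, raw in lines:
        msg = parse(raw)
        for destination in route(source, msg):
            files[destination].append("%s: %s" % (msg["program"], msg["text"]))
    return dict(files)


# Constructed sample traffic.  The kernel line already carries the "kernel: "
# that log_prefix() prepends to what /proc/kmsg delivers.
SAMPLE = [
    ("main", "<38>sshd[1234]: Accepted publickey for root from 10.0.0.5 port 4242 ssh2"),  # auth.info
    ("main", "<22>postfix/smtpd[555]: connect from unknown[192.0.2.9]"),                   # mail.info
    ("main", "<78>CRON[777]: (root) CMD (run-parts /etc/cron.hourly)"),                    # cron.info
    ("int", "<46>syslog-ng[1]: syslog-ng starting up"),                                    # syslog.info
    ("kernel", "<6>kernel: usb 1-1: new full speed USB device"),                           # kern.info
]


def demo():
    """Route the constructed sample and return {file: [entries]}."""
    return route_lines(SAMPLE)


if __name__ == "__main__":
    for path, entries in sorted(demo().items()):
        print(path)
        for entry in entries:
            print("    " + entry)
```

Running it shows the sshd line only in ssh.log and the postfix line only in mail.log, because flags(final) stops them before the catch-all, while the cron line and syslog-ng's own internal message fall through to messages. The kernel source never reaches messages at all, since the last log statement lists only main and int. Move the messages statement to the top of RULES and the sshd line lands in both files, which is exactly the duplication the post complains about.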

Second - logrotate script

As you may have noticed, the output is 4 files. I personally prefer to keep them a little longer. So my logrotate file for syslog looks like:

/var/log/ssh.log /var/log/kernel.log /var/log/mail.log /var/log/messages {
rotate 52
weekly
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
/etc/init.d/syslog-ng reload >/dev/null
endscript
}

Please notice the postrotate part at the end of the file. It makes syslog-ng reopen its log files, so it writes to the new files instead of the renamed ones. Two directives make that safe: sharedscripts runs the reload once for the whole set of files (and runs it whenever any of them rotated, instead of tying it to a single file whose rotation notifempty might skip), and delaycompress postpones compression by one rotation, so whatever syslog-ng writes to the old file between the rename and the reload does not disappear into a half-compressed archive.

Third - logcheck

Why have nicely divided logs without automated monitoring? This is where logcheck comes in. The only change worth mentioning is the list of monitored files:

comp# cat /etc/logcheck/logcheck.logfiles
# these files will be checked by logcheck
# This has been tuned towards a default syslog install
/var/log/messages
/var/log/kernel.log
/var/log/ssh.log
/var/log/mail.log
/var/log/auth.log

Two things to check in this list. Nothing in the syslog-ng configuration above writes /var/log/auth.log (auth and authpriv messages end up in /var/log/messages), so either drop that entry or add an auth filter and destination for it; a listed path that does not exist, or is misspelled, is simply never checked. Second, logcheck on Debian runs as its own unprivileged user and needs read access to every file listed: with owner(root), group(root) and perm(0640) from the options block it has none, so set group() to a group the logcheck user belongs to (on Debian that is adm) or logcheck will report nothing.
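A quick way to catch both problems before the cron job runs is to check the list itself. The script below is an added example for this article, not code from the logcheck package: it reads logcheck.logfiles in the format shown above (one absolute path per line, '#' comments) and reports every entry logcheck could not monitor: a path that does not exist (a typo, or a file this syslog-ng config never creates), a relative path, a duplicate, or a file the named user cannot read. Readability is worked out from the file mode, owner and group, so it can be run as root to check the logcheck user. The demo scenario it builds in a temporary directory is constructed.

```python
"""Sanity check for /etc/logcheck/logcheck.logfiles.

Added example for this article, not code from the logcheck package.  Reports
entries logcheck could not monitor: missing, relative or duplicate paths and
files not readable by the user logcheck runs as.
"""
import grp
import os
import pwd
import stat
import tempfile


def parse_logfiles(text):
    """Return the paths listed in logcheck.logfiles, skipping comments and blanks."""
    paths = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            paths.append(line)
    return paths


def readable_by(path, username):
    """Approximate the kernel's read-permission check for `username` on `path`."""
    pw = pwd.getpwnam(username)
    if pw.pw_uid == 0:
        return True
    groups = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    st = os.stat(path)
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in groups:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def check_logfiles(text, user=None):
    """Return (path, problem) for every entry that would silently go unmonitored."""
    user = user or pwd.getpwuid(os.getuid()).pw_name
    problems, seen = [], set()
    for path in parse_logfiles(text):
        if path in seen:
            problems.append((path, "listed twice"))
            continue
        seen.add(path)
        if not os.path.isabs(path):
            problems.append((path, "not an absolute path"))
        elif not os.path.exists(path):
            problems.append((path, "does not exist"))
        elif not os.path.isfile(path):
            problems.append((path, "not a regular file"))
        elif not readable_by(path, user):
            problems.append((path, "not readable by %s" % user))
    return problems


def demo():
    """Constructed scenario: the four files the syslog-ng config creates, with
    perm(0640), and a list containing the 'mesages' typo plus auth.log, which
    nothing in that config writes.  Returns basenames so the result is stable."""
    tmp = tempfile.mkdtemp()
    for name in ("messages", "kernel.log", "ssh.log", "mail.log"):
        path = os.path.join(tmp, name)
        open(path, "w").close()
        os.chmod(path, 0o640)
    listing = "# these files will be checked by logcheck\n" + "\n".join(
        os.path.join(tmp, name)
        for name in ("mesages", "kernel.log", "ssh.log", "mail.log", "auth.log"))
    return [(os.path.basename(path), why) for path, why in check_logfiles(listing)]


if __name__ == "__main__":
    for path, why in demo():
        print("%s: %s" % (path, why))
```

On a real box run it as root against the actual list with user="logcheck"; with the owner(root), group(root), perm(0640) options from the syslog-ng configuration above it will list every file as not readable by logcheck until the group is changed.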

Don’t forget to teach your antispam filter to accept logcheck’s reports!


