4

Here is the system:

  • SUSE Linux Enterprise Server 10
  • syslog-ng with predefined syslog-ng.conf
  • messages in /var/log/messages look like:

Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root from 10.30.34.64 port 4855 ssh2

What I need:

  • to log event severity/facility. For instance, add <PRI> at the beginning of the message:

<15> Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root from 10.30.34.64 port 4855 ssh2

My question is:

How to change syslog-ng.conf to enable this kind of logging?

Thanks.

sysadmin1138
  • 135,853

3 Answers

5

It sounds like you want to rewrite your logfiles in a specific format. The link has the details on how to tell syslog-ng to do that :)

voretaq7
  • 80,749
2

Based on some quick reading I think you want to use the syslog() driver, which is described in section 8.1.6 of the Syslog-ng Administrator's guide. http://www.balabit.com/support/documentation/?product=syslog-ng

I hope this helps, if I find anything more, I'll let you know.

I think the syslog() driver is meant to be used with the source declaration. So where I have source external { udp(); };

You might use source external { syslog(transport("udp")); };

I don't have a suitable testing environment to try this out on, but I think this is what you want to do, if I understand your question correctly.
I went back and looked and it turns out there's a macro you can use in your destination called TAG e.g.

destination d_all {
    file("/log/$FACILITY.log" group("users")
    template_escape(no)
    template("$TAG $PRIORITY $S_DATE $HOST $MSG\n"));
};

These macros are defined around page 218 of the admin guide.
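To check what a prefixed line actually carries, here is an added example (my own code, not from this answer or from syslog-ng) that encodes and decodes the RFC 3164 PRI value (facility * 8 + severity) behind the `<15>` prefix the question asks for; the facility and severity name tables are the usual syslog names and are an assumption of this example, not something the page states.

```python
import re

# Standard syslog facility (0-23) and severity (0-7) names, indexed by code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164: PRI is 1-3 decimal digits enclosed in angle brackets at the very start.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. user.debug -> 15."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri: int):
    """Split a PRI number back into (facility name, severity name)."""
    if not 0 <= pri <= 191:          # 23 * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def add_pri(line: str, facility: str, severity: str) -> str:
    """Prefix a plain /var/log/messages line the way the question wants it."""
    return f"<{encode_pri(facility, severity)}> {line}"


def parse_line(line: str):
    """Return (facility, severity, rest) for a '<PRI> ...' line.

    Malformed prefixes (missing, non-numeric, more than 3 digits, leading
    zeros, out of range) raise ValueError instead of being silently kept as
    message text, so a filter built on facility/severity cannot be fooled."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix")
    digits, rest = m.group(1), m.group(2)
    if len(digits) > 1 and digits[0] == "0":
        raise ValueError(f"leading zero in PRI: {digits}")
    facility, severity = decode_pri(int(digits))
    return facility, severity, rest.lstrip()


def has_valid_pri(line: str) -> bool:
    """Convenience check: True only if the line starts with a well-formed PRI."""
    try:
        parse_line(line)
        return True
    except ValueError:
        return False
```

Running `parse_line` over the `<15>` line from the question reports `user`/`debug`; an sshd login record that syslog-ng files under authpriv.info would instead carry `<86>`.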

1

If you have a destination configured as so:

destination syslog-consumer { unix-stream("/var/run/syslog-output"); };

syslog messages headed to syslog-consumer get sent to that socket in the format you want.

You'll just need to set up something to listen to that socket and write to a file.

MikeyB
  • 40,079