syslog-ng-2.0.10.tar.gz

#----------------------------------------------------------------------

# Program: syslog-ng.conf

# Notes: Embedded most of the manual notes within the configuration

# file. The original manual can be found at:

#

# http://www.balabit.com/products/syslog_ng/reference/book1.html

# http://www.campin.net/syslog-ng/faq.html

#

# are given at the different web sites, and made to emulate

# the logs of a Mandrake Linux system as much as possible.

# Of course, Unix is Unix, is Linux. It should be generic

# enough for any Unix system.

#----------------------------------------------------------------------

# 16-Mar-03 - REP - Added some extra definitions to the file.

# 15-Mar-03 - REP - Added back the comments on filtering.

# 27-Feb-03 - REP - Further modified for local environment.

# 27-Feb-03 - REP - Updated for new configuration and version 1.6.0

# 12-Dec-02 - REP - Continued updates for writing to databases.

# ------------------------- ------- ------------------------------------

# bad_hostname reg exp A regexp which matches hostnames

# which should not be taken as such.

# chain_hostnames y/n Enable or disable the chained

# hostname format.

# create_dirs y/n Enable or disable directory creation

# for destination files.

# dir_group groupid

# dir_owner userid

# dir_perm perm

# gc_busy_threshold num Sets the threshold value for the

# garbage collector, when syslog-ng is

# busy. GC phase starts when the number

# of allocated objects reach this

# number. Default: 3000.

# gc_idle_threshold num Sets the threshold value for the

# garbage collector, when syslog-ng is

# idle. GC phase starts when the number

# of allocated objects reach this

# number. Default: 100.

# Otherwise the last logger will be

# considered the log entry owner and

# the log entry will appear to have

# come from that host.

# log_fifo_size num The number of lines fitting to the

# output queue

# log_msg_size num Maximum length of message in bytes.

# long_hostnames on/off This options appears to only really

# have an affect on the local system.

# MARK lines. NOTE: not implemented

# yet.

# owner userid

# perm perm

# stats num The number of seconds between two

# STATS.

# sync num The number of lines buffered before

# written to file

# time_reap num The time to wait before an idle

# destination file is closed.

# connection is reestablished

# syslog-ng network endpoint with

# firewall rules, and make sure that

# all hosts, which may get to

# syslog-ng is resolvable.

# use_fqdn y/n Add Fully Qualified Domain Name

# instead of short hostname.

# use_time_recvd y/n Use the time a message is

# received instead of the one

# specified in the message.

#----------------------------------------------------------------------

# the log_msg_size and log_fifo_size to increase the

# amount of buffering that we do. While for most

# systems this may not have a noticeable affect, it

# will for systems that are at the end of a lot of

# logging systems.

# 20-Dec-02 - REP - Changed the stat() time from the default of 10

# minutes to once an hour.

#----------------------------------------------------------------------

options

{

log_msg_size(8192);

long_hostnames(on);

perm(0644);

stats(3600);

sync(0);

time_reopen (10);

use_dns(yes);

use_fqdn(yes);

};

# specified name, and listens for messages. It's

# used as the native message getting protocol on

# HP-UX.

# file - Usually the kernel presents its messages in a

# special file (/dev/kmsg on BSDs, /proc/kmsg on

# Linux), so to read such special files, you'll need

# the file() driver. Please note that you can't use

# this driver to follow a file like tail -f does.

# internal - All internally generated messages "come" from this

# special source. If you want warnings, errors and

# this source in one of your source statements.

# Newer versions of Solaris (2.5.1 and above), uses a

# new IPC in addition to STREAMS, called door to

# confirm delivery of a message. Syslog-ng supports

# this new IPC mechanism with the door() option.

#

# The sun-streams() driver has a single required

# argument, specifying the STREAMS device to open and

# a single option.

# tcp/udp - These drivers let you receive messages from the

# network, and as the name of the drivers show, you

# messages at the protocol level.

#

# TCP provides connection-oriented service, which

# basically means a flow-controlled message pipeline.

# In this pipeline, each message is acknowledged, and

# retransmission is done for lost packets. Generally

# it's safer to use TCP, because lost connections can

# be detected, and no messages get lost, but

# traditionally the syslog protocol uses UDP.

#

#

# Options:

#

# Name Type Description Default

# -------------- ------ -------------------------------- --------

# ip or local ip string The IP address to bind to. Note 0.0.0.0

# that this is not the address

# where messages are accepted

# from.

# port or local port number The port number to bind 514

# to.

# -------------- ------ -------------------------------- --------

#

# unix-stream - unix-dgram - These two drivers behave similarly:

# they open the given AF_UNIX socket, and start

# listening on them for messages. unix-stream() is

# primarily used on Linux, and uses SOCK_STREAM

# semantics (connection oriented, no messages are

# lost), unix-dgram() is used on BSDs, and uses

# local messages, if the system is overloaded.

# max-connections() parameter. The default value of

# this parameter is quite strict, you might have to

# increase it on a busy system.

#

# Both unix-stream and unix-dgram has a single

# required positional argument, specifying the

# filename of the socket to create, and several

# optional parameters.

#

# Options:

# syslog-ng is restarted, can be

# used only with unix-stream().

# max-connections numb Limits the number of 10

# simultaneously opened

# connections. Can be used only

# with unix-stream().

# owner string Set the uid of the socket. root

# perm num Set the permission mask. For 0666

# octal numbers prefix the number

# with '0', e.g. use 0755 for

# should be removed.

#

# It seems that there is some performance questions related

# to what type of source stream should be used for Linux

# boxes. The documentation states the /dev/log should use

# unix-stream, but from the mailing list it has been

# strongly suggested that unix-dgram be used.

#

# WARNING: TCP wrappers has been enabled for this system, and unless

# and possibly outgoing packets are allowed by the firewall

# rules.

#----------------------------------------------------------------------

# There has been a lot of debate on whether everything should be put

# to a single source, or breakdown all the sources into individual

# streams. The greatest flexibility would be in many, but the most

# simple is the single. Since we wrote this file, we have chosen the

# route of maximum flexibility.

#

# For those of you that like simplicity, this could have also been

#

# udp();

# unix-stream("/dev/log");

# };

#

# You would also have to change all the log statements to only

# reference the now single source stream.

#----------------------------------------------------------------------

# 16-Mar-03 - REP - The default number of allowed TCP connects is set

# very low for a logserver. This value should only

# be set greater than the default for servers that

{ internal(); };

source s_kernel

{ file("/proc/kmsg" log_prefix("kernel: ")); };

source s_tcp

{ tcp(port(4800) keep-alive(yes) max_connections(100)); };

#----------------------------------------------------------------------

# Destinations

# specifying the filename of the pipe to open, and