Talk:Syslog-ng
Is match() example right?
The example:
filter f_failed { match("regex" value("failed")); };
is in my opinion bad.
List of supported values in value() should be: "HOST", "HOST_FROM", "MESSAGE", "PROGRAM", "PID", "MSGID" and "SOURCE".
More info: https://lists.balabit.hu/pipermail/syslog-ng/2009-April/012789.html
Better example could be:
filter f_grsecurity { match("^grsec" value("MESSAGE")); };
This is real/working example from my syslog-ng config.
Tojaj 16:39, 8 February 2011 (EST)
I'm Confirming what Tojaj said. It's not only bad, it doesn't work. I looked into this documentation to find a description and a list of supported values.
This is an extract of the documentation :
match()
Description: Match a regular expression to the headers and the message itself (that is, the values returned by the MSGHDR and MSG macros). Note that in syslog-ng version 2.1 and earlier, the match() filter was applied only to the text of the message, excluding the headers. This functionality has been moved to the message() filter. To limit the scope of the match to a specific part of the message (identified with a macro), use the match(regexp value("MACRO")) syntax. Do not include the $ sign in the parameter of the value() option. The value() parameter accepts both built-in macros and user-defined ones created with a parser or using a pattern database. For details on macros and parsers, see Section 11.1.2, Templates and macros (p. 212), Section 12.2, Parsing messages (p. 234), and Section 13.2.1, Using parser results in filters and templates (p. 244).
So the complete list of supported values is :
"AMPM", "BSDTAG", "DATE, C_DATE, R_DATE, S_DATE", "DAY, C_DAY, R_DAY, S_DAY", "FACILITY", "FACILITY_NUM", "FULLDATE, C_FULLDATE, R_FULLDATE, S_FULLDATE", "FULLHOST", "FULLHOST_FROM", "HOUR, C_HOUR, R_HOUR, S_HOUR", "HOUR12, C_HOUR12, R_HOUR12, S_HOUR12", "HOST", "HOST_FROM", "ISODATE, C_ISODATE, R_ISODATE, S_ISODATE", "LEVEL_NUM", "LOGHOST", "MIN, C_MIN, R_MIN, S_MIN", "MONTH, C_MONTH, R_MONTH, S_MONTH", "MONTH_ABBREV, C_MONTH_ABBREV, R_MONTH_ABBREV, S_MONTH_ABBREV", "MONTH_NAME, C_MONTH_NAME, R_MONTH_NAME, S_MONTH_NAME", "MONTH_WEEK, C_MONTH_WEEK, R_MONTH_WEEK, S_MONTH_WEEK", "MSEC, C_MSEC, R_MSEC, S_MSEC", "MSG or MESSAGE", "MSGHDR", "MSGID", "MSGONLY", "PID", "PRI", "PRIORITY or LEVEL", "PROGRAM", "SDATA, .SDATA.SDID.SDNAME", "SEC, C_SEC, R_SEC, S_SEC", "SOURCEIP", "SEQNUM", "STAMP, R_STAMP, S_STAMP", "SYSUPTIME", "TAG", "TAGS", "TZ, C_TZ, R_TZ, S_TZ", "TZOFFSET, C_TZOFFSET, R_TZOFFSET, S_TZOFFSET", "UNIXTIME, C_UNIXTIME, R_UNIXTIME, S_UNIXTIME", "USEC, C_USEC, R_USEC, S_USEC", "YEAR, C_YEAR, R_YEAR, S_YEAR", "WEEK, C_WEEK, R_WEEK, S_WEEK", "WEEK_ABBREV, C_WEEK_ABBREV, R_WEEK_ABBREV, S_WEEK_ABBREV", "WEEK_DAY, C_WEEK_DAY, R_WEEK_DAY, S_WEEK_DAY", "WEEKDAY, C_WEEKDAY, R_WEEKDAY, S_WEEKDAY", "WEEK_DAY_NAME, C_WEEK_DAY_NAME, R_WEEK_DAY_NAME, S_WEEK_DAY_NAME".
Nrm (talk) 07:57, 20 August 2013 (UTC)
Reversal typo in Shorewall examples
The example:
filter f_shorewall { not match("regex" value("Shorewall")); }; # Filter everything except regex keyword Shorewall filter f_noshorewall { match("regex" value("Shorewall")); }; # Filter regex keyword Shorewall
I believe the identifiers are switched. I have switched them to what I think they are intended to be. nuclearsandwich 14:58, 26 February 2011 (PST)
Directly to SQL
I notice that we still aren't running syslog-ng with --enable-sql (should be a trivial change at some point) but thought I would populate some basic options that will work well in the wiki when available.
This config is only valid for 3.2 and up (Current as of this writing in Arch is 3.3.4.5).
Taken directly from http://pzolee.blogs.balabit.com/2010/10/syslog-ng-example-configurations/
@version: 3.2 source s_file{file("/var/log/inputfile*.log" follow-freq(1));}; destination d_sql { sql( type("mysql") host("10.100.20.46") username("test_user") password("password") database("test_db") table("testtable-$YEAR-$MONTH-$DAY") columns("insert_time int", "date_time varchar(32)", "facility int", "priority int", "host varchar(255)", "program varchar(64)", "pid int", "message varchar(4000)") values("${R_UNIXTIME}", "${S_YEAR}-${S_MONTH}-${S_DAY} ${S_HOUR}:${S_MIN}:${S_SEC}", "$FACILITY_NUM", "$LEVEL_NUM", "$HOST", "$PROGRAM", "${PID:-0}", "$MSGONLY") indexes("insert_time", "date_time", "facility", "host", "program") ); }; log{ source (s_file); destination (d_sql); };
- Provided by HRabbit (2012-04-26)
journald.conf.d
I wonder if the examples that suggest editing journald.conf should instead suggest adding override files under journald.conf.d. This has the advantage of not needing a merge when journald is updated. JimRees (talk) 15:53, 18 January 2015 (UTC)
syslog-ng example doesn't work
Setting the source to /dev/log doesn't work:
Using /dev/log Unix socket with systemd is not possible. Changing to systemd-syslog source, which supports socket activation.; Failed to acquire /run/systemd/journal/syslog socket, disabling systemd-syslog source;
I will try to figure out how to fix this and update the wiki. JimRees (talk) 16:06, 18 January 2015 (UTC)
Reference to xconsole is missing?
In the section about syslog-ng Destinations is has an example to a named pipe, and then refers us to a later reference. This reference does not seem to exist?
Also, maybe put an example of how a syslog-ng Destination can be journald? Clvrmnky (talk) 18:30, 13 March 2015 (UTC)
systemd-journal-remote
I'd propose to mention the existence of systemd-journal-remote and encourage it's use over syslog-ng.
—This unsigned comment is by Mausy5043 (talk) 16:51, 27 January 2022 (UTC). Please sign your posts with ~~~~!