Syslog-ng: how to log severity/facility

slessles10syslog-ng

Here is the system:

SUSE Linux Enterprise Server 10
syslog-ng with predefined syslog-ng.conf
messages in /var/log/messages look like:

Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root from 10.30.34.64 port 4855 ssh2

What I need:

to log event severity/facility. For instance, add <PRI> at the beginning of the message:

<15> Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root from 10.30.34.64 port 4855 ssh2

My question is:

How to change syslog-ng.conf to enable this kind of logging?

Thanks.

Best Answer

It sounds like you want to rewrite your logfiles in a specific format. The link has the details on how to tell syslog-ng to do that :)

Related Solutions

Syslog-ng log format

Normally, the "local@localhost" string is a result of either one of these config options:

chain_hostnames(yes);
long_hostnames(yes);

I can't remember exactly if this one more option is involved:

keep_hostname(yes);

Please update your question with full config file.

EDIT: seems like long_hostnames(on) is at fault. Surely, some of the syslog-ng options are not only misnamed, but also very poorly documented. I've tried to re-engineer this mess and I've put the results here at FQDNs during migration from syslogd to syslog-ng

Remote logging for multiple Apache virtual hosts using syslog-ng

I think this should answer your question:

http://bazsi.blogs.balabit.com/2008/10/syslog-ng-message-parsing/

The summary: syslog-ng can extract fields from your log messages, and then you can use these fields in template substitutions. As long as your are logging the virtual host name (%v) in your Apache logs, you should have all the information you need.

Best Answer

Related Solutions

Syslog-ng log format

Remote logging for multiple Apache virtual hosts using syslog-ng

Related Topic