In your syslog-ng.conf file, you'll need to edit some stanzas, filters and destinations.
Set local5 (bash output) destination, if you want it to go to a file.
# bash destination destination d_local5 { file("/var/log/local5"); }; # bash filters filter f_local5 { facility(local5); };
and in messages filter, add local5
filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news,local5); };and finally, set the log destination:
# local5 log { source(s_all); filter(f_local5); destination(d_bash); };
If you have a remote syslog daemon or logger such as loggly or splunk set up, drop their destination definitions in the log stanza for "local5". e.g.:
# loggy # destination d_loggly { tcp("logs.loggly.com" port(XXXXXX)); }; # local5 log { source(s_all); filter(f_local5); destination(d_local5); destination(d_loggly); };
On loggly (if you've allowed the destination in your remote device list) or splunk, you should see something akin to:
2011 May 13 16:09:19.000 s_all@host1 bash-ub610: history: [pid:5379 uid:0] exit 2011 May 13 16:09:50.000 s_all@host1 bash-ub610: history: [pid:5584 uid:0] ls -la 2011 May 13 16:09:52.000 s_all@host1 bash-ub610: history: [pid:5584 uid:0] cd /opt/In your old /etc/syslog.conf or /etc/rsyslog.d/50-default.conf add the following:
auth,authpriv.*;local5.* @syslogserver auth,authpriv.*;local5.* @logs.loggly.com:yourportno
No comments:
Post a Comment