Re: Better Syslog server

From: Ian G Batten (I.G.Batten@ftel.co.uk)
Date: 03/20/03

  • Next message: Hal Flynn: "SecurityFocus Article Announcement"
    Date: Thu, 20 Mar 2003 16:47:57 +0000
    From: Ian G Batten <I.G.Batten@ftel.co.uk>
    To: Matt Harris <mdh@unix.si.edu>
    
    

    On Mon, 17 Mar 2003, Matt Harris wrote:

    > I've been looking a bit on google/sourceforge/etc to try and find a more
    > configurable and extensible syslog server, to no avail. Does anyone
    > know of such a thing? If nothing is out there already, I'll probably
    > embark on a project to do it myself. I'm thinking of a config format
    > somewhat like this:
    >
    > # commands for syslog facility "XXX"
    > Facility XXX {
    > # Send message to stdin of a script which can send alerts, etc
    > Severity emerg ACTION /usr/local/libexec/parse-emerg.sh
    > # 192.168.47.9 - sample dhcp server
    > Host "192.168.47.9" {
    > # log stuff from the dhcp server to a separate file
    > Severity warn FILE /var/adm/dhcp.log
    > }
    > # send other stuff to a default file
    > Severity DEFAULT FILE /var/adm/xxx.log
    > }
    >
    > Of course, this is just an example off the top of my head of some of the
    > functionality I'd like - for example, piping out to a smart script,
    > sending to different files based on host that sent the message, etc
    > etc. I look forward to your input. Thanks, Matt.

    The code is a shambolic mess, but you might like to pick up
    http://www.batten.eu.org/~igb/syslogd.tar.gz at some point. On Linux it
    runs fine on its own; on Solaris you need /usr/sbin/syslogd -t running
    to pick up the stuff on the syslog door. I don't feed that back around
    into my code, I just take it out to a file, as the log of the logging
    machine isn't wildly interesting. You put the code in /var/syslogd/bin.

    /var/syslogd/syslogd.conf is something like:

    ignore imapd|pop3d|lpd/INFO
    ignore eric.ftel.co.uk/sendmail/*

    You get a tree built below /var/syslogd/messages broken down by date,
    host and facility. Each line is time-stamped to the microsecond to make
    sorting easier. You need hosts, protocols and services in
    /var/syslogd/etc as it all runs chroot'd to /var/syslogd, setuid syslog
    setgid syslog.

    I've hacked it up over the years, but it's been running in production
    here taking the logs from about a hundred machines, including big
    production mail systems, for eighteen months.

    ian
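The routing scheme both messages describe (classify each datagram by facility and severity, drop lines matching ignore rules of the `imapd|pop3d|lpd/INFO` and `host/program/*` form, and file the rest under a date/host/facility tree with microsecond timestamps) as a small worked example. This is added illustration, not Ian's syslogd code or Matt's proposed parser; the exact semantics of the ignore rules (two fields = programs/severity, three fields = host/programs/severity, `*` as a wildcard) are an assumption, and the sample rules and log lines are constructed.

```python
"""Toy syslog router: parse BSD-style syslog datagrams, drop lines that match
ignore rules, and spread the rest over a messages/<date>/<host>/<facility> tree.
Assumed rule grammar (not from the original post):
  ignore prog1|prog2/SEVERITY          -> any host, listed programs, one severity
  ignore host/prog1|prog2/SEVERITY     -> one host, listed programs, one severity
  '*' in any field matches anything."""
import re
from datetime import datetime

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message   (RFC 3164 layout)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$")


def parse(line):
    """Return the event fields, or None for anything not well formed."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:                      # facility 0..23, severity 0..7
        return None
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "host": m["host"], "program": m["tag"], "msg": m["msg"]}


def parse_rules(text):
    """Turn 'ignore ...' lines into (host, {programs}, severity) triples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        verb, _, spec = line.partition(" ")
        if verb != "ignore":
            raise ValueError(f"unknown directive: {line}")
        parts = spec.split("/")
        if len(parts) == 2:
            host, programs, sev = "*", parts[0], parts[1]
        elif len(parts) == 3:
            host, programs, sev = parts
        else:
            raise ValueError(f"bad ignore spec: {spec}")
        rules.append((host, set(programs.split("|")), sev.lower()))
    return rules


def _match(pattern, value):
    return pattern == "*" or pattern == value


def ignored(event, rules):
    """True if any rule covers this event's host, program and severity."""
    for host, programs, sev in rules:
        if (_match(host, event["host"])
                and (programs == {"*"} or event["program"] in programs)
                and _match(sev, event["severity"])):
            return True
    return False


def route(event, received):
    """Where to file the event, and the line to write (receive time to the us)."""
    path = f"messages/{received:%Y-%m-%d}/{event['host']}/{event['facility']}"
    line = (f"{received:%Y-%m-%dT%H:%M:%S.%f} {event['severity']} "
            f"{event['program']}: {event['msg']}")
    return path, line


def process(lines, rules_text, received):
    """Return ({path: [lines]}, [malformed inputs]) for a batch of datagrams."""
    rules = parse_rules(rules_text)
    tree, malformed = {}, []
    for line in lines:
        event = parse(line)
        if event is None:
            malformed.append(line)      # keep, never silently drop, bad input
            continue
        if ignored(event, rules):
            continue
        path, out = route(event, received)
        tree.setdefault(path, []).append(out)
    return tree, malformed


# Constructed sample config and datagrams (not real traffic).
SAMPLE_RULES = "ignore imapd|pop3d|lpd/INFO\nignore eric.ftel.co.uk/sendmail/*\n"
SAMPLE_LINES = [
    "<38>Mar 20 16:47:57 eric.ftel.co.uk sshd[1234]: Accepted publickey for igb",
    "<22>Mar 20 16:48:01 eric.ftel.co.uk sendmail[456]: stat=Sent",
    "<54>Mar 20 16:48:02 bob imapd[7]: Login user=alice",
    "<0>Mar 20 16:48:03 bob kernel: panic",
    "garbage line",
]

if __name__ == "__main__":
    tree, bad = process(SAMPLE_LINES, SAMPLE_RULES, datetime.now())
    for path, entries in tree.items():
        print(path, entries)
    print("malformed:", bad)
```

The receive time is passed in rather than read inside `route` so that the filing is reproducible; a real daemon would also need to guard the file path against a hostile host field (a hostname of `..` would escape the tree), which chroot'ing the writer, as Ian's setup does, is one way to bound.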

