I am trying to teach myself syslog-ng configuration, and I hope someone will be kind enough to verify my understanding of the syslog-ng configuration file below — specifically the nested `log` statement at the end of the listing (lines 100-120 in the original numbering).
1) Lines 101-103: the outer `log` statement reads every (unfiltered) message from `s_local`, writes it locally to `d_message`, and at the same time forwards it to the remote log server (`d_logserver`).
2) Lines 108-111: the first embedded `log` statement filters the messages from (1) and writes those carrying the `user` facility to `d_user`.
3) Lines 116-119: the second embedded `log` statement filters the messages from (1) and writes those carrying the `auth` facility to `d_auth`.
If disk space is not a concern, is it common industry practice to keep the raw, unfiltered system-specific log messages of a platform (as `d_message` does here) in addition to the per-facility files? Are there any known benefits to adopting such a practice?
Many thanks in advance.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@version: 6.0
## Default configuration file for syslog-ng.
##
## @version pins the configuration syntax this file was written against.
## For a description of the configuration file directives, see the
## syslog-ng Administrator's Guide at:
##
## www.balabit.com/.../documentation
##
## scl.conf loads the syslog-ng Configuration Library (SCL) blocks; keep it —
## depending on the version, the system() source used below is defined there.
@include "scl.conf"

## Global settings — apply to every source and destination below unless a
## driver overrides them locally.
options {
    ts-format(iso);            # ISO 8601 timestamps in written/forwarded messages
    time-reopen(10);           # seconds to wait before retrying a failed connection
    log-msg-size(65535);       # maximum accepted message length in bytes
    use-dns(no);               # never resolve addresses via DNS: no blocking lookups,
                               # and no DNS-controlled hostnames ending up in the logs
    keep-hostname(yes);        # keep the hostname field a message arrives with ...
    normalize-hostnames(yes);  # ... but lower-case it
    use-uniqid(yes);           # stamp every message with a unique ID (${UNIQID})
};
## NOTE(review): keep-hostname(yes) trusts whatever hostname a message carries.
## That is harmless for the local system() source on this host, but if this file
## is reused on a relay/collector it lets a client pick the hostname it is logged
## under — confirm that is intended before copying these options elsewhere.

################################################################################
## Section: Source elements
################################################################################
## Platform/system log messages.  system() opens the OS's local log channels
## (which ones depends on the platform — on Linux typically /dev/log and the
## kernel ring buffer), so this is the unfiltered feed for everything below.
source s_local { system(); };

## syslog-ng's own diagnostics (start/stop, configuration errors, destination
## failures, periodic statistics) come through this special source.
source s_internal { internal(); };

## Application logs tailed from files.  follow-freq(1): poll the file(s) for new
## lines once per second.
## NOTE(review): the path contains a wildcard.  Whether file() expands globs
## depends on the syslog-ng edition/version (OSE 3.10+ uses wildcard-file() for
## this) — confirm on the running binary that more than one file is picked up.
source s_applog { file("/var/log/appsrv/*.log" follow-freq(1)); };


################################################################################
## Section: Destination elements
################################################################################
## syslog-ng's own messages (from s_internal), one file per day.
destination d_internal {
    file("/var/log/syslogng-${YEAR}_${MONTH}_${DAY}.log");
};

## Per-facility files for the platform's system messages.  Only d_user and
## d_auth are referenced by a log statement in this file; d_kern and d_daemon
## are defined but currently unused.
destination d_kern    { file("/var/log/syslog/kern.log");   };
destination d_user    { file("/var/log/syslog/user.log");   };
destination d_daemon  { file("/var/log/syslog/daemon.log"); };
## auth.log carries usernames, source addresses and failed-login details.  File
## mode/owner are left at syslog-ng's defaults here; if the defaults on this host
## are looser than root-only, set perm()/owner()/group() explicitly.
destination d_auth    { file("/var/log/syslog/auth.log");   };
## Raw, unfiltered copy of everything from s_local, one file per day.
## NOTE(review): ${YEAR}/${MONTH}/${DAY} come from the message's own timestamp
## when keep-timestamp() is at its default (yes), so a sender that forges the
## timestamp picks the file it lands in; use ${R_YEAR}/${R_MONTH}/${R_DAY} if the
## file should be named by the time syslog-ng received the message — confirm.
destination d_message { file("/var/log/${YEAR}_${MONTH}_${DAY}.messages"); };


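## Forward to the central log server over TLS (syslog() = IETF syslog protocol,
## here on port 9514).  Mutual TLS: the server must present a certificate that
## chains to a CA in ca-dir, and this host authenticates with the key/cert pair.
destination d_logserver {
    syslog(
        "192.168.1.2"
        transport(tls)
        port(9514)
        tls(
            # Trust anchors.  ca-dir() expects hash-named files (openssl c_rehash).
            # Put only the private CA that issues log-server certificates here: a
            # public CA would let any certificate from that CA impersonate the server.
            ca-dir("/opt/syslog-ng/etc/ca.d")
            # Client identity.  The key file must be readable only by the user
            # syslog-ng runs as.  The "_2019" names suggest yearly rotation — track
            # the expiry so forwarding does not stop silently.
            key-file("/opt/syslog-ng/etc/key.d/appserver_key_2019.pem")
            cert-file("/opt/syslog-ng/etc/cert.d/appserver_cert_2019.pem")
            # Explicit: refuse the connection unless the server presents a
            # certificate that validates against ca-dir.  This is also the
            # default, but spelling it out keeps a later edit or a different
            # default from silently downgrading to an unauthenticated channel.
            peer-verify(required-trusted)
            # Forward-secret AEAD suites only (ECDHE + AES-GCM).
            cipher-suite("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256")
            # NOTE(review): if the running version supports it, add
            # ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11) so that only
            # TLS 1.2+ is negotiated.
        )
    );
};
## NOTE(review): there is no disk-buffer() on this destination.  While the
## server or the TLS link is down, messages for it queue in memory only and are
## dropped once the output queue fills, so an outage — or an attacker who can
## cut the link — costs log evidence.  A reliable disk buffer is the usual fix;
## check the syntax for this edition/version before adding it.
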
## Facility filters.  Only f_user and f_auth are used by a log statement in this
## file; f_syslog, f_kern and f_daemon are defined but unreferenced.
## NOTE(review): the facility is chosen by the sending process, so a split by
## facility is a convenience, not an integrity boundary — one reason to keep the
## unfiltered d_message copy as well.
filter f_syslog { facility(syslog); };
filter f_kern   { facility(kern);   };
filter f_user   { facility(user);   };
filter f_daemon { facility(daemon); };
filter f_auth   { facility(auth);   };

## Severity filters.  Each is an inclusive range from the named level up to
## emerg (emerg is the most severe, debug the least).
filter f_err   { level(err..emerg);   };   # err, crit, alert, emerg
filter f_debug { level(debug..emerg); };   # every severity: this filter excludes nothing
filter f_info  { level(info..emerg);  };   # everything except debug
filter f_warn  { level(warn..emerg);  };   # warning and above
## Only f_debug is referenced by a log statement in this file.


################################################################################
## Section: Log elements
################################################################################
## syslog-ng's own diagnostics -> local daily file.
##   s_internal: internal()
##   d_internal: file("/var/log/syslogng-${YEAR}_${MONTH}_${DAY}.log")
## Worth watching: "destination unreachable" / queue-full messages appear here
## and are the only local evidence that forwarding to d_logserver is failing.
## They are not sent to the remote server by this statement; add
## destination(d_logserver) here if they should be visible centrally.
log { source(s_internal); destination(d_internal); };

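## Application log lines -> remote server only.  syslog-ng keeps no separate
## local copy; the files under /var/log/appsrv are the only local record.
##   s_applog:    file("/var/log/appsrv/*.log" follow-freq(1))
##   d_logserver: remote TLS syslog server defined in d_logserver
## NOTE(review): the original comment on this statement named
## /var/log/appserver/*.log while the s_applog source reads /var/log/appsrv/*.log
## — confirm which directory the application actually writes to.
log { source(s_applog); destination(d_logserver); };
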
## Platform/system messages (s_local), using embedded log statements.  Every
## message from s_local is delivered to BOTH destinations listed in the outer
## block, and is additionally handed to each inner log {} block, whose own
## filters decide whether it also reaches that block's destination.  Nothing
## here uses flags(final), so the inner files are in addition to — not instead
## of — the raw copies.
##   s_local     -> system()
##   d_message   -> /var/log/${YEAR}_${MONTH}_${DAY}.messages  (raw, unfiltered)
##   d_logserver -> remote TLS syslog server                   (raw, unfiltered)
log {
    source(s_local);
    destination(d_message);
    destination(d_logserver);

    ## facility user -> /var/log/syslog/user.log
    ## f_debug is level(debug..emerg), i.e. every severity, so it excludes nothing.
    log {
        filter(f_user);
        filter(f_debug);
        destination(d_user);
    };

    ## facility auth -> /var/log/syslog/auth.log
    ## As above, f_debug is a no-op here.
    log {
        filter(f_auth);
        filter(f_debug);
        destination(d_auth);
    };
};
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~