Need help to confirm understanding of syslog-ng nested log elements.

I am trying to educate myself on syslog-ng product configuration, and hope someone will be kind enough to verify my understanding of the syslog-ng configuration file below (specifically lines 100-120).

1) Lines 101-103: the purpose is to read unfiltered messages from s_local, then write them locally to d_message and forward them to the remote log server at the same time.

2) Lines 108-111: filters the messages from (1) and writes those associated with the user facility to d_user.

3) Lines 116-119: filters the messages from (1) and writes those associated with the auth facility to d_auth.

If disk space is not a concern, is it common industry practice to keep the raw, unfiltered system-specific log messages of a platform? Are there any known benefits to adopting such a practice?

Many Thanks in Advance.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     1    @version: 6.0
     2    #Default configuration file for syslog-ng.
     3    #
     4    # For a description of syslog-ng configuration file directives, please read
     5    # the syslog-ng Administrator's guide at:
     6    #
     7    # www.balabit.com/.../documentation
     8    #
     9    @include "scl.conf"
    10    
    11    ##Global settings: apply to every source/destination below unless overridden in the driver itself
    12    options {
    13      keep-hostname(yes);          # keep the hostname as it appears in the message rather than replacing it with the sender's address
    14      use-uniqid(yes);             # attach a unique id to each message (presumably exposed as ${UNIQID}; confirm for this version)
    15      log-msg-size(65535);         # maximum accepted message length in bytes
    16      time-reopen(10);             # seconds to wait before retrying a failed connection (relevant for d_logserver)
    17      normalize-hostnames(yes);    # lower-case hostnames so matching/searching downstream is consistent
    18      use-dns(no);                 # no reverse DNS lookups: avoids blocking on DNS and DNS-dependent hostnames
    19      ts-format(iso);              # ISO 8601 timestamps
    20    };
    21    
    22    ################################################################################
    23    ##Section: Source elements
    24    ################################################################################
    25    ##Collecting the system-specific log messages of a platform.
    26    source s_local {
    27      system();                    # the platform's local system log sources, chosen automatically by syslog-ng
    28    };
    29    
    30    ##All messages generated internally by syslog-ng use this special source.
    31    source s_internal {
    32      internal();                  # syslog-ng's own status/error messages; kept separate so they are not buried in other logs
    33    };
    34    
    35    ##follow-freq(1): Defines how often (in seconds) syslog-ng should check the file for new messages.
    36    source s_applog {
    37      file("/var/log/appsrv/*.log" follow-freq(1));   # NOTE(review): wildcard support in file() depends on edition/version -- confirm
    38    };
    39    
    40    
    41    ################################################################################
    42    ##Section: Destination elements
    43    ################################################################################
    44    ##Destination for all messages generated internally by syslog-ng.
    45    destination d_internal { file("/var/log/syslogng-${YEAR}_${MONTH}_${DAY}.log"); };   # date macros give one file per day
    46    
    47    ##Destination for system-specific log messages of a platform, split by facility.
    48    destination d_kern { file("/var/log/syslog/kern.log"); };      # defined but not referenced by any log statement below
    49    destination d_user { file("/var/log/syslog/user.log"); };
    50    destination d_daemon { file("/var/log/syslog/daemon.log"); };  # defined but not referenced by any log statement below
    51    destination d_auth { file("/var/log/syslog/auth.log"); };      # auth records carry usernames etc.; consider perm(0600) so only the syslog-ng user can read the file
    52    destination d_message { file("/var/log/${YEAR}_${MONTH}_${DAY}.messages"); };   # unfiltered daily copy of everything from s_local
    53    
    54    
    55    ##Destination for forwarding messages to the remote log server over TLS (client key + cert below, i.e. mutual authentication)
    56    destination d_logserver {
    57      syslog(                     # IETF-syslog protocol driver
    58        "192.168.1.2"             # remote collector; an IP literal -- confirm how the server certificate is matched against it
    59        transport(tls)            # encrypts log content in transit; plain tcp/udp would expose it on the network
    60        port(9514)
    61        tls(
    62          ca-dir("/opt/syslog-ng/etc/ca.d")                                # CA certificates used to validate the server's certificate
    63          key-file("/opt/syslog-ng/etc/key.d/appserver_key_2019.pem")      # client private key: keep it readable by the syslog-ng user only
    64          cert-file("/opt/syslog-ng/etc/cert.d/appserver_cert_2019.pem")   # client certificate presented to the server
    65          cipher-suite("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256")   # ECDHE + AES-GCM only: forward secrecy and AEAD, no CBC or non-PFS suites
    66        )                         # NOTE(review): peer-verify() is not set explicitly -- confirm this version's default verifies the server
    67      );                          # certificate against ca-dir, and consider ssl-options() to exclude legacy SSL/TLS protocol versions
    68    };
    69    
    70    ##Filter Statement: Facility (which subsystem produced the message)
    71    filter f_syslog { facility(syslog); };   # f_syslog, f_kern and f_daemon are defined but not used by any log statement below
    72    filter f_kern { facility(kern); };
    73    filter f_user { facility(user); };
    74    filter f_daemon { facility(daemon); };
    75    filter f_auth { facility(auth); };
    76    
    77    ##Filter Statement: Severity -- level(X..emerg) matches severity X and everything more severe
    78    filter f_err { level(err..emerg); };       # err, crit, alert, emerg
    79    filter f_debug { level(debug..emerg); };   # the full severity range: matches every message, so it does not narrow anything
    80    filter f_info { level(info..emerg); };     # f_err, f_info and f_warn are defined but not used by any log statement below
    81    filter f_warn { level(warn..emerg); };
    82    
    83    
    84    ################################################################################
    85    ##Section: Log elements
    86    ################################################################################
    87    ##All messages generated internally by syslog-ng use this special source.
    88    ##s_internal: internal()
    89    ##d_internal: file("/var/log/syslogng-${YEAR}_${MONTH}_${DAY}.log")
    90    log { source(s_internal); destination(d_internal); };   # internal messages stay local only; they are not forwarded to d_logserver
    91    
    92    ##s_applog: file("/var/log/appsrv/*.log" follow-freq(1))
    93    ##d_logserver: Remote syslog designated in d_logserver
    94    log { source(s_applog); destination(d_logserver); };   # application logs are forwarded only; no local copy is written
    95    
    96    ##System-specific log messages of a platform: the outer log statement has no filter, so every s_local message is written to d_message and forwarded to d_logserver; the embedded log statements below receive the same messages and narrow them by facility.
    97    ##s_local: system()
    98    ##d_message: file("/var/log/${YEAR}_${MONTH}_${DAY}.messages")
    99    ##d_logserver: Remote syslog designated in d_logserver
   100    log {
   101      source(s_local);
   102      destination(d_message);      # unfiltered local copy
   103      destination(d_logserver);    # unfiltered copy to the remote server
   104    
   105      ##f_user: facility(user)
   106      ##f_debug: level(debug..emerg) -- full severity range, so only the facility filter actually narrows the selection
   107      ##d_user: file("/var/log/syslog/user.log")
   108      log {                        # embedded log statement: sees the same s_local messages as the outer statement
   109        filter(f_user); filter(f_debug);   # several filter() statements in one log path must all match (AND)
   110        destination(d_user);
   111      };
   112    
   113      ##f_auth: facility(auth)
   114      ##f_debug: level(debug..emerg) -- full severity range, see above
   115      ##d_auth: file("/var/log/syslog/auth.log")
   116      log {                        # embedded log statement, same pattern as above
   117        filter(f_auth); filter(f_debug);
   118        destination(d_auth);
   119      };
   120    };

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
