Suggestions are requested to handle the priority of syslog messages efficiently using syslog-ng.

My name is Krishna. Below is my requirement.

There are some applications (approximately 20) running in the system that generate event logs. My syslog-ng based syslog client should monitor all the events generated by all applications and forward them to the syslog server as per the configuration mentioned in /etc/syslog-ng/syslog-ng.conf. I am using Kiwi Syslog Server from SolarWinds as the server. I referred to the syslog-ng documentation and found that having "default-facility()" and "default-priority()" in the source definition is best suited to my requirement. I create different files in the system. I save event logs from different applications to different files. I configure those files as sources, so that the event logs coming into the files get monitored by the syslog-ng daemon and get forwarded to the syslog server based on the destination rule mentioned in /etc/syslog-ng/syslog-ng.conf.

Applications that are running in the system can log events of any severity. As per the standard, there are 8 different severities (Emergency - 0, Alert - 1, Critical - 2, Error - 3, Warning - 4, Notice - 5, Info - 6, Debug - 7). For one application, to handle the logs of different severities, 8 different files can be created and the same can be mentioned in 8 'source' rules. In this way, event logs with different severities can be saved into different files, and the same can be monitored and forwarded to the syslog server by syslog-ng.

So, for my requirement to have 20 applications running in the system and to support syslog functionality for all the applications, I need to create 160 (20 * 8) different files to handle event logs of different severities from different applications. I feel this is not an efficient way.

I request your suggestions to handle priority (can be calculated based on facility and severity of log message) information efficiently for my requirement.

Thanks so much in advance.

With best regards,

Krishna
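The following syslog-ng configuration is an added example, not part of Krishna's post and not taken from the syslog-ng project. It shows one way to avoid the 160-file layout: one file per application, where the application writes RFC 3164 lines with the `<PRI>` prefix (PRI = facility * 8 + severity). syslog-ng's file() source parses that prefix into the facility and severity fields, so filters such as level() can route by severity without a separate file per severity; default-priority() only applies to lines that carry no prefix. The file paths, facility assignments, the Kiwi server address 192.0.2.10 and the UDP port are assumptions chosen for the example.

```conf
@version: 3.38
# Adjust @version to the installed syslog-ng release.

# Hypothetical layout: one log file per application, not one per severity.
# Each application writes RFC 3164 lines with the <PRI> prefix, e.g.
#   <131>Oct  3 12:00:00 host app1: disk almost full
# PRI = facility * 8 + severity, so 131 = local0 (16) * 8 + error (3).
# The file() source parses that prefix; default-priority() is used only
# for lines that have no <PRI> prefix at all.

source s_app1 {
    file("/var/log/apps/app1.log"          # assumed path
         follow-freq(1)
         default-facility(local0)           # assumed facility for app1
         default-priority(notice)
    );
};

source s_app2 {
    file("/var/log/apps/app2.log"          # assumed path
         follow-freq(1)
         default-facility(local1)           # assumed facility for app2
         default-priority(notice)
    );
};

# Severity comes from the parsed message, so the filter needs no knowledge
# of which file a line was read from.
filter f_urgent { level(emerg..err); };

# Kiwi Syslog Server; address, transport and port are assumptions.
destination d_kiwi { udp("192.0.2.10" port(514)); };

# Local copy of urgent events, one file per program and severity, built from
# the parsed fields rather than from separate input files.
destination d_local_urgent {
    file("/var/log/apps/urgent/${PROGRAM}-${LEVEL}.log");
};

# Everything goes to Kiwi, which extracts facility/severity from the PRI
# field of the forwarded message.
log {
    source(s_app1); source(s_app2);
    destination(d_kiwi);
};

# Emergency through error additionally kept locally.
log {
    source(s_app1); source(s_app2);
    filter(f_urgent);
    destination(d_local_urgent);
};
```

Adding a further application means one more source block with its own file and default-facility(), not eight. The approach depends on the applications emitting the `<PRI>` prefix themselves; lines written without it all arrive with the default-priority() value, so a quick check is to grep each application's log for lines that do not start with `<` followed by a number.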

  • Hello Krishna,

    Can you go into detail about what the purpose of splitting the application logs by severity is?
    Do you have any processes that rely on that in Kiwi Syslog Server?
    The severity is part of a standard syslog message, so syslog server applications should be able to extract and use it for later message processing, just like syslog-ng can do.

    Regards,

    Endre