Here is the system:
- SUSE Linux Enterprise Server 10
- syslog-ng with predefined syslog-ng.conf
- messages in /var/log/messages look like:
Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root from 10.30.34.64 port 4855 ssh2
What I need:
- to log event severity/facility. For instance, add <PRI> at the beginning of the message:
<15> Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root from 10.30.34.64 port 4855 ssh2
My question is:
How to change syslog-ng.conf to enable this kind of logging?
Thanks.
It sounds like you want to rewrite your logfiles in a specific format. The link has the details on how to tell syslog-ng to do that :)
Based on some quick reading I think you want to use the syslog() driver, which is described in section 8.1.6 of the Syslog-ng Administrator's guide. http://www.balabit.com/support/documentation/?product=syslog-ng
I hope this helps, if I find anything more, I'll let you know.
I think the syslog() driver is meant to be used with the source declaration. So where I have
source external { udp(); };
You might use
source external { syslog(transport("udp")); };
I don't have a suitable testing environment to try this out on, but I think this is what you want to do, if I understand your question correctly.
I went back and looked and it turns out there's a macro you can use in your destination called TAG.
e.g.
destination d_all { file("/log/$FACILITY.log" group("users") template_escape(no) template("$TAG $PRIORITY $S_DATE $HOST $MSG\n")); };
These macros are defined around page 218 of the admin guide.
If you have a destination configured as so:
syslog messages headed to syslog-consumer get sent to that socket in the format you want. You'll just need to set up something to listen to that socket and write to a file.
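An added example (not from this thread or from syslog-ng) for the consumer side: once the lines carry a <PRI> prefix, the receiver has to decode it back into facility and severity (PRI = facility * 8 + severity per RFC 3164) and should flag any lines that still arrive without one. The sample line is the one from the question; the facility and severity name tables follow RFC 3164 and are an assumption about what the consumer wants to report.

```python
import re

# RFC 3164 facility (0..23) and severity (0..7) names, indexed by numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# "<PRI>" plus the BSD-style header seen in /var/log/messages:
# "Mon  d HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def encode_pri(facility, severity):
    """Return the PRI value syslog writes for a facility/severity pair."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity

def decode_pri(pri):
    """Split a PRI value back into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_line(line):
    """Parse one prefixed line into a dict, or return None if it has no valid <PRI> header."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    return {"facility": facility, "severity": severity, "timestamp": m.group("ts"),
            "host": m.group("host"), "tag": m.group("tag"),
            "pid": int(m.group("pid")) if m.group("pid") else None, "msg": m.group("msg")}

def find_unlabelled(lines):
    """Return the lines that did not get a parsable <PRI> prefix (e.g. from a forwarder not yet reconfigured)."""
    return [l for l in lines if parse_line(l) is None]

# Constructed sample: the line from the question, plus one still in the old format.
SAMPLE = ("<15> Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam "
          "for root from 10.30.34.64 port 4855 ssh2")
OLD_FORMAT = "Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root from 10.30.34.64 port 4855 ssh2"

if __name__ == "__main__":
    print(parse_line(SAMPLE))
    print("unlabelled:", find_unlabelled([SAMPLE, OLD_FORMAT]))
```

Note that <15> decodes to user.debug; an sshd "Accepted" message normally goes out as auth.info (<38>) or authpriv.info (<86>), so the consumer's output is a quick way to confirm the template is writing the real priority.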