I want to add to a CentOS box (EL6) the same syslog-ng (3.2.5 from EPEL) configuration I have on other (Debian-based) machines. It is intended to log events in JSON to a single file for further processing:
# /etc/syslog-ng/syslog-ng.conf
# (...)
source s_sys {
    file("/proc/kmsg" program_override("kernel: "));
    unix-stream("/dev/log");
    internal();
    # udp(ip(0.0.0.0) port(514));
};
# (...)
The file I add to /etc/syslog-ng/conf.d:
destination d_json {
    file("/var/log/all_syslog_in_json.log"
         perm(0666)
         template("{\"@timestamp\": \"$ISODATE\", \"facility\": \"$FACILITY\", \"priority\": \"$PRIORITY\", \"level\": \"$LEVEL\", \"tag\": \"$TAG\", \"host\": \"$HOST\", \"program\": \"$PROGRAM\", \"message\": \"$MSG\"}\n")
    );
};
log { source(s_sys); destination(d_json); };
When starting syslog-ng -Fevd I get the following output upon receiving a log event:
Incoming log entry; line='<86>Feb 6 08:49:00 sshd[7271]: pam_unix(sshd:session): session closed for user root'
Filter rule evaluation begins; filter_rule='f_kernel'
Filter node evaluation result; filter_result='not-match', filter_type='facility'
(... all the evaluations ...)
Filter node evaluation result; filter_result='not-match', filter_type='facility'
Filter rule evaluation result; filter_result='not-match', filter_rule='f_cron'
EOF occurred while reading; fd='9'
Syslog connection closed; fd='9', client='AF_UNIX(anonymous)', local='AF_UNIX(/dev/log)'
Closing log transport fd; fd='9'
This configuration works fine on other machines, so I suppose that this is something specific to my distribution or version. I would like, however, to make sure before jumping forward (the update of syslog-ng would have to be very manual).
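Independently of why the destination is silent on EL6, the template itself deserves a check before anything downstream trusts the file: it drops $MSG into a JSON string literal without escaping. The script below is an added example, not code from the post; it re-implements only the $MACRO substitution syslog-ng performs for this one template (a simplification of the real expander) and runs it over three constructed records whose field values are my assumptions, not captured data. A message carrying a bare backslash makes the line unparseable, and a message carrying `", "level": "emerg", "message": "` yields a line that parses fine but with forged fields, which is a log-injection primitive for anyone who can get text into a syslog message (a failed SSH login with a crafted username, for instance). A JSON-escaping render is shown beside it for comparison.

```python
"""Check whether the d_json template on this page yields trustworthy JSON.

Added example, not part of the original post.  Only the $MACRO expansion
for this specific template is re-implemented here; the records are
constructed samples, not output captured from syslog-ng.
"""
import json
import re

# The template from the conf.d snippet above, copied verbatim.
TEMPLATE = ('{"@timestamp": "$ISODATE", "facility": "$FACILITY", '
            '"priority": "$PRIORITY", "level": "$LEVEL", "tag": "$TAG", '
            '"host": "$HOST", "program": "$PROGRAM", "message": "$MSG"}\n')

# Macros used by the template are all of the form $UPPERCASE.
MACRO_RE = re.compile(r'\$([A-Z]+)')

# Constructed records (assumed values).  Field names are the macros the
# template references; $TAG is the PRI value in hex, so <86> -> "56".
RECORDS = [
    # 1. benign: mirrors the sshd line in the debug output above
    {"ISODATE": "2013-02-06T08:49:00+01:00", "FACILITY": "authpriv",
     "PRIORITY": "info", "LEVEL": "info", "TAG": "56", "HOST": "centos6",
     "PROGRAM": "sshd",
     "MSG": "pam_unix(sshd:session): session closed for user root"},
    # 2. injection: message closes the string and forges two keys
    {"ISODATE": "2013-02-06T08:50:12+01:00", "FACILITY": "authpriv",
     "PRIORITY": "info", "LEVEL": "info", "TAG": "56", "HOST": "centos6",
     "PROGRAM": "sshd",
     "MSG": 'x", "level": "emerg", "message": "forged'},
    # 3. breakage: a lone backslash is not a valid JSON escape
    {"ISODATE": "2013-02-06T08:51:30+01:00", "FACILITY": "authpriv",
     "PRIORITY": "info", "LEVEL": "info", "TAG": "56", "HOST": "centos6",
     "PROGRAM": "sshd",
     "MSG": "Invalid user path C:\\Users\\bob from 10.0.0.1"},
]


def render(template, record, escape=lambda s: s):
    """Expand $MACROs the way syslog-ng would for this template.

    `escape` is applied to every substituted value.  The page's template
    applies none, which is the default here.
    """
    return MACRO_RE.sub(lambda m: escape(record[m.group(1)]), template)


def json_escape(value):
    """Escape a value for use inside a JSON string literal."""
    return json.dumps(value)[1:-1]   # drop the surrounding quotes


def parse(line):
    """Decode one output line; None means the consumer would choke on it."""
    try:
        return json.loads(line)
    except ValueError:
        return None


def check(record, escape=lambda s: s):
    """Render one record and report (parsed_ok, message_round_trips, level).

    message_round_trips is False when the decoded "message" differs from
    the original $MSG, i.e. when the line was forged or garbled.
    """
    obj = parse(render(TEMPLATE, record, escape))
    if obj is None:
        return (False, False, None)
    return (True, obj.get("message") == record["MSG"], obj.get("level"))


if __name__ == "__main__":
    for rec in RECORDS:
        print("naive  :", check(rec))
        print("escaped:", check(rec, json_escape))
```

With the page's template as written, record 2 decodes with `level` set to `emerg` and a forged `message`, and record 3 does not decode at all; with the escaping variant all three round-trip with their real level. In syslog-ng the escaping belongs in the configuration, not in a post-processor: releases from 3.3 onward provide the `$(format-json)` template function for exactly this, which the 3.2.5 build discussed here predates, so a consumer of this file on 3.2.5 has to treat the message field as untrusted text. Separately, `perm(0666)` creates the file world-writable, so any local user can append or rewrite records that the "further processing" will read; `perm(0640)` with an owner the consumer runs as is the usual choice.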