
I have some Samba domain controllers and one central syslog server. All of them are running the latest syslog-ng and SUSE Leap 15. Every log from Samba, Winbind and Bind/Named should go to the central syslog server in a separate file. Until now, I realize that with one different port for every log file.

log.samba - Port 2000
log.winbind - Port 2001
log.named - Port 2002

This way, I can separate the logs for each application and server into an aggregated log file on the central server.

But is there any possibility to separate logs from different applications without using different ports for each application and server?

Greetings Michael

Example on one DC:

source s_samba {file("/var/log/samba/log.samba" follow-freq(1));};
source s_winbind {file("/var/log/samba/log.wb-COLD-BEER" follow-freq(1));};

destination d_syslog-srv_samba {syslog("10.1.11.35" port(2000) transport ("tcp"));};
destination d_syslog-srv_winbind {syslog("10.1.11.35" port(2001) transport ("tcp"));};

log {source(s_samba);destination(d_syslog-srv_samba);};
log {source(s_winbind);destination(d_syslog-srv_winbind);};

On the central Syslog-Server:

source s_dc_all_network {syslog(port(2000) transport("tcp"));};
source s_winbind_all_network {syslog(port(2001) transport("tcp"));};

destination d_dc_all_local {file("/var/log/syslog-srv/DC_all/log.samba_all" owner("root") group("root") perm(0777));};
destination d_winbind_all_local {file("/var/log/syslog-srv/DC_all/log.wb-COLD-BEER_all" owner("root") group("root") perm(0777));};

log {source(s_dc_all_network);destination(d_dc_all_local);};
log {source(s_winbind_all_network);destination(d_winbind_all_local);};
MHABK

1 Answer

Check your log messages: the names of the different applications should appear in the PROGRAM field of the log messages, so you can use a filter in your log path to separate the messages.

Robert Fekete
  • Thanks for your answer. Do you mean on the client or on the server? – MHABK Nov 26 '18 at 10:10
  • Because I don't see any program flag there. And I think I read in the doc that program flags don't transfer to the server – MHABK Nov 26 '18 at 10:22
  • A proper syslog message should look something like this: <34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8 Which translates to : When syslog-ng parses such a message, the program name becomes available as the $PROGRAM macro, and you can also use it in the program() filter. Both on the client and the server. – Robert Fekete Nov 27 '18 at 08:15
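
The single-port setup the answer points to, as an added example that is not part of the original thread: each file source on the DC stamps a program name on its lines, and the server splits the one network source with program() filters. The tag values "samba" and "winbind", the reuse of port 2000, flags(no-parse) for the non-syslog Samba log lines, and perm(0640) in place of the world-writable 0777 are assumptions of this example.

```conf
# ---- On each DC (client) ----
# Samba's own log files are not in syslog format, so no program name can be
# parsed from them. program-override() sets $PROGRAM per source instead;
# flags(no-parse) keeps the raw line as the message (assumption).
source s_samba {
    file("/var/log/samba/log.samba"
         follow-freq(1) flags(no-parse) program-override("samba"));
};
source s_winbind {
    file("/var/log/samba/log.wb-COLD-BEER"
         follow-freq(1) flags(no-parse) program-override("winbind"));
};

# One destination and one port for all applications.
destination d_syslog_srv { syslog("10.1.11.35" port(2000) transport("tcp")); };

log { source(s_samba); source(s_winbind); destination(d_syslog_srv); };

# ---- On the central syslog server ----
source s_dc_network { syslog(port(2000) transport("tcp")); };

# Anchored patterns: only the exact tags set on the clients match.
filter f_samba   { program("^samba$"); };
filter f_winbind { program("^winbind$"); };

# perm(0640) instead of 0777 (assumption): any local user can rewrite a
# world-writable log file, which makes it useless as an audit record.
destination d_samba_all {
    file("/var/log/syslog-srv/DC_all/log.samba_all"
         owner("root") group("root") perm(0640));
};
destination d_winbind_all {
    file("/var/log/syslog-srv/DC_all/log.wb-COLD-BEER_all"
         owner("root") group("root") perm(0640));
};

log { source(s_dc_network); filter(f_samba);   destination(d_samba_all); };
log { source(s_dc_network); filter(f_winbind); destination(d_winbind_all); };
```

The named log from the question follows the same pattern: one more tagged source on the client, one more filter and destination on the server.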