The syslog-ng 3.0 Administrator Guide

Document version: Thirteenth
Release date: September 23, 2010
Latest version available at the BalaBit Documentation Page

3.5. Log paths

Log paths determine what happens with the incoming log messages. Messages coming from the sources listed in the log statement and matching all the filters are sent to the listed destinations.

To define a log path, add a log statement to the syslog-ng configuration file using the following syntax:

log {
    source(s1); source(s2); ... 
    optional_element(filter1|parser1|rewrite1); optional_element(filter2|parser2|rewrite2);... 
    destination(d1); destination(d2); ... 
    flags(flag1[, flag2...]);
    };
[Warning] Warning

Log statements are processed in the order they appear in the configuration file, thus the order of log paths may influence what happens to a message, especially when using filters and log flags.

[Example] Example 3.29. A simple log statement

The following log statement sends all messages arriving to the localhost to a remote server.

source s_localhost { tcp(ip(127.0.0.1) port(1999) ); };
destination d_tcp { tcp("10.1.2.3" port(1999); localport(999)); };
log { source(s_localhost); destination(d_tcp); };

All matching log statements are processed by default, and the messages are sent to every matching destination by default. So a single log message might be sent to the same destination several times, provided the destination is listed in several log statements, and it can be also sent to several different destinations.

This default behavior can be changed using the flags() parameter. Flags apply to individual log paths; they are not global options. The following flags available in syslog-ng:

[Warning] Warning

The final, fallback, and catchall flags apply only for the top-level log paths, they have no effect on embedded log paths.

[Example] Example 3.30. Using log path flags

Let's suppose that you have two hosts (myhost_A and myhost_B) that run two applications each (application_A and application_B), and you collect the log messages to a central syslog-ng server. On the server, you create two log paths:

  • one that processes only the messages sent by myhost_A; and

  • one that processes only the messages sent by application_A.

This means that messages sent by application_A running on myhost_A will be processed by both log paths, and the messages of application_B running on myhost_B will not be processed at all.

  • If you add the final flag to the first log path, then only this log path will process the messages of myhost_A, so the second log path will receive only the messages of application_A running on myhost_B.

  • If you create a third log path that includes the fallback flag, it will process the messages not processed by the first two log paths, in this case, the messages of application_B running on myhost_B.

  • Adding a fourth log path with the catchall flag would process every message received by the syslog-ng server.

    log { source(s_localhost); destination(d_file); flags(catchall); };

For details on the individual flags, see Section 8.3, “Log path flags”. The effect and use of the flow-control flag is detailed in Section 2.13, “Managing incoming and outgoing messages with flow-control”.

Prev  Up  Next
3.4.9. usertty()  Home | Contents  3.5.1. Using embedded log statements

© 2007-2010 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com