[c-nsp] Cisco boxes and Syslog-ng

[Olav Langeland]

> -----Original Message-----
> From: Andrew Fort [mailto:afort at choqolat.org] 
> Sent: 13. september 2005 04.32
> To: Joost greene
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco boxes and Syslog-ng
> 
> Joost greene wrote:
> > Hello,
> > 
> > I have different sets of devices, dslams, nas, core 
> routers, customer 
> > routers,...
> > 
> > i want to syslog them all, i want to make each device log to a file 
> > separately to ease it up for NOC, someone suggested 
> syslog-ng, frankly, i 
> > got quickly lost in its docs, the syntax isnt clear, how 
> can i just easily 
> > specify to let it log per source into different files ?
> > 
> > Regards,
> > Joost
> 
> this is a 1.6 config that works for me, this is just the parts for 
> listening to udp/514 (and all my options).  note the non-standard log 
> template format used (advantage of the format chosen is that $ISODATE 
> can be sorted eaisly), software that feeds on the logs will require 
> preprocessing to get it back into the BSD 'standard'.
> 
> it'll create a file per day, per device, and it looks kinda 
> like this. 
> play with the destination d_file_net file line to change this.

[snip]

Catching up on the mailinglist, so forgive me for replying to an old
post. A quick and dirty setup for what Joost is looking for can be
something like this:
--start--
source net { tcp(); udp(); };
...
destination device01 { file("/syslog/device01/device01" owner("logs")
group("logs") perm(0640)); };
...
filter f_device01 { host("10.10.10.1"); };
...
log { source(net); filter(f_device01); destination(device01); };
--end--

This will create a file called device01, for rotating you can use
logrotate. 

Regards
Olav Langeland