Syslog-ng: how to log severity/facility?

Here is the system:

  • SUSE Linux Enterprise Server 10
  • syslog-ng with predefined syslog-ng.conf
  • messages in /var/log/messages look like:

Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root from 10.30.34.64 port 4855 ssh2

What I need:

  • to log event severity/facility. For instance, add <PRI> at the beginning of the message:

<15> Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root from 10.30.34.64 port 4855 ssh2

My question is:

How to change syslog-ng.conf to enable this kind of logging?

Thanks.


Solution 1:

It sounds like you want to rewrite your logfiles in a specific format. The link has the details on how to tell syslog-ng to do that :)

Solution 2:

Based on some quick reading I think you want to use the syslog() driver, which is described in section 8.1.6 of the Syslog-ng Administrator's guide. http://www.balabit.com/support/documentation/?product=syslog-ng

I hope this helps, if I find anything more, I'll let you know.

I think the syslog() driver is meant to be used with the source declaration. So where I have
source external { udp(); };

You might use
source external { syslog(transport("udp")); };

I don't have a suitable testing environment to try this out on, but I think this is what you want to do, if I understand your question correctly.


I went back and looked and it turns out there's a macro you can use in your destination called TAG.

e.g.

destination d_all { file("/log/$FACILITY.log" group("users") template_escape(no) template("$TAG $PRIORITY $S_DATE $HOST $MSG\n")); };

These macros are defined around page 218 of the admin guide.
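
Added example, not part of the original question or answers: a small Python decoder for the `<PRI>` prefix the question asks for, using the standard syslog encoding PRI = facility * 8 + severity, plus the two-hex-digit form that syslog-ng documents for `$TAG`. The sample lines are constructed from the message in the question, and the short names used for facility codes 12-15 are labels chosen for this example.

```python
import re

# Facility and severity names indexed by numeric code (RFC 3164 tables;
# the short names for codes 12-15 are labels chosen for this example).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>\s?(.*)$", re.S)

def decode_pri(pri):
    """Split a PRI value into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %r" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]

def encode_pri(facility, severity):
    """Inverse of decode_pri, e.g. to work out which PRI a filter should match."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def decode_tag(tag):
    """Decode the same value written as two hex digits (syslog-ng's $TAG form)."""
    return decode_pri(int(tag, 16))

def parse_line(line):
    """Return (facility, severity, rest); both names are None without a valid prefix."""
    m = PRI_RE.match(line)
    if m is None:
        return None, None, line
    try:
        facility, severity = decode_pri(int(m.group(1)))
    except ValueError:
        return None, None, line
    return facility, severity, m.group(2)

# Constructed sample lines, modelled on the message in the question.
MSG = "Feb 8 09:29:53 sles1 sshd[17529]: Accepted keyboard-interactive/pam for root"
SAMPLE = ["<15> " + MSG, "<86> " + MSG, MSG]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line)[:2])
```

Decoded this way, the `<15>` used as an illustration in the question corresponds to user.debug, while an authpriv.info message would carry `<86>`.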