7.2.2.1.1. Procedure – Set global options
The Global options main tab contains three further sub-tabs for configuring the necessary parameters:
- General
- Permissions
- Name resolutions
Configure the parameters for I/O operation optimization.
File I/O is always expensive in terms of the system time it needs, so in theory the number of (log) write operations should be minimized by keeping a number of incoming log entries in a memory buffer and batch-writing them out to disk.
Note: This buffer, and thus the time between successive log write-outs, must not grow too large, because if a hardware malfunction occurs and the machine has to be rebooted, the log messages that have not yet been written out are lost.
Time-related parameters are given in seconds, message size is in bytes, while message queue size is an item number.
Set system time usage.
Macro substitution is possible in syslog-ng, for example when creating filenames. If you use the system time as a macro variable, the default is to use the local system time of the syslog-ng server that processes the log entries. If, instead, you want to use the time values received in the log messages themselves, check the Use received time in macros checkbox.
Configure the required parameters under the General tab.
The list of other configurable parameters in this tab includes the following.
- Message size
It defines the allowed maximum size for log messages.
- Message queue size
It defines the allowed number of messages waiting to be processed.
- Stats interval
It sets syslog-ng's internal reporting interval. The syslog-ng application reports a number of parameters on its own operations and statistics.
- Mark interval
It sets how frequently the syslog daemon writes its periodic mark timestamps.
- Sync interval
It defines how often log messages are written out from memory.
The default '0' means there is no time delay, messages are written out continuously.
- File inactivity timeout
It defines how long a log file may remain unused before it is closed.
- Reopen interval
It sets how often a log file can be opened again.
- Bad hostname regexp
This is a regular expression matching hostnames that should not be handled.
- Fraction digits of second
The syslog-ng application can store fractions of a second in the timestamps according to the ISO 8601 format. This parameter specifies the number of digits stored.
- Time zone
Timestamps are converted to the time zone specified here. This time zone is associated with a message only if no time zone is specified within the message itself.
- Receive time zone
It specifies the time zone associated with the incoming messages, if it is not specified otherwise in the message or in the source driver.
- Send time zone
It specifies the time zone associated with the messages sent by syslog-ng, if it is not specified otherwise in the message or in the destination driver.
- On error
It controls what happens when type-casting fails and syslog-ng cannot convert some data to the specified type.
- Use received time in macros
It specifies whether syslog-ng shall accept the timestamp received from the application or client sending it. If it is disabled, the time of reception will be used instead.
- Check hostname validity
Enables or disables checking whether the hostname contains only valid characters.
- Use threads
This parameter enables multithreading in syslog-ng.
Assign owner and permission parameters on the Permissions tab to log files and directories created by syslog-ng.
By default, syslog-ng runs as root, but can be configured to run as a limited user as well. In this case you have to set the appropriate permissions, or use the default values.
Set name resolution for syslog-ng under the Name resolutions tab.
Machine identification in log entries is accomplished by using IP addresses. If you want to use hostnames that are easier to remember and recognize, you can instruct syslog-ng to perform name resolution. This name resolution only works for resolving the IP addresses of hosts sending log entries.
If there are IP addresses within the log messages themselves, they are not resolved this way. To perform name resolution for those addresses, a log analyzer utility is needed. Name resolution is a time-consuming process and to achieve the best results, use a DNS server that is “close” to the syslog-ng server in terms of response time.
On the other hand, log entries are typically coming from a limited number of machines (servers) and their IP addresses tend not to change. Therefore, it is reasonable for the syslog-ng server to cache their resolved names locally, thus easing the heavy reliance on a DNS server.
You can configure DNS caching as a global option, under the name resolution tab. The time values are in seconds, cache size is in bytes. File options can be changed in individual file destination configurations, but name resolution options cannot, they are always global.
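The three tabs above map onto a single global options block in a textual syslog-ng configuration. The fragment below is an added example, not generated by the management console or taken from the product documentation; the mapping of tab labels to syslog-ng option keywords, the chosen values, the user and group names and the hostname pattern are assumptions that must be adjusted to the local deployment and syslog-ng version.

```conf
# Added example: global options equivalent to the General, Permissions and
# Name resolutions tabs. Keyword mapping and all values are assumptions.
options {
    # --- General: I/O buffering trade-off (see the note on lost messages) ---
    log_msg_size(65536);        # Message size, bytes
    log_fifo_size(10000);       # Message queue size, number of messages
    flush_lines(0);             # Sync interval: 0 = write out continuously, so
                                # nothing buffered is lost on a crash or reboot
    stats_freq(600);            # Stats interval, seconds
    mark_freq(1200);            # Mark interval, seconds
    time_reap(60);              # File inactivity timeout, seconds
    time_reopen(10);            # Reopen interval, seconds
    bad_hostname("^(localhost|lab-box-[0-9]+)$");  # constructed pattern of
                                                   # hostnames not to handle
    frac_digits(3);             # Fraction digits of second in ISO 8601 stamps
    time_zone("UTC");           # Time zone for messages carrying none
    recv_time_zone("UTC");      # Receive time zone
    send_time_zone("UTC");      # Send time zone
    on_error("fallback-to-string");  # On error: keep the message, store as text
    keep_timestamp(yes);        # Use received time in macros
    check_hostname(yes);        # Check hostname validity
    threaded(yes);              # Use threads

    # --- Permissions: least privilege on files created by syslog-ng ---
    # owner()/group() must match the limited account the daemon runs as;
    # that account itself is chosen when the service is started, not here.
    owner("syslog");
    group("adm");
    perm(0640);                 # log files readable only by owner and group
    dir_owner("syslog");
    dir_group("adm");
    dir_perm(0750);
    create_dirs(yes);

    # --- Name resolutions: resolve sender addresses, cache results locally ---
    use_dns(yes);
    use_fqdn(no);
    keep_hostname(no);          # replace the HOST field with the resolved
                                # name of the sending machine
    dns_cache(yes);
    dns_cache_size(1000);       # DNS cache size
    dns_cache_expire(3600);     # seconds a resolved name stays cached
    dns_cache_expire_failed(60);  # seconds a failed lookup is remembered, so
                                  # an unreachable DNS server is not re-queried
                                  # for every message
};
```

Name resolution options are only valid in this global block, whereas owner, group and permission settings may additionally be overridden inside individual file destinations.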
© 2021 BalaSys IT Security.
Send your comments to support@balasys.hu