To fine-tune which log entries are kept and how they are forwarded to different destinations, filters can be used in the syslog-ng configuration. Their use is optional, but it is highly recommended, because filters provide most of the flexibility of syslog-ng.
Filters can be built from seven different criteria, summarized in the following list.
- facility()
It filters on the facility of the message, that is, the subsystem the log entry comes from. For example: auth, cron, daemon, kern, mail.
- priority()
It filters on the severity level assigned to the log message. The eight standard severity levels, from least to most severe, are: debug, info, notice, warning, err, crit, alert, emerg. (The "none" keyword of classic syslog.conf selectors is not a syslog-ng level; in syslog-ng a range such as warning..emerg selects a level and everything more severe.)
- level()
It is the same as priority().
- program()
It filters on the name of the software component (program) that generated the log entry.
- host()
It filters on the host name carried in the message, that is, the machine the log message came from.
- match()
It is a regular expression that is compared to the contents of the log message (or, with value(), to a named field of the message).
- filter()
It references another, previously defined filter by name, so that filters can be reused and nested.
By combining these elements with the and, or and not operators you can manually configure a fairly complex logging environment in a couple of lines of “code”, with basic knowledge of the syntax of syslog-ng rules. If you use MC, MC takes care of the correct syntax and allows you to focus on the actual rule creation process.
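As an added example (not taken from the original page or from the BalaSys product configuration), the following syslog-ng 3.x configuration fragment uses all seven criteria listed above and combines them in log paths. The version line, the program name sshd, the host name fw1, the SIEM host name and the file paths are assumptions chosen for illustration.

```conf
# Added example, not part of the original page. Version line, host names,
# program name and paths are assumptions.
@version: 3.19

source s_local { system(); internal(); };
source s_net   { network(ip("0.0.0.0") port(514) transport("udp")); };

# facility(): authentication-related messages; several facilities may be listed
filter f_auth { facility(auth, authpriv); };

# priority() / level(): warning and everything more severe (a low..high range)
filter f_warn_up { level(warning..emerg); };

# program(): messages generated by one daemon (the argument is a regular expression)
filter f_sshd { program("^sshd$"); };

# host(): the HOST field of the message, i.e. the machine it came from
filter f_fw1 { host("^fw1$"); };

# match(): regular expression against the message text; value() names the field
filter f_failed_login { match("Failed password" value("MESSAGE")); };

# filter(): reuse previously defined filters, combined with and / or / not
filter f_ssh_attacks {
    filter(f_sshd) and filter(f_failed_login) and not host("^localhost$");
};

destination d_auth    { file("/var/log/auth.log"); };
destination d_attacks { file("/var/log/ssh-attacks.log"); };
destination d_siem    { syslog("siem.example.internal" transport("tcp") port(601)); };

# Local auth messages stay on the box; failed SSH logins from anywhere go to a
# dedicated file; everything at warning or above is forwarded to the SIEM.
log { source(s_local); filter(f_auth); destination(d_auth); };
log { source(s_local); source(s_net); filter(f_ssh_attacks); destination(d_attacks); };
log { source(s_local); source(s_net); filter(f_warn_up); destination(d_siem); };
log { source(s_net); filter(f_fw1); filter(f_warn_up); destination(d_siem); };
```

Note that a message can match several log paths and is delivered to each of them. The program() and host() arguments are regular expressions, so they are anchored with ^ and $ to avoid matching, for example, "sshd-helper" or "fw10". Validate a changed configuration with syslog-ng --syntax-only before reloading the daemon.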
For more detailed information on syslog-ng, see Appendix B, Further readings.
© 2021 BalaSys IT Security.
Send your comments to support@balasys.hu