To fine-tune what log entries are needed for or how they are forwarded to different destinations, it is possible to use filters in syslog-ng configurations. Although their usage is optional, they are highly recommended because they represent the real flexibility of syslog-ng.
Filtering can be defined to use seven different criteria that are summarized in the following list.
- facility()
It filters the type of messages referring to the nature of the log entry. For example,
auth,cron,daemon,kern,mail.- priority()
It filters the assigned priority level of the log message.
The possible priority levels are the following in the order of severity:
none,debug,info,notice,warning,err,crit,alert,emerg.- level()
It is the same as priority.
- program()
It is the name of the software component that generated the log entry.
- host()
It is the machine that the log message arrived from.
- match()
It is a regular expression that is compared to the contents of the log message.
- filter()
It is an additional filter.
By combining these elements you can manually configure a fairly complex logging environment in a couple of lines of “code”, with basic knowledge on the syntax of syslog-ng rules. If you use ZMC, ZMC takes care of the correct syntax and allows you to focus on the actual rule creation process.
For more detailed information on syslog-ng, see Appendix C, Further readings.
Published on May 30, 2024
© BalaSys IT Ltd.
Send your comments to support@balasys.hu
