Syslog-ng (ng=next generation)

mewbies.com Last update on 06 Aug '10

site, man page, FAQ.

Syslog-ng is not just a tool for logging user activity; it is a replacement for your syslog daemon. From the syslog-ng documentation:

“The application can operate in server or agent mode, and - apart from UDP - supports the reliable TCP and the encrypted TLS protocols. That way syslog-ng can be used to create flexible and reliable logging infrastructure even in heterogeneous environments. syslog-ng reads and logs messages to the system console, log files, other machines and/or users as specified by its configuration file.”

Note that syslog-ng is a logger only: it does not report. It is up to you to choose a method to parse and view your logs. Find a list of a variety of log analysis programs to help you do this under my tutorial section 'LOG ANALYZERS-PARSERS'. Syslog-ng messages can be piped into a MySQL database for a beautiful web-based graphical interface using LogZilla (formerly php-syslog-ng, tutorial HERE), or using Splunk (tutorial HERE).

INSTALL:

View HERE, or HERE if you want to install in chroot jail, otherwise:

su
aptitude update
aptitude install syslog-ng
y

Output will be similar to:

[snip]
The following NEW packages will be installed:
libevtlog0{a} syslog-ng
The following packages will be REMOVED:
klogd{a} sysklogd{a}
[snip]
Removing klogd ...
Stopping kernel log daemon....
Removing sysklogd ...
Stopping system log daemon....
[snip]
Setting up libevtlog0 (0.2.8~1-2) ...
Setting up syslog-ng (2.0.9-4.1) ...
Starting system logging: syslog-ng.
[snip]
ps x
13395 ?        Ss     0:00 /usr/sbin/syslog-ng -p /var/run/syslog-ng.pid

Syslog-ng is installed with its service enabled to start at boot (runlevels 2-5); you need not set it manually. If you would like to view its runlevel settings:

sysv-rc-conf

It will have this:

syslog-ng [ ] [X] [X] [X] [X] [ ] [ ] [ ]

Syslog-ng is highly configurable: it can alert you, apply filters, send logs to multiple destinations (such as another server, so that an intruder cannot tamper with the only copy of the logs), include or exclude particular programs, log per host, and so on. View HERE for all syslog-ng.conf default settings in an easy-to-view format. There are many other settings you can add to suit your needs.

FILES:

Default configuration file is here, read it, make changes to suit your needs:

cat /etc/syslog-ng/syslog-ng.conf

You can also set variables here:

cat /etc/default/syslog-ng

Process ID:

cat /var/run/syslog-ng.pid

Log:

/var/log/syslog

And of course it now takes over writing the normal syslog logs:

/var/log/auth.log
/var/log/daemon.log
/var/log/debug
/var/log/kern.log
/var/log/mail.err
/var/log/mail.log
/var/log/messages
/var/log/user.log
/var/log/uucp.log

COMMANDS:

man syslog-ng

To restart syslog-ng:

/etc/init.d/syslog-ng restart

CRON LOGS:

A feature of syslog-ng is that you can have your cron jobs log to a separate file, instead of mixing with the other logs. To enable this feature:

pico /etc/syslog-ng/syslog-ng.conf

Has this:

# this is commented out in the default syslog.conf
# cron.*                         /var/log/cron.log
#log {
#    source(s_all);
#    filter(f_cron);
#    destination(df_cron);
#};

Change to:

# this is commented out in the default syslog.conf
# cron.*                         /var/log/cron.log
log {
    source(s_all);
    filter(f_cron);
    destination(df_cron);
};

/etc/init.d/syslog-ng restart
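As an added example (not code from the original page or from the syslog-ng project), the following shell script writes a complete, self-contained syslog-ng configuration that combines the cron log statement above with the "send logs to another server" setup mentioned earlier: every message is written locally, and a second copy is shipped over TCP to a collector, so a local compromise cannot silently rewrite the only copy. The definitions of s_all, f_cron and df_cron are assumed to match the Debian defaults the page refers to; loghost.example.internal and port 514 are placeholders; the syntax check only runs when the syslog-ng binary is present. On syslog-ng 3.x you would add a `@version:` line at the top, which the 2.0.9 build shown on this page does not use.

```shell
#!/bin/sh
# Added example, not from the original page or the syslog-ng project.
# Writes a syslog-ng config that gives cron its own file (as the page does by
# uncommenting the log {} block) and also ships everything to a remote host.
# s_all / f_cron / df_cron are assumed to match the Debian default config;
# loghost.example.internal is a placeholder for your own collector.

write_syslog_ng_config() {
    out=$1
    cat > "$out" <<'EOF'
# all local messages: syslog-ng's own, the /dev/log socket, and the kernel
# ring buffer (klogd was removed when syslog-ng was installed)
source s_all {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
};

# cron facility only, to its own file
filter f_cron { facility(cron); };
destination df_cron { file("/var/log/cron.log"); };

# second copy of everything on another host (placeholder name and port)
destination d_remote { tcp("loghost.example.internal" port(514)); };

log { source(s_all); filter(f_cron); destination(df_cron); };
log { source(s_all); destination(d_remote); };
EOF
}

# Syntax-check the generated file with syslog-ng's own --syntax-only mode when
# the binary is available; otherwise only confirm a non-empty file was written.
check_syslog_ng_config() {
    cfg=$1
    if command -v syslog-ng >/dev/null 2>&1; then
        syslog-ng --syntax-only --cfgfile "$cfg"
    else
        [ -s "$cfg" ]
    fi
}

# usage: write to a temporary file and check it
tmpcfg=$(mktemp)
write_syslog_ng_config "$tmpcfg"
check_syslog_ng_config "$tmpcfg" && echo "config written to $tmpcfg"
```

To use it for real, write to /etc/syslog-ng/syslog-ng.conf instead of a temporary file and restart the service as shown above; the tcp() destination is only as trustworthy as the network path to the collector, and the TLS transport the syslog-ng quote mentions is the option to prefer where the installed version supports it.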

Wait until a cron job has been run, then you'll have the file 'cron.log':

ls -al /var/log/cron*
cat /var/log/cron.log

syslog-ng will rotate cron.log as well; you needn't do anything, as it's already listed in its rotation script:

cat /etc/logrotate.d/syslog-ng

LOG ROTATION TROUBLE SHOOTING NOTE:

Syslog-ng installs its own logrotate script. IF you have previously set up custom settings for any of your standard Debian logs, check whether syslog-ng has also created a setting for any of these logs here:

cat /etc/logrotate.d/syslog-ng

For example, I had added my own settings for auth.log, and after installing syslog-ng I noticed root had received e-mails stating:

/etc/cron.daily/logrotate:
error: /etc/logrotate.conf:41 duplicate log entry for /var/log/auth.log
run-parts: /etc/cron.daily/logrotate exited with return code 1

To find the culprit of this error I did:

grep -r auth.log /etc/*

which is how I discovered that syslog-ng had this file listed in its rotation. So I removed my custom settings (from /etc/logrotate.conf) and added them to syslog-ng's rotation settings like this:

pico /etc/logrotate.d/syslog-ng

Has this:

/var/log/auth.log {
    rotate 4
    missingok
    notifempty
    weekly
    compress
}

I changed it to:

/var/log/auth.log {
    rotate 3
    notifempty
    daily
    delaycompress
    compress
    create 640 root adm
    mailfirst
    mail my_email@gmail.com
}

Then you'll need to restart syslog-ng:

/etc/init.d/syslog-ng restart
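The grep above finds the one path you already know about. As an added example (not from the original page), the following shell function scans the whole logrotate configuration for any log path that heads more than one stanza, which is exactly what triggers the "duplicate log entry" mail from cron.daily. The sample configuration tree it builds is constructed to mirror the situation described above (a custom auth.log stanza in logrotate.conf plus syslog-ng's own).

```shell
#!/bin/sh
# Added example, not from the original page: report log paths that head more
# than one logrotate stanza across the given files and directories.
# Literal paths only: logrotate expands globs itself, so a glob stanza can
# still collide with a literal one without showing up here.

# Usage: find_duplicate_logrotate_entries /etc/logrotate.conf /etc/logrotate.d
# Prints "<path> <count>" per duplicated path; returns 1 if any were found.
# Pipeline: drop comments, keep stanza headers ("path [path ...] {"), strip
# the brace, one path per line, ignore directives, count repeats.
find_duplicate_logrotate_entries() {
    dups=$(
        for arg in "$@"; do
            if [ -d "$arg" ]; then
                for f in "$arg"/*; do
                    if [ -f "$f" ]; then cat "$f"; fi
                done
            elif [ -f "$arg" ]; then
                cat "$arg"
            fi
        done |
        sed -e 's/#.*//' | grep '{' | sed -e 's/{.*//' |
        tr ' \t' '\n\n' | grep '^/' | sort | uniq -c |
        awk '$1 > 1 { print $2, $1 }'
    )
    [ -n "$dups" ] || return 0
    printf '%s\n' "$dups"
    return 1
}

# Constructed sample tree: custom auth.log stanza in logrotate.conf and
# syslog-ng's own stanza for the same file in logrotate.d.
make_sample_logrotate_tree() {
    dir=$1
    mkdir -p "$dir/logrotate.d"
    cat > "$dir/logrotate.conf" <<'EOF'
weekly
rotate 4
include /etc/logrotate.d
/var/log/auth.log {
    daily
    rotate 3
}
EOF
    cat > "$dir/logrotate.d/syslog-ng" <<'EOF'
/var/log/syslog {
    rotate 7
    daily
}
/var/log/auth.log {
    rotate 4
    missingok
    weekly
    compress
}
/var/log/mail.info /var/log/mail.warn {
    rotate 4
    weekly
}
EOF
}

# usage on the constructed tree; on a real host pass /etc/logrotate.conf /etc/logrotate.d
sample=$(mktemp -d)
make_sample_logrotate_tree "$sample"
find_duplicate_logrotate_entries "$sample/logrotate.conf" "$sample/logrotate.d" ||
    echo "duplicate stanzas found (see above)"
rm -rf "$sample"
```

Because the function returns 1 when it finds a duplicate, it can be run from a cron job or a configuration-management check so the conflict is caught before logrotate stops rotating auth.log.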

If you want to test logrotation without actually rotating:

logrotate --debug --force /etc/logrotate.d/syslog-ng

You might see an error stating no such file:

[snip]
error: failed to open /var/log/auth.log.1.gz for mailing: No such file or
directory
[snip]

Then to rotate manually:

logrotate --force -v /etc/logrotate.d/syslog-ng

Which might also produce an error IF auth.log has grown larger than your e-mail client is set up to send, that is, IF you have it set up to be e-mailed out:

[snip]
Can't send mail: sendmail process failed with error code 1
[snip]

So I just ran the manual rotation once more to make sure everything worked now that the size was down (the rotation had made a new file):

logrotate --force -v /etc/logrotate.d/syslog-ng

When I received my e-mail again, I noticed that with the different settings it had left 2 stragglers from 10 days earlier (when the error started):

ls -al /var/log
1 root adm     5305 2010-07-28 11:00 auth.log
1 root adm    36891 2010-07-18 06:47 auth.log.0
1 root adm     4561 2010-07-28 10:59 auth.log.1
1 root adm  1292972 2010-07-18 06:25 auth.log.2
1 root adm     3775 2010-07-28 10:57 auth.log.2.gz
1 root adm      508 2010-07-28 10:24 auth.log.3.gz

Or you might have received the error:

old log /var/log/auth.log.0.gz does not exist

So then I did:

gzip /var/log/auth.log.0
gzip /var/log/auth.log.2
y
logrotate --force -v /etc/logrotate.d/syslog-ng

And all is fine now:

ls -al /var/log/auth.*

Then download auth.log.2.gz if you need it for your records before it is rotated out.
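The stragglers above had to be spotted by eye in the ls output. As an added example (not from the original page), the following shell functions find rotated copies that a failed rotation run left uncompressed even though the stanza says compress, and gzip them the way the manual step above does. With delaycompress the newest rotation (.1) is legitimately plain text, so it is skipped; where a .gz of the same number already exists (the auth.log.2 / auth.log.2.gz pair above), gzip would prompt before overwriting, so the file is reported instead of compressed. The log directory and base name are parameters, and the sample directory is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: list and compress rotated log
# copies left uncompressed after a rotation that failed part-way.

# Print files named BASE.N (N numeric) in LOGDIR that are not gzipped.
# Third argument "delaycompress" skips BASE.1, which that option keeps plain.
list_uncompressed_rotations() {
    logdir=$1; base=$2; delay=${3:-}
    for f in "$logdir/$base".*; do
        [ -f "$f" ] || continue
        n=${f#"$logdir/$base".}
        case "$n" in
            *[!0-9]*) continue ;;   # .gz and any other non-numeric suffix
        esac
        if [ "$delay" = delaycompress ] && [ "$n" = 1 ]; then continue; fi
        printf '%s\n' "$f"
    done
}

# gzip each straggler unless BASE.N.gz already exists, in which case report it
# and leave the decision (overwrite or keep) to the operator.
compress_stragglers() {
    list_uncompressed_rotations "$@" | while IFS= read -r f; do
        if [ -e "$f.gz" ]; then
            printf 'skip %s: %s.gz already exists\n' "$f" "$f"
        else
            gzip "$f"
        fi
    done
}

# Constructed sample mirroring the ls listing above.
sample=$(mktemp -d)
for n in auth.log auth.log.0 auth.log.1 auth.log.2 auth.log.2.gz auth.log.3.gz; do
    : > "$sample/$n"
done
echo "uncompressed rotations (delaycompress in effect):"
list_uncompressed_rotations "$sample" auth.log delaycompress
compress_stragglers "$sample" auth.log delaycompress
ls -l "$sample"
rm -rf "$sample"
```

On a real host, run `list_uncompressed_rotations /var/log auth.log delaycompress` first and only then `compress_stragglers` with the same arguments.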

linux/syslog-ng.txt · Last modified: 2013-02-12 12:30 by kokkez