Hello,

Recently I've read a developer's discussion on the gmane (see the "steps to reproduce" below) concerning syslog-ng vs. metalog. And two days ago I've configured my server and shortly after my laptop to use multiple files for logging with syslog-ng. I must say that just filtering cron messages was a great relief for my /var/log/messages file, as it became much clearer. Then I played with it a little more, so I was quite happy with the result.

THEN I've found the Security Handbook. Having some experience already I must admit that the example configuration in the "Chapter 3. Logging" is a lot better than mine...

So here comes my RFE. I would like to ask you to consider adding such a good configuration file to syslog-ng, apart from its clean & minimal config file. It should be placed in /etc/syslog-ng/syslog-ng.conf.example and the ebuild should display a notice about this file at the end of emerging syslog-ng. The contents of the file should be the same as in the "Security Handbook". Its purpose would be similar to /etc/make.conf.example and /etc/conf.d/net.example - so users installing syslog-ng could be quickly acquainted with a simple, default configuration and a good but more complicated one.

I think I would use such a file, even though doing manual configuration and the on-line research was quite a learning experience :-)

Reproducible: Always

Steps to Reproduce:
1. See http://article.gmane.org/gmane.linux.gentoo.devel/31889
2. See the whole discussion: http://article.gmane.org/gmane.linux.gentoo.devel/31841
3. See a good syslog-ng configuration: http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=3#doc_chap4

Expected Results:
I also think that fulfilling my request is quite easy. It consists of several steps:
1. Copy the example syslog-ng configuration from "Security Handbook"
2. Put it in a file /etc/syslog-ng/syslog-ng.conf.example
3. Add a nice header to this file (with the link to the "Security Handbook")
4. Enhance the ebuild to advertise the syslog-ng.conf.example file at the end of merge
5. Update the portage tree

Not that much actually, if you ask me ;-)

There are also two currently open bugs, Bug #93240 and Bug #101387. The former has some very valid points wrt. properly analyzing logs by logwatch. Resolving both requests - this one and the one from Bug #93240 - would greatly increase the value of both packages (syslog-ng and logwatch) at the same time.

syslog-ng installs a few config files in the doc directory already. I expect users who are going to be customizing syslog-ng configuration will be interested in looking at the docs and the config files there in the same directory. Bug #93240 will be handled by the hardened team and I'm waiting for input on the other one.
Yes, you are right. I just didn't notice that somehow. If only the Handbook or ebuild hinted at those examples... A typical desktop user just installs "the logger" and forgets about it. I just felt like I had to configure syslog-ng on my own. But the examples were always on my disk... Wow. Anyway, thanks for the quick and accurate reply!
Do the docs also mention the need/option to install logrotate, so that /var/log doesn't run out of space? And the fact that some packages respect the logrotate USE flag and add their own logrotate configuration file under /etc/logrotate.d/ so that you don't have to manually make an entry in /etc/logrotate.conf? Otherwise a relevant comment could help as a reminder with a new install.

--
Regards,
Mick