Chapter 10. Managing log paths
This section describes how to create and configure log paths in SSB.
■ For a list of default log paths, see Section 10.1, Default logpaths in SSB (p. 166).
■ For details on how to create a new log path, see Procedure 10.2, Creating new log paths (p. 166).
■ For details on how to send only selected messages to a destination, see Section 10.3, Filtering messages (p. 169).
10.1. Default logpaths in SSB
Two log paths are available by default in SSB (see Log > Paths):
Figure 10.1. Default logpaths of SSB
■ The first log path collects the local messages of SSB. It sends every message of the web interface, the built-in syslog-ng server, and other internal components to the local logspace.
■ The second log path collects messages sent to SSB using the default syslog sources (for details, see Section 7.1, Default message sources in SSB (p. 126)) or via SNMP (for details, see Procedure 7.2, Receiving SNMP messages (p. 127)). These messages are stored in the center logspace.
Note
Note that both default log paths are marked as Final: if you create a new log path that collects logs from the default sources, make sure to adjust the order of the log paths, or disable the Final option for the default log path.
10.2. Procedure – Creating new log paths
Purpose: To create a new log path, complete the following steps.
Steps:
Step 1. Navigate to Log > Paths and select . A new log path is added to the list of log paths.
Step 2. Select a source for the log path from the Source field. Messages arriving to this source will be processed by this log path. To add more sources to the log path, select in the source field and repeat this step.
Figure 10.2. Creating a new logpath
Remote sources receive messages from the network, while built-in sources are messages that originate on SSB. However, note that the SNMP source (for details, see Procedure 7.2, Receiving SNMP messages (p. 127)) is listed in the built-in section.
Tip
To process every message of every source, leave the source option on all. This is equivalent to using the catchall flag of syslog-ng.
Step 3. Select a destination for the log path from the Destination field. Messages arriving to this source will be forwarded to this destination. To add more destinations to the log path, select in the destination field and repeat this step.
Note
Remote destinations forward the messages to external servers or databases and are configured on the Log >
Destinations page (for details, see Chapter 9, Forwarding messages from SSB (p. 157)).
Local destinations store the messages locally on SSB and are configured on the Log > Spaces page (for details, see Chapter 8, Storing messages on SSB (p. 140)).
If you do not want to store the messages arriving to this log path, leave the Destination field on none.
Warning
The none destination discards messages: messages sent only to this destination will be lost irrevocably.
Step 4. If you do not want other log paths to process the messages sent to a destination by this log path, select the Final option.
The order of the log paths is important, especially if you use the Final option in one or more destinations, because SSB evaluates log paths in descending order. Use the buttons to position the log path if needed.
Step 5. To enable flow-control for this log path, select the Flow option. For details on how flow-control works, see Section 2.3, Managing incoming and outgoing messages with flow-control (p. 5).
Step 6. If you do not want to send every message from the sources to the destinations, use filters. Select the filter to use from the Filter field, click , and configure the filter as needed. To apply more filters, click and select a new filter. Note that SSB sends only those messages to the destinations that pass every listed filter of the log path. The available filters are described in Section 10.3, Filtering messages (p. 169).
Figure 10.3. Filtering log messages
Step 7. Click . After that, the new log path will start to collect log messages.
Tip
If you do not want to activate the log path immediately, deselect the Enable option.
10.3. Filtering messages
This section describes the filters that can be used in log paths. Every filter can be used to select (for example priority is) or exclude (for example priority is not) messages. The following filters are available:
■ facility: Select messages sent by a specific facility (for example kernel).
■ host: Select messages sent by a specific host. Enter a hostname, IP address, or a POSIX (basic) regular expression.
■ message: Select messages containing a specific keyword or POSIX (basic) regular expression in the text of the log message (excluding the headers).
■ priority: Select messages of a specific priority.
■ program: Select messages sent by a specific application. Enter the name of the application or a POSIX (basic) regular expression.
■ sender: Filter on the address of the host that sent the message to SSB.
Note
The effect of the sender and the host filters is the same if every client sends the logs directly to SSB. But if SSB receives messages from relays, then the host filter applies for the address of the clients, while the sender applies for the address of the relays.
If multiple filters are set for a log path, only messages complying to every filter are sent to the destinations. (In other words, filters are added using the logical AND operation.)
Figure 10.4. Using custom filters
If you need more complex filtering in your log path, select the of the log path and enter a custom filter into the appearing field. The contents of this field are pasted into the filter() parameter of the syslog-ng log path definition.
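To show how the log path options from Procedure 10.2 (Final, Flow, source "all") and the filters of this section map onto the syslog-ng configuration that SSB builds, here is an added example written for this page; it is not configuration generated by or taken from SSB. The source and destination names (s_remote_syslog, d_local_center, d_remote_siem) are assumed placeholders, and netmask() is assumed to be the syslog-ng counterpart of the SSB sender filter.

```conf
# Added example (not from the SSB guide): syslog-ng log statements that
# correspond to two SSB log paths plus a catch-all path. Source and
# destination names are assumed placeholders; SSB generates its own.

# Filter 1: facility is "kernel" AND priority is warning or higher.
filter f_kernel_warn {
    facility(kern) and level(warning..emerg);
};

# Filter 2: host matches a regular expression AND program is NOT "cron".
# "not" is how the SSB "<filter> is not" choice appears in syslog-ng.
filter f_web_not_cron {
    host("^web[0-9]+$") and not program("cron");
};

# Custom filter: the text between the braces is what SSB would paste
# into filter(). netmask() (assumed mapping of the SSB "sender" filter)
# checks the address of the relay or client that delivered the message,
# whereas host() checks the HOST field carried inside the message.
filter f_from_relay_with_error {
    netmask("192.0.2.0/24") and match("error" value("MESSAGE"));
};

# Log path 1: Final is selected, so messages it matches are not
# evaluated by the log paths below it. Order therefore matters.
log {
    source(s_remote_syslog);
    filter(f_kernel_warn);
    destination(d_local_center);
    flags(final);
};

# Log path 2: two filters, both must pass (logical AND), with
# flow-control enabled (the SSB "Flow" option).
log {
    source(s_remote_syslog);
    filter(f_web_not_cron);
    filter(f_from_relay_with_error);
    destination(d_remote_siem);
    flags(flow-control);
};

# Log path 3: source left on "all" (the catchall flag), so no source()
# statements are listed; everything not caught above goes to the
# center logspace.
log {
    destination(d_local_center);
    flags(catchall);
};
```

Because log path 1 is final, a kernel warning from a host matching ^web[0-9]+$ is stored only in d_local_center and never reaches d_remote_siem; swap the order of the first two log statements (or drop flags(final)) if both destinations should receive it.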
10.3.1. Procedure – Modifying messages using rewrite
Purpose: The syslog-ng application can rewrite parts of the messages using rewrite rules. Almost all parts of the message can be rewritten. The rules use a key-value pair format.
Steps: