The de facto standard of system log handling is to use the
syslog daemon. While this is usually sufficient, there are some drawbacks to using
syslog. For one, it cannot rotate logs on its own and requires another tool,
typically logrotate,
to do it. Secondly, when used to send log messages to a remote system, it can
only do so over UDP, a stateless protocol, so log messages can be lost or
misdirected without anyone noticing. It also means that they can’t be encrypted
and are sent in the clear over the wire; not such a big deal for intranet
systems, but definitely a problem when you want to send logs over the Internet.

An alternative system logger is syslog-ng. The syslog-ng tool doesn’t suffer from any
of these drawbacks and has a powerful configuration syntax to boot.

The configuration file uses a C-style syntax that is different
from what you may be used to, but once understood, it is extremely flexible. With
it you can define a number of log files, logging sources, and filters. For instance,
to define a log file you would use:

<code>
destination authlog { file("/var/log/auth.log"); };
</code>

This defines a destination named authlog: any messages routed to it (for example
the auth facility, selected with a filter and a log statement) are written to the
/var/log/auth.log file. To define different sources for log messages, you could use:

<code>
source src {
    pipe("/proc/kmsg");
    unix-stream("/dev/log");
    internal();
    udp();
    tcp(port(5140) keep-alive(yes));
};
</code>

This defines a number of sources for log messages. The first
is the system pipe where Linux kernel messages come from. The second is the
traditional Linux device file for logging. The internal() source carries
syslog-ng's own messages, and the udp() source listens on the standard UDP
port 514. The final entry tells syslog-ng to listen on TCP port 5140 and to keep
the connection alive; typically, this would be to receive messages from a remote
syslog-ng server.
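To show how the pieces above fit together, here is a complete configuration that wires the source and destination from this article to a filter and a log statement, forwards a copy to a remote collector over TCP, and accepts remote messages over TLS rather than plain UDP. This is an added example, not configuration from the original article or from the syslog-ng project; the filter and log names, the remote host, the TLS port and the certificate paths are assumptions chosen for illustration.

```conf
# Assumed example syslog-ng configuration (not from the article).
# Minimal options: do not resolve hostnames via DNS while logging.
options { use_dns(no); };

# Local sources, as in the article: kernel pipe, /dev/log, syslog-ng's own messages.
source src {
    pipe("/proc/kmsg");
    unix-stream("/dev/log");
    internal();
};

# Remote source over TLS on port 6514 (assumed port and certificate paths).
# Clients must present a certificate signed by a CA in ca-dir, so messages are
# encrypted in transit and unauthenticated senders are rejected.
source s_remote_tls {
    tcp(port(6514)
        tls(key-file("/etc/syslog-ng/cert.d/server.key")   # placeholder path
            cert-file("/etc/syslog-ng/cert.d/server.crt")  # placeholder path
            ca-dir("/etc/syslog-ng/ca.d")                  # placeholder path
            peer-verify(required-trusted)));
};

# Filter: only messages from the auth and authpriv facilities.
filter f_auth { facility(auth, authpriv); };

# Destinations: the local file from the article, plus a remote collector
# reached over TCP (assumed hostname) so messages are not silently dropped
# the way they can be with UDP.
destination authlog  { file("/var/log/auth.log"); };
destination d_remote { tcp("logcollector.example.internal" port(5140)); };

# Log statements route source -> filter -> destination.
# Local auth messages go to /var/log/auth.log and to the remote collector.
log { source(src); filter(f_auth); destination(authlog); destination(d_remote); };

# Messages received over TLS from other hosts land in the same auth log
# when they match the filter.
log { source(s_remote_tls); filter(f_auth); destination(authlog); };
```

The important design choice is the pairing of filter and log statements: a destination on its own receives nothing until a log statement routes messages to it, which is what lets a single syslog-ng instance fan the same message out to a local file and a remote collector while keeping everything else out of the auth log.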

There is a lot more to syslog-ng than this, of course, but
hopefully this has intrigued you enough to give it a look as it really is a
powerful system logger that runs circles around the traditional syslog daemon.
