syslog.conf selection by ident

I have not found anywhere in the docs how to make selections from syslog by ident.

I use chrooted Unbound and I've configured it to write its log to syslog.
use-syslog: <yes or no>
Sets unbound to send log messages to the syslogd, using syslog().
The log facility LOG_DAEMON is used, with identity
"unbound". The logfile setting is overridden when use-syslog is
turned on. The default is to log to syslog.

I've found in syslog.conf(5) an example of how to select records from syslog by program name:
Code:
!unbound
*.*    /var/log/unbound.log
!*

But there is also a notice
It is preferred that selections be made
on facility rather than program, since the latter can easily vary in a
networked environment. In some cases, though, an appropriate facility
simply does not exist.

After some experiments I found that the following entry works as selector by identity (ident), instead of the previous code:
Code:
daemon.*.unbound    /var/log/unbound.log

I'm not quite sure of the correctness of its syntax, but it works fine. I just wonder why this feature is not described anywhere in the documentation?
 
As usual there are more solutions to a problem. However, I agree that this can be a little confusing to read at first. Been there, had that happen to myself as well.

If you want to use the identity you'd normally use something like:

Code:
# Package management
!pkg,pkg-static
*.*                                             /var/log/pkg.log

Now, the problem with all this is that your syslog.conf normally starts with several global entries which only care about the priority of the messages and not so much the identity. For example:

Code:
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit    /var/log/messages

Do note that I have edited this entry and it no longer matches the default.

Still, my point here is that if you have a message mapped as unbound.notice (or higher) then this would end up in /var/log/messages and not so much any of your other optional entries. As said above there are more ways to solve this, but I personally prefer something like:

Code:
!-imap,named,pkg-static,pkg
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit    /var/log/messages

... at the start. This tells syslog that it should (temporarily) ignore any entries with these identities. Then, later in my config, I'm using this:

Code:
# Bind logging
!named
*.*                                             /var/log/named.log
!*
local1.*                                        /var/log/named.log

First I'm fully including named and I log everything to /var/log/named.conf. Then I include everything else (the !*) and separate my further entries accordingly. The PKG example I showed above is actually placed below this section for obvious reasons.

So this would also be my recommendation. First disable unbound by using !-unbound, then re-enable it later in your config file.
 
If you want to use the identity you'd normally use something like:
Code:
# Package management
!pkg,pkg-static
*.*                                             /var/log/pkg.log

I'm sorry, ShelLuser, but, I'm afraid, "!pkg" is not an identity. As described in syslog.conf(5):
A program specification is a line beginning with `#!prog' or `!prog' (the
former is for compatibility with the previous syslogd, if one is sharing
syslog.conf files, for example) and the following blocks will be associated
with calls to syslog(3) from that specific program. A program specification
for `foo' will also match any message logged by the kernel with
the prefix `foo: '. The `#!+prog' or `!+prog' specification works just
like the previous one, and the `#!-prog' or `!-prog' specification will
match any message but the ones from that program. Multiple programs may
be listed, separated by commas: `!prog1,prog2' matches messages from
either program, while `!-prog1,prog2' matches all messages but those from
`prog1' or `prog2'.
We can find some description of identity (ident) in syslog(3):
The openlog() function provides for more specialized processing of the
messages sent by syslog() and vsyslog(). The ident argument is a string
that will be prepended to every message.
What's more, there is another option in unbound.conf concerning the identity:
log-identity: <string>
If "" is given (default), then the name of the executable, usually
"unbound" is used to report to the log. Enter a string to
override it with that, which is useful on systems that run more
than one instance of unbound, with different configurations, so
that the logs can be easily distinguished against.
So, if you have e.g. two instances of Unbound with different identities and you want to send their logs to different files, you have to select their log records by their corresponding identities, not by the program name.
 
When I'm mentioning identity I am referring to the program identity. We're talking about the same things. Just check /var/log/messages and you'll see exactly what I mean. Also see that same syslog.conf(5) you mentioned.

This is also how Unbound will manifest itself. If you would have checked the logfiles you'd have noticed as much.
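
Added example, not part of any post in this thread: a simplified Python model of how FreeBSD syslogd applies `!prog`, `!-prog` and `!*` blocks, run over a constructed syslog.conf that uses the exclude-then-include layout described above for two Unbound instances. The identities `unbound-int` and `unbound-ext` are hypothetical `log-identity` values, and the model assumes syslogd compares the program specification with the message tag, which is the ident string given to openlog(). Hostname blocks and priority comparison flags are not modelled.

```python
# Added example: simplified model of FreeBSD syslogd program blocks.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed syslog.conf; unbound-int / unbound-ext are hypothetical
# log-identity values for two Unbound instances.
CONF = """
!-unbound-int,unbound-ext
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit    /var/log/messages
!unbound-int
*.*    /var/log/unbound-int.log
!unbound-ext
*.*    /var/log/unbound-ext.log
!*
cron.*    /var/log/cron
"""

def parse(conf):
    """Return (include, progs, selectors, action) per rule; progs None = any."""
    rules, include, progs = [], True, None
    for line in map(str.strip, conf.splitlines()):
        if line.startswith("#!"):          # legacy spelling of !prog
            line = line[1:]
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):           # program specification opens a block
            spec = line[1:].strip()
            include = not spec.startswith("-")
            progs = None if spec == "*" else set(spec.lstrip("+-").split(","))
            continue
        selectors, action = line.split(None, 1)
        rules.append((include, progs, selectors, action))
    return rules

def selected(selectors, facility, level):
    """Apply ';'-separated selectors left to right; a later one overrides."""
    threshold = None                       # None = facility not logged
    for sel in selectors.split(";"):
        facs, prio = sel.rsplit(".", 1)
        if facs == "*" or facility in facs.split(","):
            threshold = None if prio == "none" else (
                len(LEVELS) - 1 if prio == "*" else LEVELS.index(prio))
    return threshold is not None and LEVELS.index(level) <= threshold

def route(conf, ident, facility, level):
    """Files a message tagged `ident` at facility.level would be written to."""
    return [action for include, progs, selectors, action in parse(conf)
            if (progs is None or (ident in progs) == include)
            and selected(selectors, facility, level)]
```

On a live system the same routing can be checked by sending a tagged test message, for example `logger -t unbound-int -p daemon.notice test`, and seeing which files receive it.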
 
I'm not going to bother. I gave you a working example how you can filter these messages, the example for pkg simply works, so if you think I'm wrong about that without being capable of actually backing this up with facts then that's your problem.
 