Solved writing logs from syslog clients to separate files

[tOsYZYny]

I have a few access points that are syslog capable and have them sending logs to my syslog server. It gets dumped into the main log file, messages, but would like to split it to a separate file so that it is slightly easier to discern what is coming from where.

I looked at the man pages and saw that I can pipe output to a cmd, so I was thinking I could easily write a shell script that does the matching there, but am wondering if that is a bad idea. This is a rough draft of what I was contemplating:

#!/bin/sh

_LINE=$(cat -)
case "$_LINE" in
*[0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\ \<*.*\>\ 192.168.0.1\ *)
_LOGFILE=ap/192.168.0.1
;;
*[0-9]\ [0-9][0-9]:[0-9][0-9]:[0-9][0-9]\ \<*.*\>\ 192.168.0.2\ *)
_LOGFILE=ap/192.168.0.2
;;
*)
_LOGFILE=log
;;
esac
mkdir -p $(dirname $_LOGFILE)
printf '%s\n' "$_LINE" >> $_LOGFILE

 

[dark.initr0]

As I see script run 2 sub-shells to run commands $() for each log line.
Maybe it's not optimal if you have huge logs

 

[tOsYZYny]

Good point, I suppose I could write it in go and that'd be faster. Or, maybe rust?

I guess what I'm getting at is, is that the 'right' way to do it? Or, is there a better approach?

 

[Phishfry]

Sounds like a great job for sysutils/syslog-ng.

 

[Mike Selner]

You may want to take a look at syslog.conf(5).
You can create client IP based rules to direct output to different files

 

[tOsYZYny]

I checked the man pages prior to posting this question. Hmm, are those man pages for syslog-ng or syslog? I don't see any references to client there, but rather property-based filters.

Correction, at the very bottom, I see :hostname. Let me try that.

 

[tOsYZYny]

I sorted it out, it was easier than I thought, I overlooked the section in the man page on hostname:

+<ROUTER IP 1>
*.* /var/log/ap/ROUTER_1
+<ROUTER IP 2>
*.* /var/log/ap/ROUTER_2

To prevent these logs from being written to the original file, I do:

-<ROUTER IP 1>
-<ROUTER IP2>

 

[lgrant]

Sounds like a great job for sysutils/syslog-ng.

Agreed. I had some VOIP phones and Logitech Squeezebox devices all sending syslogs to a FreeBSD machine with syslog-ng. It would produce a series of log files like device.Mon, device.Tue, etc., and would keep a weeks worth of files before reusing the names. I don't remember what the configuration looked like, but I do remember that it was easy (and didn't involve a bunch of regexes).

 

[biggsy]

I have a similar config but I put the lines:

+<ROUTER IP 1>
*.* /var/log/ap/ROUTER_1
+<ROUTER IP 2>
*.* /var/log/ap/ROUTER_2

above the rest of the local entries followed immediately by the line:

+@

which I understand says something like "the following block of entries apply to messages from localhost".
I guess it's just another way of excluding the remote entries from the local log files but avoids the need for:

-<ROUTER IP 1>
-<ROUTER IP2>

 

[tOsYZYny]

Ah, good call, yeah, I think that is probably a better approach as it is more generic.

 

[tOsYZYny]

Agreed. I had some VOIP phones and Logitech Squeezebox devices all sending syslogs to a FreeBSD machine with syslog-ng. It would produce a series of log files like device.Mon, device.Tue, etc., and would keep a weeks worth of files before reusing the names. I don't remember what the configuration looked like, but I do remember that it was easy (and didn't involve a bunch of regexes).

Yeah, the syslog conf is not pretty, each time I look at it, I get a headache.

I suppose here in lies a conflict (for me at least). I would like to have a single logger installed, the one I'm using, but AFAIK, syslog is baked into FreeBSD and syslog-ng is an standalone package. Wouldn't it make sense to have one or the other, but not both?

 

[biggsy]

Ah, good call, yeah, I think that is probably a better approach as it is more generic.

Don't forget, like I did, to modify your newsyslog.conf so that those logs get rolled over.