On 22/12/13 22:17, Tanstaafl wrote:
> Hi all,
>
> I'm very interested in what are best practices, and what others do as
> far as separating out different types of messages in their logs.
>
> I've always just sent everything to /var/log/messages, and this is not a
> very heavily loaded box so it hasn't been a big problem, but I'm working
> on a new server and would like to do some separation.
>
> I'd still like everything to go to /var/log/messages, but I'd like to
> also send certain types of messages to different logs to simplify
> troubleshooting, etc - ie, I often peruse the logs with:
>
> egrep '(reject|warning|error|fatal|panic):' /var/log/messages
>
> But I'd like to actually feed all of those messages to a separate log,
> for easier tailing.
syslog-ng comes with extensive documentation, and a high-quality sysadmin
manual is available from Balabit's web site. You need to start there, as
that spec above is highly bespoke. To do it, you need to examine the
content of the log body using a regex; the usual way of filtering logs
is by the header fields, not the body.

There is no "best practice" as such wrt logging. All that there is, is
whatever you consider you need to have.

--
Alan McKinnon
alan.mckin...@gmail.com
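To make the distinction Alan draws concrete, here is an added syslog-ng configuration fragment (written for this thread, not taken from the syslog-ng manual or from either poster). It keeps everything flowing to /var/log/messages and, in a second log path, copies matching messages to a separate file. The body-regex filter reuses the egrep pattern from the original question; the level() filter alongside it shows the header-field approach Alan refers to. The source and destination names and the path /var/log/problems.log are assumptions chosen for the example.

```conf
# Local sources: kernel, /dev/log and syslog-ng's own internal messages.
source s_local {
    system();
    internal();
};

# Everything still goes here, unchanged.
destination d_messages { file("/var/log/messages"); };

# Assumed path for the separate, easier-to-tail file.
destination d_problems { file("/var/log/problems.log"); };

# Body-based filter: the same regex the original egrep used, applied to the
# message text (the MESSAGE macro) rather than to any header field.
filter f_body_regex {
    match("(reject|warning|error|fatal|panic):" value("MESSAGE"));
};

# Header-based alternative: select on the syslog priority field instead.
# Catches warning, err, crit, alert and emerg regardless of message wording,
# but misses body-only markers such as Postfix "reject:" lines logged at info.
filter f_level { level(warning..emerg); };

# Path 1: unfiltered copy to /var/log/messages.
log { source(s_local); destination(d_messages); };

# Path 2: body-regex matches to the separate file.  No flags(final), so a
# message matching here is still written by path 1 as well.
log { source(s_local); filter(f_body_regex); destination(d_problems); };

# To use the header field instead, swap the filter:
# log { source(s_local); filter(f_level); destination(d_problems); };
```

The two filters are not equivalent: level() is cheaper and does not depend on how each daemon phrases its messages, while match() on MESSAGE is the only way to catch application-specific words that are logged at an informational priority, which is why the regex approach is "bespoke" to the applications on the box. Run `syslog-ng -s` to syntax-check the file before reloading.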