[mirror/dsa-puppet.git] / modules / syslog-ng / templates / syslog-ng.conf.erb

<%- if has_variable?("syslogversion") and syslogversion.to_s == "3.1" -%>
@version: 3.0
<%- elsif has_variable?("syslogversion") and syslogversion.to_s == "3.5" -%>
@version: 3.5
@include "scl.conf"
<%- else -%>
@version: 3.3
@include "scl.conf"
<%- end -%>

##
## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##

#
# Configuration file for syslog-ng under Debian
#
# attempts at reproducing default syslog behavior

# the standard syslog levels are (in descending order of priority):
# emerg alert crit err warning notice info debug
# the aliases "error", "panic", and "warn" are deprecated
# the "none" priority found in the original syslogd configuration is
# only used in internal messages created by syslogd


######
# options

options {
        # disable the chained hostname format in logs
        # (default is enabled)
        chain_hostnames(1);

        # the time to wait before a died connection is re-established
        # (default is 60)
        time_reopen(10);

        # the time to wait before an idle destination file is closed
        # (default is 60)
        time_reap(360);

        # the number of lines buffered before written to file
        # you might want to increase this if your disk isn't catching with
        # all the log messages you get or if you want less disk activity
        # (say on a laptop)
        # (default is 0)
        #sync(0);

        # the number of lines fitting in the output queue
<%- if has_variable?("syslogversion") and syslogversion.to_s == "3.1" -%>
        log_fifo_size(2048);
<%- else -%>
        log_fifo_size(10000);
<%- end -%>

        # enable or disable directory creation for destination files
        create_dirs(yes);

        # default owner, group, and permissions for log files
        # (defaults are 0, 0, 0600)
        #owner(root);
        group(adm);
        perm(0640);

        # default owner, group, and permissions for created directories
        # (defaults are 0, 0, 0700)
        #dir_owner(root);
        #dir_group(root);
        dir_perm(0755);

        # enable or disable DNS usage
        # syslog-ng blocks on DNS queries, so enabling DNS may lead to
        # a Denial of Service attack
        # (default is yes)
        use_dns(no);

        # maximum length of message in bytes
        # this is only limited by the program listening on the /dev/log Unix
        # socket, glibc can handle arbitrary length log messages, but -- for
        # example -- syslogd accepts only 1024 bytes
        # (default is 2048)
        #log_msg_size(2048);

        #Disable statistic log messages.
        stats_freq(0);

        # Some program send log messages through a private implementation.
        # and sometimes that implementation is bad. If this happen syslog-ng
        # may recognise the program name as hostname. Whit this option
        # we tell the syslog-ng that if a hostname match this regexp than that
        # is not a real hostname.
        bad_hostname("^gconfd$");

        keep_hostname(no);

        # We believe our own clock more than we believe the client clock.
        keep_timestamp(no);
};


######
# sources

# all known message sources
source s_local {
        # message generated by Syslog-NG
        internal();
<%- if has_variable?("syslogversion") and syslogversion.to_s == "3.1" -%>
        # standard Linux log source (this is the default place for the syslog()
        # function to send logs to)
        unix-stream("/dev/log");
        # messages from the kernel
        file("/proc/kmsg" program_override("kernel: "));
<%- else -%>
        system();
<%- end -%>
};

<%- if (hostname == "lotti") || (hostname == "lully") || (hostname == "loghost-grnet-01") -%>
source s_network {
        tcp6(port(5140) max-connections(400)
                tls( key_file("/etc/exim4/ssl/thishost.key")
                     cert_file("/etc/exim4/ssl/thishost.crt")
                     ca_dir("/etc/exim4/ssl/")
                )
        );
};
<%- end -%>


######
# destinations

# some standard log files
destination df_auth { file("/var/log/auth.log"); };
destination df_syslog { file("/var/log/syslog"); };
destination df_cron { file("/var/log/cron.log"); };
destination df_daemon { file("/var/log/daemon.log"); };
destination df_kern { file("/var/log/kern.log"); };
destination df_lpr { file("/var/log/lpr.log"); };
destination df_mail { file("/var/log/mail.log" group(maillog)); };
# destination df_mail_info { file("/var/log/mail.info" group(maillog)); };
destination df_mail_warn { file("/var/log/mail.warn" group(maillog)); };
destination df_mail_err { file("/var/log/mail.err" group(maillog)); };
destination df_user { file("/var/log/user.log" perm(0644)); };
destination df_uucp { file("/var/log/uucp.log"); };

# these files are meant for the mail system log files
# and provide re-usable destinations for {mail,cron,...}.info,
# {mail,cron,...}.notice, etc.
destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };

# these files are meant for the news system, and are kept separated
# because they should be owned by "news" instead of "root"
destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };

# some more classical and useful files found in standard syslog configurations
destination df_debug { file("/var/log/debug"); };
destination df_messages { file("/var/log/messages"); };

<%- if kernel == 'Linux' -%>
# pipes
# a console to view log messages under X
destination dp_xconsole { pipe("/dev/xconsole"); };

<%- end -%>
# consoles
# this will send messages to everyone logged in
destination du_all { usertty("*"); };


######
# filters

# all messages from the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };

# all messages except from the auth and authpriv facilities
filter f_syslog { not facility(auth, authpriv, mail); };

# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
# and uucp facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };

# some filters to select messages of priority greater or equal to info, warn,
# and err
# (equivalents of syslogd's *.info, *.warn, and *.err)
filter f_at_least_info { level(info..emerg); };
filter f_at_least_notice { level(notice..emerg); };
filter f_at_least_warn { level(warn..emerg); };
filter f_at_least_err { level(err..emerg); };
filter f_at_least_crit { level(crit..emerg); };

# all messages of priority debug not coming from the auth, authpriv, news, and
# mail facilities
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };

# all messages of info, notice, or warn priority not coming form the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages {
        level(info,notice,warn)
            and not facility(auth,authpriv,cron,daemon,mail,news);
};

# messages with priority emerg
filter f_emerg { level(emerg); };

<%- if kernel == 'Linux' -%>
# complex filter for messages usually sent to the xconsole
filter f_xconsole {
    facility(daemon,mail)
        or level(debug,info,notice,warn)
        or (facility(news)
                and level(crit,err,notice));
};

<%- end -%>

# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement

###############################################################################
########## ON LOG CLIENTS #####################################################
###############################################################################
###############################################################################
###############################################################################
# all log clients, including the log server, log their locally created
# messages to the standard places.

# auth,authpriv.*                 /var/log/auth.log
log {
        source(s_local);
        filter(f_auth);
        destination(df_auth);
};

# *.*;auth,authpriv.none          -/var/log/syslog
log {
        source(s_local);
        filter(f_syslog);
        destination(df_syslog);
};

# this is commented out in the default syslog.conf
# cron.*                         /var/log/cron.log
#log {
#        source(s_local);
#        filter(f_cron);
#        destination(df_cron);
#};

# daemon.*                        -/var/log/daemon.log
log {
        source(s_local);
        filter(f_daemon);
        destination(df_daemon);
};

# kern.*                          -/var/log/kern.log
log {
        source(s_local);
        filter(f_kern);
        destination(df_kern);
};

# lpr.*                           -/var/log/lpr.log
log {
        source(s_local);
        filter(f_lpr);
        destination(df_lpr);
};

# mail.*                          -/var/log/mail.log
log {
        source(s_local);
        filter(f_mail);
        destination(df_mail);
};

# user.*                          -/var/log/user.log
log {
        source(s_local);
        filter(f_user);
        destination(df_user);
};

# uucp.*                          /var/log/uucp.log
log {
        source(s_local);
        filter(f_uucp);
        destination(df_uucp);
};

# mail.info                       -/var/log/mail.info
#log {
#        source(s_local);
#        filter(f_mail);
#        filter(f_at_least_info);
#        destination(df_mail_info);
#};

# mail.warn                       -/var/log/mail.warn
log {
        source(s_local);
        filter(f_mail);
        filter(f_at_least_warn);
        destination(df_mail_warn);
};

# mail.err                        /var/log/mail.err
log {
        source(s_local);
        filter(f_mail);
        filter(f_at_least_err);
        destination(df_mail_err);
};

# news.crit                       /var/log/news/news.crit
log {
        source(s_local);
        filter(f_news);
        filter(f_at_least_crit);
        destination(df_news_dot_crit);
};

# news.err                        /var/log/news/news.err
log {
        source(s_local);
        filter(f_news);
        filter(f_at_least_err);
        destination(df_news_dot_err);
};

# news.notice                     /var/log/news/news.notice
log {
        source(s_local);
        filter(f_news);
        filter(f_at_least_notice);
        destination(df_news_dot_notice);
};


# *.=debug;\
#         auth,authpriv.none;\
#         news.none;mail.none     -/var/log/debug
log {
        source(s_local);
        filter(f_debug);
        destination(df_debug);
};


# *.=info;*.=notice;*.=warn;\
#         auth,authpriv.none;\
#         cron,daemon.none;\
#         mail,news.none          -/var/log/messages
log {
        source(s_local);
        filter(f_messages);
        destination(df_messages);
};

# *.emerg                         *
log {
        source(s_local);
        filter(f_emerg);
        destination(du_all);
};


<%- if kernel == 'Linux' -%>
# daemon.*;mail.*;\
#         news.crit;news.err;news.notice;\
#         *.=debug;*.=info;\
#         *.=notice;*.=warn       |/dev/xconsole
log {
        source(s_local);
        filter(f_xconsole);
        destination(dp_xconsole);
};
<%- end -%>


 <%- if hostname != "lotti" -%>
destination loghost-lotti {
        tcp("lotti.debian.org" port (5140)
                tls( key_file("/etc/ssl/private/thishost.key")
                     cert_file("/etc/ssl/debian/certs/thishost.crt")
                     ca_dir("/etc/ssl/debian/certs/")
                )
        );
};
 <%- end -%>
  <%- if hostname != "lully" -%>
destination loghost-lully {
        tcp("lully.debian.org" port (5140)
                tls( key_file("/etc/ssl/private/thishost.key")
                     cert_file("/etc/ssl/debian/certs/thishost.crt")
                     ca_dir("/etc/ssl/debian/certs/")
                )
        );
};
 <%- end -%>
  <%- if hostname != "loghost-grnet-01" -%>
destination loghost-loghost-grnet-01 {
        tcp("loghost-grnet-01.debian.org" port (5140)
                tls( key_file("/etc/ssl/private/thishost.key")
                     cert_file("/etc/ssl/debian/certs/thishost.crt")
                     ca_dir("/etc/ssl/debian/certs/")
                )
        );
};
 <%- end -%>

log {
        source(s_local);
 <%- if hostname != "lotti" -%>
        destination(loghost-lotti);
 <%- end -%>
 <%- if hostname != "lully" -%>
        destination(loghost-lully);
 <%- end -%>
 <%- if hostname != "loghost-grnet-01" -%>
        destination(loghost-loghost-grnet-01);
 <%- end -%>
};



<%- if (hostname == "lotti") || (hostname == "lully") || (hostname == "loghost-grnet-01") -%>
###############################################################################
########## ON LOG HOST ########################################################
###############################################################################
###############################################################################
#
# The log server, additionally, also logs all local and remote messages to
# a few special places.
destination hostdest_auth           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/auth.log"
                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_syslog         { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/syslog"
                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_cron           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/cron.log"
                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_daemon         { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/daemon.log"
                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_kern           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/kern.log"
                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_lpr            { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/lpr.log"
                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_mail           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/mail.log"
                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_news           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/news.log"
                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_user           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/user.log"
                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_uucp           { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/uucp.log"
                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_debug          { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/debug"
                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_messages       { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/messages"
                                      owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };


#----------------------------------------------------------------------
#  Special catch all destination hostdest_sorting by host
#----------------------------------------------------------------------
destination hostdest_facility_dot_info   { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.info"
                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_facility_dot_notice { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.notice"
                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_facility_dot_warn   { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.warn"
                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_facility_dot_err    { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.err"
                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };
destination hostdest_facility_dot_crit   { file("/var/log/hosts/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.crit"
                                           owner(root) group(adm) perm(0640) dir_perm(0755) create_dirs(yes) dir_owner(root) dir_group(adm)); };


#----------------------------------------------------------------------
#  Catch all log files
#----------------------------------------------------------------------
destination df_ALL_auth { file("/var/log/auth-all.log"); };
destination df_ALL_mail { file("/var/log/mail-all.log"); };
destination df_ALL_syslog { file("/var/log/syslog-all"); };

log { source(s_local);
      source(s_network);
      filter(f_auth); destination(hostdest_auth); };
log { source(s_local);
      source(s_network);
      filter(f_syslog); destination(hostdest_syslog); };
log { source(s_local);
      source(s_network);
      filter(f_daemon); destination(hostdest_daemon); };
log { source(s_local);
      source(s_network);
      filter(f_kern); destination(hostdest_kern); };
log { source(s_local);
      source(s_network);
      filter(f_lpr); destination(hostdest_lpr); };
log { source(s_local);
      source(s_network);
      filter(f_mail); destination(hostdest_mail); };
log { source(s_local);
      source(s_network);
      filter(f_news); destination(hostdest_mail); };
log { source(s_local);
      source(s_network);
      filter(f_user); destination(hostdest_user); };
log { source(s_local);
      source(s_network);
      filter(f_uucp); destination(hostdest_uucp); };
log { source(s_local);
      source(s_network);
      filter(f_debug); destination(hostdest_debug); };
log { source(s_local);
      source(s_network);
      filter(f_messages); destination(hostdest_messages); };

log { source(s_local);
      source(s_network);
      filter(f_mail); filter(f_at_least_info); destination(hostdest_facility_dot_info); };
log { source(s_local);
      source(s_network);
      filter(f_mail); filter(f_at_least_warn); destination(hostdest_facility_dot_warn); };
log { source(s_local);
      source(s_network);
      filter(f_mail); filter(f_at_least_err); destination(hostdest_facility_dot_err); };


## catch all:
log { source(s_local);
      source(s_network);
      filter(f_auth); destination(df_ALL_auth); };
log { source(s_local);
      source(s_network);
      filter(f_mail); destination(df_ALL_mail); };
log { source(s_local);
      source(s_network);
      filter(f_syslog); destination(df_ALL_syslog); };
<%- end -%>