How to automatically sort syslog messages by hostname on a busy syslog server using syslog-ng

If you operate a large network, it is useful to have your hosts log to a central syslog server. The challenge is to have the syslog server sort the incoming logs to the appropriate files automatically.

In this example, we are using syslog-ng (not syslogd!) for the syslog server from a standard linux distribution. On the syslog clients you make the following type of configuration entry:

*nix syslog clients

In /etc/syslog.conf add an entry to direct the logging to the syslog server in addition to the local files:

----Before----
*.info;authpriv.none /var/log/messages

----After----
*.info;authpriv.none /var/log/messages
*.info;authpriv.none @syslog_host.domain.com

---------------

Cisco switches and routers

service timestamps debug datetime
service timestamps log datetime localtime

logging trap debugging
logging source-interface <VLAN>
logging <syslog server IP>

logging on
-------------------------

Syslog server configuration

# this line lets the syslog server “listen” to other hosts
source net { udp(); };

# automatic host sorting
# The “std” destination is the default destination statement for syslog-ng
destination std { file(”/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY” owner(root) group(admin) perm(0640) dir_perm(0750) create_dirs(yes) );
};