Metalog is an alternative syslog daemon. It is simple to configure, accepts an unlimited number of rules and has (switchable) memory buffering for maximal performance.
USE flags for app-admin/metalog (A highly configurable replacement for syslogd/klogd):
- unicode: Add support for Unicode
emerge --ask app-admin/metalog
It is a bad idea to run more than one system logger on a physical host. Other local loggers should be removed or disabled.
[...] A configuration file should be installed. Its default location is /etc/metalog.conf (unless you tweaked --with-sysconfdir). You can find a sample file in this directory, but it's certainly not perfect for your system and your needs. So read on. [...]
- /etc/conf.d/metalog - Gentoo's configuration file for the /etc/init.d/metalog daemon. See man metalog for run-time options.
- /etc/metalog.conf - Global (system-wide) configuration file. See metalog.conf(5) for more information.
Add the metalog daemon to the default runlevel so that logging starts on system boot:
rc-update add metalog default
Start metalog by running:
rc-service metalog start
Verify /var/log/everything/current for recent syslog entries:
tail -f /var/log/everything/current
Shortest catch-all, single-file logging example. Check the logfile definitions at the beginning of the file:
- maxsize: maximum size of a logfile
- maxtime: logfile rotation interval, e.g. daily or weekly
- maxfiles: maximum number of files kept within a logging directory

# Most simple Metalog configuration file:
maxsize  = 1048576  # size in bytes (1048576 = 1 megabyte)
maxtime  = 86400    # time in seconds (86400 = 1 day)
maxfiles = 5        # num files per directory

Everything important :
  facility = "*"
  minimum  = 7
  logdir   = "/var/log/everything"
As of app-admin/metalog-20220214, metalog has no option to act as a syslog server listening for incoming syslog messages from remote clients.
To send syslog messages to a remote syslog server, add the following entries to the /etc/metalog.conf configuration file. This configuration sends all messages to the remote syslog server 192.0.2.1 on target port 514:

# Most simple Metalog configuration file:
maxsize  = 1048576  # size in bytes (1048576 = 1 megabyte)
maxtime  = 86400    # time in seconds (86400 = 1 day)
maxfiles = 5        # num files per directory

# Configure sending syslog messages to a remote syslog server
remote_host = 192.0.2.1
remote_port = 514

# Catchall syslog messages
Everything important :
  facility = "*"
  minimum  = 7
  logdir   = "/var/log/everything"
All syslog messages are stored in the /var/log/everything/current file.
Read RFC 5424, Section 6.2.1, about Facility and Severity.
Incoming syslog messages can be filtered using the following criteria:
- facilities, e.g. local0 or kernel
- urgency levels, called severity in the syslog RFCs, e.g. 0-7
- program names, e.g. ^httpd
- regular expressions (a simple regex example is still needed here)
An incoming message passes through all filters in order. If all conditions of a section match, the actions defined for that section are performed.
To write matched syslog messages to their own logfile only, without additionally writing them to the catch-all syslog file, put the following at the end of the filter definition:
break = 1
Simple filter example configuration using the syslog facility to sort incoming messages to dedicated directories:
- auth facility to /var/log/auth directory only
- kern facility to /var/log/kern directory only
- mail facility to /var/log/mail directory only
- everything else that was not matched to the /var/log/everything directory
The resulting metalog configuration file:
# Most simple Metalog configuration file:
maxsize  = 1048576  # size in bytes (1048576 = 1 megabyte)
maxtime  = 86400    # time in seconds (86400 = 1 day)
maxfiles = 5        # num files per directory

# matched on the authentication facility to the auth directory
Authentication:
  facility = "auth"
  logdir   = "/var/log/auth"
  break    = 1

# matched on the kernel facility to the kern directory
Kernel:
  facility = "kern"
  logdir   = "/var/log/kern"
  break    = 1

# matched on the mail facility to the mail directory
Mail:
  facility = "mail"
  logdir   = "/var/log/mail"
  break    = 1

# matched on all facilities, with all severities, saved to the everything directory
Everything important :
  facility = "*"
  minimum  = 7
  logdir   = "/var/log/everything"
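As an added illustration of the filter semantics described above (this is not code from the metalog project or from this page), the following Python script parses a constructed configuration written in metalog.conf syntax and reports which logdir a message with a given facility and severity number lands in. It assumes the reading of the keys given on this page: facility "*" matches every facility, minimum is the highest severity number still accepted (7 = debug accepts everything), and break = 1 stops evaluation so the catch-all section is not also written.

```python
import re

# Constructed config in metalog.conf syntax (a variant of the page's example:
# kernel messages below "warning" fall through to the catch-all section).
SAMPLE_CONF = """
Authentication:
  facility = "auth"
  logdir   = "/var/log/auth"
  break    = 1
Kernel:
  facility = "kern"
  minimum  = 4             # keep emerg..warning (0-4), skip notice..debug (5-7)
  logdir   = "/var/log/kern"
  break    = 1
Everything important :
  facility = "*"
  minimum  = 7
  logdir   = "/var/log/everything"
"""

KEY_RE = re.compile(r'^\s*([a-z_]+)\s*=\s*(.*?)\s*$')      # key = value
SECTION_RE = re.compile(r'^\s*([^=#:]+?)\s*:\s*$')         # Section name:

def parse_conf(text: str) -> list[dict[str, str]]:
    """Return rule sections in file order; '#' comments and blank lines are dropped."""
    sections: list[dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = {"name": sec.group(1)}
            sections.append(current)
        elif current is not None and (kv := KEY_RE.match(line)):
            current[kv.group(1)] = kv.group(2).strip('"')
    return sections

def route(sections: list[dict[str, str]], facility: str, severity: int) -> list[str]:
    """Logdirs a message is written to. Sections are tried in order; 'minimum'
    is the largest severity number accepted (assumed model of metalog's rule);
    'break = 1' stops evaluation so later sections do not also get the message."""
    targets: list[str] = []
    for sec in sections:
        if sec.get("facility", "*") not in ("*", facility):
            continue
        if "minimum" in sec and severity > int(sec["minimum"]):
            continue
        targets.append(sec["logdir"])
        if sec.get("break") == "1":
            break
    return targets
```

Removing break from the Authentication section makes route() return both /var/log/auth and /var/log/everything, which is exactly the duplicate logging that break = 1 is meant to prevent.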
metalog version 4
Options:
  -a, --async
  -B, --daemonize
  -c, --consolelevel <opt>
  -C, --configfile <opt>
  -g, --group <opt>
  -h, --help
  -N, --no-kernel
  -p, --pidfile <opt>
  -s, --synchronous
  -s, --sync
  -v, --verbose
  -V, --version
Check if a metalog daemon is running:
ps ax | grep metalog
7753 ?        Ss     0:00 metalog [MASTER]
7754 ?        S      0:00 metalog [KERNEL]
Verify using the command logger on the client to send a test syslog message:
logger -t test my syslog-test-message
The following message will appear in the /var/log/everything/current file on the syslog server when metalog is configured properly:
... Jun 17 20:22:46 [test] my syslog-test-message
emerge --ask --depclean --verbose app-admin/metalog
- Logging — the process by which systems record notable events to provide users and administrators with a view of what is happening while a machine is running.
- Metalog (Security Handbook) — system logging with Metalog is covered in the Security Handbook.
- Rsyslog — open source system for high performance log processing.
- Sysklogd — utility that reads and logs messages to the system console, logs files, other machines and/or users as specified by its configuration file.
- Syslog-ng — a powerful, highly configurable monitoring and logging daemon.