Metalog

From Gentoo Wiki

Metalog is an alternative syslog daemon. It is simple to configure, accepts an unlimited number of rules, and can buffer log writes in memory for maximum throughput. Buffering is switchable: if entries must hit the disk immediately (for example so that nothing is lost when the host crashes or is powered off during an incident), run the daemon with the --synchronous option listed under Invocation below.

Installation

USE flags

USE flags for app-admin/metalog A highly configurable replacement for syslogd/klogd

unicode Add support for Unicode

Emerge

Install app-admin/metalog:

root #emerge --ask app-admin/metalog
Warning
It is a bad idea to run more than one system logger on a physical host. Other local loggers should be removed or disabled.

Configuration

Metalog documentation:

[...]
A configuration file should be installed. Its default location is
/etc/metalog.conf (unless you tweaked --with-sysconfdir) . You can find a
sample file in this directory, but it's certainly not perfect for your system
and your needs. So read on.
[...]

Files

  • /etc/conf.d/metalog - Gentoo's config file for /etc/init.d/metalog daemon. See man metalog for running options.
  • /etc/metalog.conf - Global (system wide) configuration file. See metalog.conf(5) for more information

Service

OpenRC

Add the metalog daemon to the default runlevel so that logging starts on system boot:

root #rc-update add metalog default

Start metalog by running:

root #rc-service metalog start

Check that recent syslog entries are arriving in /var/log/everything/current:

root #tail -f /var/log/everything/current

runit

systemd

Local logging

Shortest catch-all, single-file logging example. Check the global logfile settings at the top of the file first:

  • maxsize - maximum size of a logfile in bytes before it is rotated
  • maxtime - rotation interval in seconds (e.g. daily, weekly)
  • maxfiles - maximum number of rotated files kept within a logging directory
FILE /etc/metalog.conf Most simple metalog configuration example.
# Most simple Metalog configuration file:
maxsize  = 1048576  # size in bytes (1048576 = 1 megabyte)
maxtime  = 86400    # time in seconds (86400 = 1 day)
maxfiles = 5        # num files per directory

Everything important :

    facility = "*"
    minimum  = 7
    logdir   = "/var/log/everything"

Remote logging

Server

As of app-admin/metalog-20220214:

Note
Metalog has no option to act as a server listening for incoming syslog messages from clients. The receiving host needs a different syslog daemon (for example Rsyslog or Syslog-ng, see the See also section).

Client

To send syslog messages to a remote syslog server, add the following entries to the /etc/metalog.conf configuration file:

remote_host=192.0.2.1
remote_port=514

This sends every message that reaches the daemon to the remote syslog server 192.0.2.1 on port 514. Classic syslog forwarding carries no encryption or authentication, so only forward over a trusted network segment and restrict the server's listener to the client addresses that are expected to send.

FILE /etc/metalog.conf Remote syslog server message sending example.
# Most simple Metalog configuration file:
maxsize  = 1048576  # size in bytes (1048576 = 1 megabyte)
maxtime  = 86400    # time in seconds (86400 = 1 day)
maxfiles = 5        # num files per directory

# Configure sending syslog messages to a remote syslog server
remote_host = 192.0.2.1
remote_port = 514

# Catchall syslog messages
Everything important :

    facility = "*"
    minimum  = 7
    logdir   = "/var/log/everything"
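Because metalog cannot receive messages itself, the easiest way to confirm that forwarding actually leaves the client and arrives with the expected facility and severity is a throwaway receiver on the remote host. The following is an added example, not part of metalog or of this page; it assumes that remote_host/remote_port forwarding uses the classic UDP syslog format in which every datagram begins with "<PRI>" and PRI = facility * 8 + severity (RFC 5424 section 6.2.1). The function names (parse_syslog, receive, send, loopback_demo) and the sample messages are constructed for the example. It is a debugging aid only, not a replacement for a real syslog server.

```python
"""Minimal UDP syslog receiver for checking what a metalog client forwards.

Added example, not metalog's code. Assumption: the client sends classic
"<PRI>text" datagrams over UDP (PRI = facility * 8 + severity).
"""
import socket

# Facility and severity names in RFC 5424 numeric order.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(datagram: bytes) -> dict:
    """Split a datagram into facility, severity and the remaining text.

    A datagram without a well-formed "<PRI>" prefix is kept but flagged as
    invalid, so a misconfigured sender is visible instead of silently lost.
    """
    text = datagram.decode("utf-8", errors="replace")
    if text.startswith("<") and ">" in text[:5]:
        end = text.index(">")
        pri_str = text[1:end]
        if pri_str.isdigit() and int(pri_str) <= 191:  # 23 * 8 + 7 is the maximum
            pri = int(pri_str)
            return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
                    "message": text[end + 1:], "valid": True}
    return {"facility": None, "severity": None, "message": text, "valid": False}


def receive_from(sock: socket.socket, count: int) -> list:
    """Read `count` datagrams from an already bound UDP socket and parse them."""
    out = []
    while len(out) < count:
        data, (src, _) = sock.recvfrom(65535)
        parsed = parse_syslog(data)
        parsed["source"] = src
        out.append(parsed)
    return out


def receive(bind_addr: str, port: int, count: int, timeout: float = 30.0) -> list:
    """Listen on bind_addr:port (e.g. the address given as remote_host, port 514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((bind_addr, port))
        return receive_from(sock, count)


def send(host: str, port: int, facility: str, severity: str, tag: str, msg: str) -> bytes:
    """Emit one classic-format datagram; stands in for the forwarding client."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    payload = f"<{pri}>{tag}: {msg}".encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (host, port))
    return payload


def loopback_demo() -> list:
    """Round-trip two constructed messages over 127.0.0.1 on an ephemeral port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(5.0)
        sock.bind(("127.0.0.1", 0))
        port = sock.getsockname()[1]
        # UDP queues datagrams on the bound socket, so sending first is safe.
        send("127.0.0.1", port, "auth", "warning", "sshd", "Failed password for root")
        send("127.0.0.1", port, "local0", "info", "test", "my syslog-test-message")
        return receive_from(sock, 2)


if __name__ == "__main__":
    for m in loopback_demo():
        print(f"{m['source']} {m['facility']}.{m['severity']} {m['message']}")
```

On the receiving host, `receive("192.0.2.1", 514, 1)` needs root for the privileged port; run it, then execute `logger -t test my syslog-test-message` on the client. A datagram reported as invalid, or one whose facility or severity differs from what `logger -p` was given, points at the client configuration rather than the network.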

Usage

All syslog messages are stored in the /var/log/everything/current file.

Filtering

Note
Read RFC 5424, section 6.2.1, on facility and severity.

Incoming syslog messages can be filtered using the following criteria:

  • facilities, e.g. local0 or kern
  • urgency levels, called severity in the syslog RFCs, numbered 0 (emergency) to 7 (debug)
  • program names, e.g. ^httpd
  • regular expressions (simple regex example needed)

An incoming message is checked against every section of the configuration in turn. If all conditions of a section match, the actions defined for that section are performed.

To write matched messages only to that section's logfile, without also writing them to the catch-all file, end the section with:

 break = 1

break only stops the evaluation of the sections that follow, so a catch-all section must come last in the file; a section placed before the one that matched is not affected.

Simple filter example configuration using the syslog facility to sort incoming messages to dedicated directories:

  • auth facility to /var/log/auth directory only
  • kern facility to /var/log/kern directory only
  • mail facility to /var/log/mail directory only
  • everything else not matched to /var/log/everything directory

The resulting metalog configuration file:

FILE /etc/metalog.conf Simple filtering example using facilities
# Most simple Metalog configuration file:
maxsize  = 1048576  # size in bytes (1048576 = 1 megabyte)
maxtime  = 86400    # time in seconds (86400 = 1 day)
maxfiles = 5        # num files per directory

# matched on the authentication facility to the auth directory
Authentication:

    facility = "auth"
    logdir   = "/var/log/auth"
    break    = 1

# matched on the kernel facility to the kern directory
Kernel:
    facility = "kern"
    logdir   = "/var/log/kern"
    break    = 1

# matched on the mail facility to the mail directory
Mail:
    facility = "mail"
    logdir   = "/var/log/mail"
    break    = 1

# matched on all facilities, with all severities, saved to the everything directory
Everything important :

    facility = "*"
    minimum  = 7
    logdir   = "/var/log/everything"
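The routing rules above (every section is tested in file order, a section matches only when all of its conditions hold, break stops later sections) are easy to get wrong when sections are reordered, so the following added example simulates them over constructed sample messages. It is not metalog's code and its directive semantics are assumptions: `minimum = N` passes a message whose numeric severity is N or lower (more urgent), so `minimum = 7` passes everything; `program` compares the program name and `regex` searches the message text, both listed on this page as filter criteria. The "SSH failures" section, the sample messages, and the function names (section_matches, route, make_msg, route_all) are constructed for the example; it goes beyond the facility-only configuration above to show what happens when a section without break precedes one with it.

```python
"""Simulation of metalog section matching; added example, not metalog's code.

Assumed semantics: sections are evaluated top to bottom, a section matches
when every condition it contains holds, minimum = N passes severity <= N
(0 = emergency, 7 = debug), and break = 1 stops evaluation for that message.
"""
import re

# RFC 5424 severity codes, so sample input can use names.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Sections in file order. The first one is hypothetical and has no break, so
# a matching message continues to the facility sections below it.
SECTIONS = [
    {"name": "SSH failures", "program": "sshd", "regex": "Failed password",
     "logdir": "/var/log/sshd-failures"},
    {"name": "Authentication", "facility": "auth", "logdir": "/var/log/auth", "break": 1},
    {"name": "Kernel", "facility": "kern", "logdir": "/var/log/kern", "break": 1},
    {"name": "Mail", "facility": "mail", "logdir": "/var/log/mail", "break": 1},
    {"name": "Everything important", "facility": "*", "minimum": 7,
     "logdir": "/var/log/everything"},
]


def section_matches(section: dict, msg: dict) -> bool:
    """True when every condition present in the section holds for msg."""
    fac = section.get("facility")
    if fac is not None and fac != "*" and fac != msg["facility"]:
        return False
    if "minimum" in section and msg["severity"] > section["minimum"]:
        return False
    if "program" in section and section["program"] != msg["program"]:
        return False
    if "regex" in section and not re.search(section["regex"], msg["text"]):
        return False
    return True


def route(sections: list, msg: dict) -> list:
    """Return the logdirs a message is written to, in order, honouring break."""
    dirs = []
    for section in sections:
        if not section_matches(section, msg):
            continue
        dirs.append(section["logdir"])
        if section.get("break"):
            break
    return dirs


def make_msg(facility: str, severity: str, program: str, text: str) -> dict:
    return {"facility": facility, "severity": SEVERITY[severity],
            "program": program, "text": text}


# Constructed sample messages, not captured from a real system.
SAMPLES = [
    make_msg("auth", "info", "sshd", "Accepted publickey for alice from 192.0.2.10"),
    make_msg("auth", "warning", "sshd", "Failed password for root from 198.51.100.7"),
    make_msg("kern", "err", "kernel", "EXT4-fs error (device sda1)"),
    make_msg("mail", "info", "postfix/smtpd", "connect from mx.example.net"),
    make_msg("daemon", "debug", "cron", "(root) CMD (run-parts /etc/cron.hourly)"),
]


def route_all(sections: list = SECTIONS, samples: list = SAMPLES) -> dict:
    """Map each sample message text to the directories it ends up in."""
    return {m["text"]: route(sections, m) for m in samples}


if __name__ == "__main__":
    for text, dirs in route_all().items():
        print(f"{text[:45]:45} -> {dirs}")
```

Two things the simulation makes visible: the failed-login line lands in both /var/log/sshd-failures and /var/log/auth but never in /var/log/everything, because the Authentication section's break fires after the regex section already matched; and lowering the catch-all's `minimum` to 6 silently drops the debug-level cron line, which is the kind of gap that is only noticed during an investigation.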

Invocation

user $metalog --help
metalog version 4

Options:
   -a, --async
   -B, --daemonize
   -c, --consolelevel <opt>
   -C, --configfile <opt>
   -g, --group <opt>
   -h, --help
   -N, --no-kernel
   -p, --pidfile <opt>
   -s, --synchronous
   -s, --sync
   -v, --verbose
   -V, --version

Caveats

Though metalog provides log rotation, it only rotates the files it writes itself. Files it does not own, such as /var/log/wtmp and /var/log/btmp (which record logins and logouts, including failed ones), grow unattended. To rotate such files, see app-admin/logrotate.

Troubleshooting

Check if a metalog daemon is running :

user $ps ax | grep metalog
 7753 ?        Ss     0:00 metalog [MASTER]
 7754 ?        S      0:00 metalog [KERNEL]

Use the logger command to send a test syslog message:

user $logger -t test my syslog-test-message

When metalog is configured properly, the following message appears in the /var/log/everything/current file (and in the logs of the remote syslog server, if forwarding is configured):

root #tail /var/log/everything/current
...
Jun 17 20:22:46 [test] my syslog-test-message

Removal

Unmerge

root #emerge --ask --depclean --verbose app-admin/metalog

See also

  • Logging — the process by which systems record notable events to provide users and administrators with a view of what is happening while a machine is running.
  • Metalog (Security Handbook) - The system logging with Metalog is covered in the Security Handbook.
  • Rsyslog — open source system for high performance log processing.
  • Sysklogd — utility that reads and logs messages to the system console, logs files, other machines and/or users as specified by its configuration file.
  • Syslog-ng — a powerful, highly configurable monitoring and logging daemon.
