# Sample Metalog configuration file # Comments are introduced with "#", which is ONLY allowed at the beginning of a line. # Rotate log after file size (1048576 = 1 megabyte) maxsize = 1048576 # Rotate log at least after 30 days (in seconds) maxtime = 2592000 # Number of archive files per directory maxfiles = 5 # directory with more config files to load; files names must end with ".conf" #configdir = /etc/metalog.d # Permissions for log directories. 0750 allows group to read logs. 0700 is default. #perms = 0750 # Format of the timestamp: YYYY-MM-DD HH:MM:SS.NNN #stamp_fmt = "%F %T.%3N" # Configures a remote log server #remote_host = 192.168.1.2 #remote_port = 514 # Send all logs via UDP to a remote log server #remote_log = 1 # This will capture all of the internal log messages that metalog itself # generates. If you use any "command" options below, you will want this # as metalog generates a lot of status messages whenever it executes a # command and children processes exit. # #Metalog: # program = "metalog" # logdir = "/var/log/metalog" # break = 1 # Uncomment and adjust the following lines according to your console logging # needs. If you want to only output things that were not caught by other log # sections, move this to the end of the file. Make sure this command is on # your root partition if you have /usr mounted separately. This script should # merely write $@ to some device (your console for messages): # echo "$@" > /dev/tty10 # # Hint: you can control the consolelog.sh behavior in /etc/conf.d/metalog # #console logging: # facility = "*" # command = "/sbin/consolelog.sh" Everything important: facility = "*" minimum = 6 logdir = "/var/log/everything" #if break keyword does not appear, rules after here will be run. Everything very important: facility = "*" minimum = 1 logdir = "/var/log/critical" Password failures: regex = "(password|login|authentication)\s+(fail|invalid)" regex = "(failed|invalid)\s+(password|login|authentication|user)" regex = "ILLEGAL ROOT LOGIN" logdir = "/var/log/pwdfail" # command = "/usr/local/sbin/mail_pwd_failures.sh" # If you changed default permissions it may be a good idea to set more # restrictive permissions on sensitive logs. # perms = 0700 Kernel messages: facility = "kern" logdir = "/var/log/kernel" break = 1 # Additionally send this log entries via UDP to a remote log server # remote_log = 1 Crond: facility = "cron" logdir = "/var/log/cron" break = 1 Dudes firewalled by IPTrap: program = "iptrap" logdir = "/var/log/iptrap" break = 1 FTP Server: facility = "ftp" logdir = "/var/log/ftpd" break = 1 News Server: facility = "news" logdir = "/var/log/news" break = 1 SSH Server: program = "sshd" logdir = "/var/log/sshd" break = 1 # why the hell do you still run that thing !? Telnet: program = "login" logdir = "/var/log/telnet" break = 1 Imap: program = "/usr/sbin/imapd" logdir = "/var/log/imap" break = 1 POP Toaster: program = "/usr/sbin/ipop3d" logdir = "/var/log/pop" break = 1 Mail: facility = "mail" neg_regex= "starting daemon" logdir = "/var/log/mail" break = 1 # exim stuff - log output from every program whose name begins with "exim". Exim: program_regex = "^exim" logdir = "/var/log/exim" break = 1 Imap: program = "/usr/sbin/imapd" logdir = "/var/log/imap" break = 1 # log output from every program whose name begins with "ppp" Ppp: program_regex = "^ppp" logdir = "/var/log/ppp" break = 1 Postgresql: program_regex = "^postmaster" program_regex = "^postgres" logdir = "/var/log/postgres" break = 1 Apache: program_regex = "^httpd" logdir = "/var/log/http" break = 1 HAL: program_regex = "^hal" logdir = "/var/log/hal" break = 1