Scribe filters for NextDNS CLI and other filters?


MvW

Senior Member
I don't understand a thing about Scribe and its filters. I'm halfway through the 70 pages you guys filled with your knowledge and still don't get it, so I fear the learning curve is too steep for me. So I'd like to ask if there's anyone willing to help me write the two necessary files for logrotate.d and syslog-ng.d to filter the chatter from the NextDNS CLI client out of messages.

Or maybe someone has already written these for the NextDNS client and is willing to share them? Is there (or maybe there is, but I still have 36 pages to go, which will probably take me another 3 nights) some sort of repository with the available filters? I have found the examples directories and even managed to get some of them in the right directories, and working through SSH, so I have actually expanded the webUI with new filters, but I imagine you have made more. Is there such a thread somewhere, or is it an idea to set it up if it hasn't been done yet?

Best regards,
Marco
 

Jack Yaz

Part of the Furniture
Can you share some sample syslog entries? I can then create a filter for you.
 

Smokey613

Very Senior Member
This would be awesome......
 

Smokey613

Very Senior Member
Mine all look like this:

Mar 15 17:58:57 RT-AC86U-89D0 nextdns[1709]: Connected 162.250.7.137:443 (con=17ms tls=0ms, )
Mar 15 18:03:26 RT-AC86U-89D0 nextdns[1709]: Connected 162.250.7.137:443 (con=18ms tls=37ms, TLS13)
Mar 15 18:05:27 RT-AC86U-89D0 nextdns[1709]: Connected 162.250.7.137:443 (con=17ms tls=38ms, TLS13)
Mar 15 18:08:24 RT-AC86U-89D0 nextdns[1709]: Connected 162.250.7.137:443 (con=17ms tls=37ms, TLS13)
Mar 15 18:08:58 RT-AC86U-89D0 nextdns[1709]: Connected 162.250.7.137:443 (con=17ms tls=48ms, TLS13)
 

MvW

Senior Member
Can you share some sample syslog entries? I can then create a filter for you
I think these are all the flavours I've seen coming by over the last 24 hours.

Code:
Mar 16 05:04:36 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=14ms tls=32ms, TLS13)
Mar 16 05:05:47 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=18ms tls=66ms, TLS13)
Mar 16 05:06:20 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=33ms, TLS13)
Mar 16 05:07:07 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=45ms, TLS13)
Mar 16 05:08:56 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=20ms tls=48ms, TLS13)
Mar 16 05:09:35 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=14ms tls=55ms, TLS13)
Mar 16 05:10:43 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=35ms, TLS13)
Mar 16 05:11:17 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=32ms, TLS13)
Mar 16 05:12:17 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=124ms tls=143ms, TLS13)
Mar 16 05:13:25 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=13ms tls=43ms, TLS13)
Mar 16 05:14:36 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=11ms tls=33ms, TLS13)
Mar 16 05:15:44 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=14ms tls=34ms, TLS13)
Mar 16 05:16:16 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=35ms, TLS13)
Mar 16 05:17:27 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=40ms, TLS13)
Mar 16 05:18:48 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=0ms, )
Mar 16 05:20:30 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=12ms tls=34ms, TLS13)
Mar 16 05:22:17 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=19ms tls=48ms, TLS13)
Mar 16 05:23:12 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=18ms tls=46ms, TLS13)
Mar 16 05:24:03 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=11ms tls=35ms, TLS13)
Mar 16 05:25:51 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=17ms tls=33ms, TLS13)
Mar 16 05:26:25 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=32ms, TLS13)
Mar 16 05:27:17 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=41ms, TLS13)
Mar 16 05:28:11 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=11ms tls=0ms, )
Mar 16 05:28:46 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=46ms, TLS13)
Mar 16 05:30:00 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=13ms tls=48ms, TLS13)
Mar 16 05:31:13 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=31ms, TLS13)
Mar 16 05:31:56 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=33ms, TLS13)
Mar 16 05:33:42 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=19ms tls=49ms, TLS13)
Mar 16 05:35:51 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=19ms tls=49ms, TLS13)
Mar 16 05:37:17 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=17ms tls=0ms, )
Mar 16 05:38:20 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=34ms, TLS13)
Mar 16 05:39:37 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=19ms tls=43ms, TLS13)
Mar 16 05:41:19 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=42ms, TLS13)
Mar 16 05:41:50 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=17ms tls=32ms, TLS13)
Mar 16 05:44:06 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=32ms, TLS13)
Mar 16 05:46:50 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=12ms tls=34ms, TLS13)
Mar 16 05:47:44 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=36ms, TLS13)
Mar 16 05:48:18 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=33ms, TLS13)
Mar 16 05:49:56 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=11ms tls=33ms, TLS13)
Mar 16 05:50:53 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=41ms, TLS13)
Mar 16 05:51:56 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=34ms, TLS13)
Mar 16 05:53:14 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=0ms tls=0ms, )
Mar 16 05:54:37 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=13ms tls=47ms, TLS13)
Mar 16 05:56:24 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=34ms, TLS13)
Mar 16 05:58:52 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=11ms tls=44ms, TLS13)
Mar 16 06:00:02 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=37ms, TLS13)
Mar 16 06:02:17 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=34ms, TLS13)
Mar 16 06:04:14 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=17ms tls=35ms, TLS13)
Mar 16 06:05:17 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=17ms tls=46ms, TLS13)
Mar 16 06:06:38 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=20ms tls=49ms, TLS13)
Mar 16 06:07:17 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=13ms tls=42ms, TLS13)
Mar 16 06:08:48 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=33ms, TLS13)
Mar 16 06:09:44 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=33ms, TLS13)
Mar 16 06:13:22 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=31ms, TLS13)
Mar 16 06:18:31 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=0ms, )
Mar 16 06:20:24 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=33ms, TLS13)
Mar 16 06:21:51 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=7ms tls=35ms, TLS13)
Mar 16 06:23:36 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=35ms, TLS13)
Mar 16 06:25:02 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=21ms tls=59ms, TLS13)
Mar 16 06:27:58 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=13ms tls=34ms, TLS13)
Mar 16 06:28:52 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=33ms, TLS13)
Mar 16 06:32:06 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=15ms tls=33ms, TLS13)
Mar 16 06:34:10 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=11ms tls=37ms, TLS13)
Mar 16 06:34:45 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=13ms tls=0ms, )
May  5 07:05:26 nextdns[2092]: Starting NextDNS 1.11.0/linux on 127.0.0.1:5342
May  5 07:05:26 nextdns[2092]: Starting mDNS discovery
May  5 07:05:26 nextdns[2092]: Listening on TCP/127.0.0.1:5342
May  5 07:05:26 nextdns[2092]: Listening on UDP/127.0.0.1:5342
May  5 07:05:28 nextdns[2092]: Endpoint provider failed: &{dns.nextdns.io. https://dns.nextdns.io#45.90.28.0,2a07:a8c0::,45.90.30.0,2a07:a8c1::}: exchange: roundtrip: x509: certificate has expired or is not yet valid: current time 2018-05-05T07:05:28+02:00 is before 2021-03-13T23:55:09Z
May  5 07:05:28 nextdns[2092]: Query 192.168.1.35 UDP 65 gateway.icloud.com. (qry=69/res=12) 364ms : doh resolve: x509: certificate has expired or is not yet valid: current time 2018-05-05T07:05:28+02:00 is before 2021-03-13T23:55:09Z
May  5 07:05:29 nextdns[2092]: Endpoint provider failed: &{dns.nextdns.io. https://dns.nextdns.io}: exchange: roundtrip: x509: certificate has expired or is not yet valid: current time 2018-05-05T07:05:29+02:00 is before 2021-03-13T23:55:09Z
May  5 07:05:29 nextdns[2092]: Endpoint failed: https://dns1.nextdns.io#45.90.28.0,2a07:a8c0::: roundtrip: x509: certificate has expired or is not yet valid: current time 2018-05-05T07:05:29+02:00 is before 2021-03-13T23:55:09Z
May  5 07:05:29 nextdns[2092]: Endpoint failed: https://dns2.nextdns.io#45.90.30.0,2a07:a8c1::: roundtrip: x509: certificate has expired or is not yet valid: current time 2018-05-05T07:05:29+02:00 is before 2021-03-13T23:55:09Z
May  5 07:05:29 nextdns[2092]: Switching endpoint: 45.90.28.0:53
May  5 07:05:31 nextdns[2092]: Setting up router
Mar 16 06:37:34 nextdns[2092]: Connected 95.179.134.211:443 (con=14ms tls=33ms, TLS13)
Mar 16 06:37:34 nextdns[2092]: Switching endpoint: https://dns.nextdns.io.#188.172.219.167,2a00:11c0:63:350::3,95.179.134.211,2001:19f0:5001:1faf:5400:2ff:fec8:7d49

If it's not too much to ask, would you be so kind as to explain what you did? I'd like to learn from it. Am I correct in stating there are always two files needed, one for rotating the log and one for the filter itself?

Edit: I think I missed a few when first pasting the results, so I did it another time. At the end of the list above is a reboot, which shows some different output than the usual
Code:
Mar 16 06:21:51 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=7ms tls=35ms, TLS13)
chatter.


Thanks in advance, I really appreciate your efforts.

Best regards,
Marco
 

elorimer

Very Senior Member
On the what part. Syslog-ng is built around three definitions and a command: a definition of the source of the log messages (which scribe does for you), a filter that defines what messages you are picking out of those messages, a destination of where you are going to send those messages, and a command that says of the messages from this source, select those that meet this filter and send them to that destination. Or, if you don't state a destination, drop them.

All of these messages share one thing: they are logged as coming from the program nextdns. So your filter will be program("nextdns"). Take one of the examples that use a program filter, edit it that way, give the destination file a name too, and save it to the syslog-ng.d directory as nextdns, and reload.

Logrotate runs daily and rotates all the logs in /opt/var/log, and maybe the defaults are enough. If not you can specify your own parameters in a file in /opt/etc/logrotate.d. If you are dropping the messages, of course, you don't need to do anything.
 

MvW

Senior Member
So, like this: (I used the pixelserv example)?

Code:
# log all nextdns logs to /opt/var/log/nextdns.log and stop processing nextdns logs

destination d_nextdns {
    file("/opt/var/log/nextdns.log");
};

filter f_nextdns {
    program("nextdns");
};

log {
    source(src);
    filter(f_nextdns);
    destination(d_nextdns);
    flags(final);
};

#eof

I've done this simply by search and replace in all honesty. The one thing I don't yet get is the line

Code:
and stop processing nextdns logs

Which part in the filter above stops the output of NextDNS log to syslog/messages?
 

elorimer

Very Senior Member
Looks good to me. Now you are a pro!

When you have scribe reload the configuration, it will tell you that it is running. It is a good idea to immediately have scribe check the status to be sure.

The part of the command that stops further processing is the "flags(final)". Scribe is based on a waterfall idea: messages are tested with each configuration file in syslog-ng.d, in alphabetic order. If a message satisfies a filter, it is sent to the destination and then that message isn't processed anymore. If it doesn't satisfy a filter, it goes on to the next filter. If it hasn't met any filter, it drops down to messages. If you were to take out that flag, after being sent to the destination it would be sent on to the next filter. That's how you can send all your messages to a remote log, and then continue to send them to the local log.
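
The waterfall described above, as a small Python model (an added example, not part of the original posts and not scribe or syslog-ng code). `LogPath`, `route` and the `CHATTER_ONLY` variant are assumptions made for illustration; the variant goes one step beyond the thread's filter by matching only the `Connected` lines, so other nextdns messages such as `Switching endpoint` still reach messages.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Syslog line layout as seen in the thread. The hostname is optional because
# the boot-time lines ("May  5 ...") were logged without one.
LINE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d "
    r"(?:(?P<host>\S+) )?(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)

@dataclass
class LogPath:
    name: str                      # file name in syslog-ng.d, decides the order
    match: Callable[[dict], bool]  # stands in for filter(...)
    dest: Optional[str]            # stands in for destination(...); None drops
    final: bool = True             # stands in for flags(final)

def route(lines, paths):
    """Return {destination: [lines]} following the waterfall described above."""
    out = {"messages": []}
    for raw in lines:
        m = LINE.match(raw)
        rec = m.groupdict() if m else {"host": None, "prog": "", "msg": raw}
        stopped = False
        for path in sorted(paths, key=lambda p: p.name):
            if not path.match(rec):
                continue
            if path.dest is not None:
                out.setdefault(path.dest, []).append(raw)
            if path.final:          # flags(final): no later log path sees it
                stopped = True
                break
        if not stopped:             # fell through every file: ends in messages
            out["messages"].append(raw)
    return out

def is_nextdns(rec):
    return rec["prog"] == "nextdns"

def is_chatter(rec):
    return is_nextdns(rec) and rec["msg"].startswith("Connected ")

NEXTDNS_LOG = "/opt/var/log/nextdns.log"
THREAD_FILTER = [LogPath("nextdns", is_nextdns, NEXTDNS_LOG)]
WITHOUT_FINAL = [LogPath("nextdns", is_nextdns, NEXTDNS_LOG, final=False)]
DROP_ALL = [LogPath("nextdns", is_nextdns, None)]
CHATTER_ONLY = [LogPath("nextdns", is_chatter, NEXTDNS_LOG)]  # hypothetical variant

# The first four lines are copied from the samples posted in the thread;
# the dnsmasq line is constructed for this example.
SAMPLE = [
    "Mar 16 05:04:36 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=14ms tls=32ms, TLS13)",
    "Mar 16 05:18:48 RT-AC86U nextdns[2061]: Connected 95.179.134.211:443 (con=16ms tls=0ms, )",
    "May  5 07:05:29 nextdns[2092]: Switching endpoint: 45.90.28.0:53",
    "May  5 07:05:31 nextdns[2092]: Setting up router",
    "Mar 16 05:05:00 RT-AC86U dnsmasq[321]: constructed sample line",
]

def summary(paths):
    """Count of lines per destination for the sample above."""
    return {dest: len(lines) for dest, lines in route(SAMPLE, paths).items()}

if __name__ == "__main__":
    for label, paths in [("thread filter", THREAD_FILTER),
                         ("without flags(final)", WITHOUT_FINAL),
                         ("no destination", DROP_ALL),
                         ("Connected lines only", CHATTER_ONLY)]:
        print(f"{label:22} {summary(paths)}")
```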
 

MvW

Senior Member
It is a good idea to immediately have scribe check the status to be sure.

Ehrm, I haven't had the guts yet to try it out, I was awaiting your or Jack's reply for approval.

How do I let scribe check the status?
 

elorimer

Very Senior Member
From the command line, type scribe.
From the menu, (from memory) one command is reload configuration, and another is check status.
 

Jack Yaz

Part of the Furniture
Ehrm, I haven't had the guts yet to try it out, I was awaiting your or Jack's reply for approval.

How do I let scribe check the status?
Sorry, work got in the way (yay for big problems!).
Your filter looks exactly like what I was going to produce, good job!
 

MvW

Senior Member
Well, I've copied the filter and the logrotate file to the appropriate directories. For logrotate I also used the pixelserv example, which now looks like this:

Code:
/opt/var/log/nextdns.log {
    minsize 1024K
    daily
    rotate 9
    postrotate
        /usr/bin/killall -HUP syslog-ng
    endscript
}

I reloaded scribe and let it check its own status, which shows no errors, so it seems like everything worked out.

Code:
[email protected]:/tmp/home/root# scribe
                            _
                         _ ( )
       ___    ___  _ __ (_)| |_      __
     /',__) /'___)( '__)| || '_`\  /'__`\
     \__, \( (___ | |   | || |_) )(  ___/
     (____/`\____)(_)   (_)(_,__/'`\____)
     syslog-ng and logrotate installation
     v2.4_3 (master)  Coded by cynicastic

 =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

     s.    Show scribe status
     rl.   Reload syslog-ng.conf
     lr.   Run logrotate now
     rs.   Restart syslog-ng
     st.   Stop syslog-ng & logrotate cron

     u.    Update scribe
     uf.   Update filters
     su.   scribe utilities
     e.    Exit scribe

     is.   Reinstall scribe
     zs.   Remove scribe

 =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

 Please select an option: rl
 reloading syslog-ng.conf ... Config reload successful

 Restarting uiScribe ...            done.
 Press [Enter] to continue:
                            _
                         _ ( )
       ___    ___  _ __ (_)| |_      __
     /',__) /'___)( '__)| || '_`\  /'__`\
     \__, \( (___ | |   | || |_) )(  ___/
     (____/`\____)(_)   (_)(_,__/'`\____)
     syslog-ng and logrotate installation
     v2.4_3 (master)  Coded by cynicastic

 =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

     s.    Show scribe status
     rl.   Reload syslog-ng.conf
     lr.   Run logrotate now
     rs.   Restart syslog-ng
     st.   Stop syslog-ng & logrotate cron

     u.    Update scribe
     uf.   Update filters
     su.   scribe utilities
     e.    Exit scribe

     is.   Reinstall scribe
     zs.   Remove scribe

 =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

 Please select an option: s

      checking syslog-ng daemon ... alive.

 checking system for necessary scribe hooks ...

          checking S01syslog-ng ... present.
         checking service-event ... present.
            checking post-mount ... present.
               checking unmount ... present.
    checking logrotate cron job ... present.
       checking directory links ... present.

 checking syslog-ng configuration ...

   syslog-ng.conf version check ... in sync. (3.29)
    syslog-ng.conf syntax check ... okay!

          scribe installed version: v2.4_3 (master)
             scribe GitHub version: v2.4_3 (master)
                    scribe is up to date!

 Press [Enter] to continue:

No errors, so I'm curious to see how this works out.

One more question (for now): is there a repository anywhere on the forum with more examples? I found some made by @Butterfly Bones if I recall correctly, but these were only filters.

To anyone interested, I've attached the files (remember, they have yet to prove that they're actually doing what they're supposed to do). To use them, copy them to their respective directories on your router (see filenames) using WinSCP, FileZilla or any other program of your choice, rename them (remove everything after nextdns, from the underscore directly following it up to and including the .txt at the end, so you're left with the file nextdns) and change permissions using

Code:
chmod 600 /opt/etc/syslog-ng.d/nextdns
Code:
chmod 600 /opt/etc/logrotate.d/nextdns

Make sure you put the right file in the right directory :D

Then follow the steps above to reload syslog-ng config and check the status as advised by @elorimer.
 

Attachments

  • nextdns_place_this_file_in_opt_etc_logrotate.d.txt
    139 bytes · Views: 39
  • nextdns_place_this_file_in_opt_etc_syslog.d.txt
    299 bytes · Views: 38

MvW

Senior Member
Eureka, it works :D. I had to reboot because the nextdns log stayed empty, but after a reboot it got filled immediately. The only thing I notice is that the lines before ntpd has synced are not in the nextdns log, while the timestamps still show the hardcoded time, but maybe there's a logical explanation for that?
 

elorimer

Very Senior Member
The only thing I notice is that the lines before ntpd has synced are not in the nextdns log, while the timestamps still show the hardcoded time, but maybe there's a logical explanation for that?
Yes, so entware doesn't start until after ntpd has synced, so syslog-ng hasn't kicked in to replace syslogd. Until that point the firmware is sending log messages through syslogd to /tmp/syslog.log. That includes all the messages logged before syslog-ng starts.

As scribe is configured, when it starts, it appends all those syslog.log messages to the messages file. They are easy to spot because they have the May 5 date, and there is a message that syslogd and klogd have stopped, and syslog-ng has started. From that point any new messages are filtered by syslog-ng. So if nextdns is logging messages before syslog-ng takes over, they end up in messages rather than in your custom file.

I do it differently. When syslog-ng starts, I put all those syslog.log messages into a different file, and then I pour that file through syslog-ng before anything else. That gives all my log messages a timestamp starting at the time syslog-ng started but in order, and filters them all from the beginning.
 

MvW

Senior Member
I expected it to be something like that. Your solution, is that something that's easy to achieve or is it too advanced for a novice syslog-ng rookie like yours truly?
 

MvW

Senior Member
@elorimer Can you teach me how to set it up your way, because I see messages slipping through the cracks because the filters aren't in place or active yet and I would like to learn how to get them all in the appropriate files.
 

elorimer

Very Senior Member
I'm not recommending it, necessarily. Among other things, anytime scribe is updated (which it hasn't in a while), it overwrites this. You also might have to change the default queue length, depending on how many messages your boot generates. And it has been "tested" (if you can call it that) by a sample size of, um, one.

 