If you work in the SysAdmin field, sooner or later you will have to deal with system logs. In this article, I will explain how to configure the Syslog-ng daemon. You may have heard of it since it is indicated in the Gentoo installation guide. The first thing to keep in mind is that there are facilities and log levels, which could be considered categories and subcategories.
Facilities: local0, local1, local2, local3, local4, local5, local6, local7, cron, daemon, kern, mail, auth, authpriv, ftp, lpr, mark, news, ntp, user, uucp
Log levels: emerg, alert, crit, err, warning, notice, info, debug
In this example, we will configure the ssh logs. To do this, we generate the log file:
We make sshd log with facility local1 at level INFO by setting the following in sshd_config:
SyslogFacility LOCAL1
LogLevel INFO
In syslog-ng, we first define the destination:
destination ssh { file("/var/log/ssh.log"); };
We configure a filter:
filter f_ssh { facility(local1) and level(info); };
We tie the source, the filter and the destination together in a log statement (src is the source already defined in the configuration):
log { source(src); filter(f_ssh); destination(ssh); };
Everything that matches the filter ends up in the appropriate file ;)
We could create more advanced filters like these:
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_mail { facility(mail); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_ssh { facility(local1) and level(info); };
filter f_resto { not facility(local1, auth, authpriv, news, mail); };
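To check where a message would land under these filters before reloading the daemon, here is an added Python example (not from the original article) that decodes the syslog PRI field and applies the same filter logic. The sample lines are constructed; note that syslog-ng's level(info) matches exactly that severity, so a local1 message at warning is not caught by f_ssh.

```python
# Added example: mirrors the article's syslog-ng filters in Python and reports
# which filters a message would match. Sample messages below are constructed.
# PRI = facility * 8 + severity (RFC 3164 encoding used on the wire).
import re

# Numeric facility codes used by syslog; names follow the article's facility list.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "ntp": 12, "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
NAME_OF_FACILITY = {code: name for name, code in FACILITIES.items()}

def parse_pri(line):
    """Return (facility, level) names decoded from the leading <PRI> field."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError("missing <PRI> prefix: " + line)
    pri = int(m.group(1))
    return NAME_OF_FACILITY[pri // 8], LEVELS[pri % 8]

# The article's filters as predicates on (facility, level).
# level(info) in syslog-ng matches only that one severity, not "info and above".
FILTERS = {
    "f_authpriv": lambda f, l: f in ("auth", "authpriv"),
    "f_syslog":   lambda f, l: f not in ("authpriv", "mail"),
    "f_mail":     lambda f, l: f == "mail",
    "f_debug":    lambda f, l: f not in ("auth", "authpriv", "news", "mail"),
    "f_ssh":      lambda f, l: f == "local1" and l == "info",
    "f_resto":    lambda f, l: f not in ("local1", "auth", "authpriv", "news", "mail"),
}

def matching_filters(line):
    """Names of the article's filters that would accept this message."""
    facility, level = parse_pri(line)
    return sorted(name for name, pred in FILTERS.items() if pred(facility, level))

# Constructed samples: local1.info (17*8+6=142), local1.warning (140), authpriv.notice (85).
SAMPLES = [
    "<142>Jan  1 10:00:00 host sshd[123]: Accepted publickey for alice from 192.0.2.10",
    "<140>Jan  1 10:00:01 host sshd[123]: constructed warning-level message",
    "<85>Jan  1 10:00:02 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_pri(line), "->", matching_filters(line))
```

The second sample shows the gap a practitioner should watch for: a local1 message at warning is neither in f_ssh nor in f_resto, so it only reaches the destinations fed by f_syslog and f_debug.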
This is a basic configuration example, but I think it is clear enough to be a starting point for more complex configurations. Keep in mind that facilities and log levels are configured differently for each daemon.