# Example configuration file for syslog-ng
# The default s_src source is supposed to exist and contain at least system()
# This file should be copied to your /etc/syslog-ng/conf.d directory
#
# Don't forget to logrotate! (included in logrotate.d/bastion-syslog)
#
# Also don't forget to exclude bastion logs from system-wide logs, by excluding
# the filter(f_bastion) from those, under debian it usually means:
#
# filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug) and not filter(f_bastion); };
# filter f_messages { level(info,notice,warn) and
#                    not facility(auth,authpriv,cron,daemon,mail,news) and not filter(f_bastion); };


# we define destinations, might be a good idea to log to a remote syslog in addition to locally

destination d_bastion_all {
    file("/var/log/bastion/bastion.log"
        perm(0640) dir_perm(0750) create_dirs(yes)
    );
};

destination d_bastion_warn {
    file("/var/log/bastion/bastion-warn.log"
        perm(0640) dir_perm(0750) create_dirs(yes)
    );
};

destination d_bastion_die {
    file("/var/log/bastion/bastion-die.log"
        perm(0640) dir_perm(0750) create_dirs(yes)
    );
};

destination d_bastion_security {
    file("/var/log/bastion/bastion-security.log"
        perm(0640) dir_perm(0750) create_dirs(yes)
    );
};

# this filter catches all bastion syslogs

filter f_bastion {
    facility(local7);
    match("bastion" value("PROGRAM") type("string"));
};

# split message just to get the msgtype and filter on it

parser p_bastion_msg {
    csv-parser(columns("BASTION.MSGTYPE", "BASTION.PAYLOAD")
        delimiters(" ")
        flags(greedy)
        flags(escape-none)
    );
};

# then the 3 specific message types

filter f_bastion_warn {
    filter(f_bastion);
    match("warn" value("BASTION.MSGTYPE") type("string"));
};

filter f_bastion_die {
    filter(f_bastion);
    match("die" value("BASTION.MSGTYPE") type("string"));
};

filter f_bastion_security {
    filter(f_bastion);
    match("security" value("BASTION.MSGTYPE") type("string"));
};

# finally, we use our filters and destinations here

log {
    source(s_src);
    parser(p_bastion_msg);
    filter(f_bastion);
    destination(d_bastion_all);
};

log {
    source(s_src);
    parser(p_bastion_msg);
    filter(f_bastion_warn);
    destination(d_bastion_warn);
};

log {
    source(s_src);
    parser(p_bastion_msg);
    filter(f_bastion_die);
    destination(d_bastion_die);
};

log {
    source(s_src);
    parser(p_bastion_msg);
    filter(f_bastion_security);
    destination(d_bastion_security);
};