Apr 22

syslog-ng is a replacement for syslog and for the 15 dozen little scripts we've all written over the years to make syslog work the way we want. One of its most sought-after features is the ability to create per-host log files on a central syslog-ng server. With standard syslog it was possible to send logs from other machines over the network to a central collector, but they all arrived in a single file. You either had to parse that file with a script later on to pull out the host you wanted, or you had to run a usually intensive search-and-sort process to break the data out into individual logs. syslog-ng has native support for writing each remote syslog stream to its own file in real time. I won't go into the hows and whys of the syslog-ng.conf file, which is fairly complex, but if you paste the following snippet into your conf file and restart syslog, you will get a new log file in /var/log/HOSTS/, named after the hostname or IP (depending on your global config), for each host that sends syslog data to your collector.

# accept syslog messages over UDP (default port 514)
source s_udp { udp(); };
# one file per sending host; $HOST is the hostname or IP, depending on your global options
destination d_udp { file("/var/log/HOSTS/$HOST"); };
log { source(s_udp); destination(d_udp); };

Note that this assumes standard syslog clients sending to this server over good old UDP. If you have syslog-ng hosts sending to this server, you can configure them to use TCP instead, but I leave that to you.
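As an added example that is not part of the original post, here is the same snippet extended with a TCP source for syslog-ng clients and with the global options that decide where $HOST comes from, so the per-host file name is derived from the sender's address rather than from whatever hostname the client wrote into its own message header. The option names are standard syslog-ng options; the TCP port, the owner/group and the permission bits are assumptions for this example.

```conf
# Global options: derive $HOST from the peer address, not from the message header
options {
    keep_hostname(no);   # ignore the hostname field the client put in the message
    use_dns(no);         # file under the peer IP; set yes to use reverse DNS names
    chain_hostnames(no); # do not prepend relay names to $HOST
    create_dirs(yes);    # create /var/log/HOSTS/ if it does not exist yet
};

# Plain syslog clients over UDP, syslog-ng clients over TCP (port 514 assumed)
source s_udp { udp(); };
source s_tcp { tcp(port(514)); };

# One file per sending host, readable only by root and the log group (values assumed)
destination d_hosts {
    file("/var/log/HOSTS/$HOST" owner("root") group("adm") perm(0640) dir_perm(0750));
};

log { source(s_udp); source(s_tcp); destination(d_hosts); };
```

With keep_hostname(no), messages forwarded by a relay are filed under the relay's address, so for a trusted relay you may want keep_hostname(yes) on that source only.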
