# syslog.conf selection by ident



## quicktrick (May 23, 2018)

I have not found anywhere in the docs how to make selections from _syslog_ by _ident_.  

I use chrooted _Unbound_ and I've configured it to write its log to _syslog_.


> *use-syslog:* _<yes or no>_
> Sets unbound to send log messages to the syslogd, using _syslog()_.
> The log facility LOG_DAEMON is used, with identity
> "unbound". The logfile setting is overridden when use-syslog is
> turned on. The default is to log to syslog.



I've found in syslog.conf(5) an example of how to select records from _syslog_ by program name:

```
!unbound
*.*    /var/log/unbound.log
!*
```

But there is also a notice


> It is preferred that selections be made
> on _facility_ rather than _program_, since the latter can easily vary in a
> networked environment. In some cases, though, an appropriate _facility_
> simply does not exist.



After some experiments I found that the following entry works as selector by identity (_ident_), instead of the previous code:

```
daemon.*.unbound    /var/log/unbound.log
```

I'm not quite sure about the correctness of its syntax, but it works fine. I just wonder why this feature is not described anywhere in the documentation?


----------



## ShelLuser (May 23, 2018)

As usual there are more solutions to a problem. However, I agree that this can be a little confusing to read at first. Been there, had that happen to myself as well.

If you want to use the identity you'd normally use something like:


```
# Package management
!pkg,pkg-static
*.*                                             /var/log/pkg.log
```
Now, the problem with all this is that your syslog.conf normally starts with several global entries which only care about the priority of the messages and not so much the identity. For example:


```
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit    /var/log/messages
```
Do note that I have edited this entry and it no longer matches the default.

Still, my point here is that if you have a message mapped as unbound.notice (or higher) then this would end up in /var/log/messages and not so much any of your other optional entries. As said above there are more ways to solve this, but I personally prefer something like:


```
!-imap,named,pkg-static,pkg
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit    /var/log/messages
```
... at the start. This tells syslog that it should (temporarily) ignore any entries with these identities. Then, later in my config, I'm using this:


```
# Bind logging
!named
*.*                                             /var/log/named.log
!*
local1.*                                        /var/log/named.log
```
First I'm fully including named and I log everything to /var/log/named.conf. Then I include everything else (the !*) and separate my further entries accordingly. The PKG example I showed above is actually placed below this section for obvious reasons.

So this would also be my recommendation. First disable unbound by using !-unbound, then re-enable it later in your config file.


----------



## quicktrick (May 23, 2018)

ShelLuser said:


> If you want to use the identity you'd normally use something like:
> 
> ```
> # Package management
> ...
> ```



I'm sorry, ShelLuser, but I'm afraid "!pkg" is not an identity. As described in syslog.conf(5):


> A _program_ specification is a line beginning with `#!prog' or `!prog' (the
> former is for compatibility with the previous syslogd, if one is sharing
> *syslog.conf* files, for example) and the following blocks will be associated
> with calls to syslog(3) from that specific program. A _program_ spec-
> ...


We can find some description of identity (_ident_) in syslog(3):


> The *openlog*() function provides for more specialized processing of the
> messages sent by *syslog*() and *vsyslog*(). The _ident_ argument is a string
> that will be prepended to every message.


What's more, there is another option in unbound.conf concerning the identity:


> *log-identity:* _<string>_
> If "" is given (default), then the name of the executable, usually
> "unbound" is used to report to the log. Enter a string to
> override it with that, which is useful on systems that run more
> ...


So, if you have e.g. two instances of Unbound with different identities and you want to send their logs to different files, you have to select their log records by their corresponding identities, not by the program name.


----------
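
The layout discussed above, applied to two Unbound instances with different `log-identity` values, as an added example that is not from either poster and is not syslogd's own code: a small Python model of `!prog`, `!-prog` and `!*` blocks. It assumes syslogd compares the block name with the tag at the start of each message; the identities `unbound-lan` and `unbound-dmz` and the log file names are hypothetical.

```python
# Added model of syslog.conf program blocks; not syslogd code.
# Assumption: "!prog" is compared with the tag that starts each message.
import re

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed config: hypothetical identities and file names.
CONF = """\
!-unbound-lan,unbound-dmz
*.notice;authpriv.none    /var/log/messages
!unbound-lan
*.*    /var/log/unbound-lan.log
!unbound-dmz
*.*    /var/log/unbound-dmz.log
!*
"""

def parse(conf):
    """Return (include, names, selector, action) rules; names=None means '!*'."""
    rules, include, names = [], True, None
    for line in conf.splitlines():
        line = line.strip()
        if not line or (line.startswith("#") and not line.startswith("#!")):
            continue
        if line.lstrip("#").startswith("!"):
            spec = line.lstrip("#")[1:].strip()
            include, spec = not spec.startswith("-"), spec.lstrip("-")
            names = None if spec == "*" else set(spec.split(","))
            continue
        selector, action = line.split(None, 1)
        rules.append((include, names, selector, action))
    return rules

def selector_matches(selector, facility, level):
    """A level name selects that level and more severe ones; 'none' excludes."""
    hit = False
    for fac, pri in (part.split(".", 1) for part in selector.split(";")):
        if fac in ("*", facility):
            hit = pri != "none" and (pri == "*" or LEVELS.index(level) <= LEVELS.index(pri))
    return hit

def route(rules, facility, level, message):
    """Return the files a message with this facility/level would be written to."""
    tag = re.match(r"[^:\[\s]*", message).group(0)  # text before ':' or '[pid]'
    return [action for include, names, selector, action in rules
            if (names is None or (tag in names) == include)
            and selector_matches(selector, facility, level)]
```

With the first `!-` line removed from `CONF`, a notice-level message from either instance is routed to `/var/log/messages` as well as to its own file.
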



## ShelLuser (May 23, 2018)

When I'm mentioning identity I am referring to the program identity. We're talking about the same things. Just check /var/log/messages and you'll see _exactly_ what I mean. Also see that same syslog.conf(5) you mentioned.

This is also how Unbound will manifest itself. If you would have checked the logfiles you'd have noticed as much.


----------



## quicktrick (May 23, 2018)

I'm sorry again, ShelLuser, but I think you are wrong in this case. Please read my messages above carefully.


----------



## ShelLuser (May 23, 2018)

I'm not going to bother. I gave you a working example of how you can filter these messages, the example for pkg simply works, so if you think I'm wrong about that without being capable of actually backing this up with facts then that's your problem.


----------

