system: Collect the system-specific log messages of a platform

Starting with version 3.2, AxoSyslog can automatically collect the system-specific log messages of the host on a number of platforms using the system() driver. If the system() driver is included in the AxoSyslog configuration file, AxoSyslog automatically adds the following sources to the AxoSyslog configuration.

Note AxoSyslog versions 3.2-3.3 used an external script to generate the system() source, but this was problematic in certain situations, for example, when the host used a strict AppArmor profile. Therefore, the system() source is now generated internally in AxoSyslog.

The system() driver is also used in the default configuration file of AxoSyslog. For details on the default configuration file, see Example: The default configuration file of [%=General.OSE%]. Starting with AxoSyslog version 3.6, you can use the system-expand command-line utility (which is a shell script, located in the modules/system-source/ directory) to display the configuration that the system() source will use.

Warning If AxoSyslog does not recognize the platform it is installed on, it does not add any sources.

Starting with version 3.6, AxoSyslog parses messages complying with the Splunk Common Information Model (CIM) and marked with @cim as JSON messages (for example, the ulogd from the netfilter project can emit such messages). That way, you can forward such messages without losing any information to CIM-aware applications (for example, Splunk).

Sources automatically added by AxoSyslog
Platform	Message source
AIX	`unix-dgram("/dev/log");`
FreeBSD	`unix-dgram("/var/run/log");` `unix-dgram("/var/run/logpriv" perm(0600));` `file("/dev/klog" follow-freq(0) program-override("kernel") flags(no-parse));` For FreeBSD versions earlier than 9.1, `follow-freq(1)` is used.
GNU/kFreeBSD	`unix-dgram("/var/run/log");` `file("/dev/klog" follow-freq(0) program-override("kernel"));`
HP-UX	`pipe("/dev/log" pad-size(2048));`
Linux	Note that on Linux, the `so-rcvbuf()` option of the `system()` source is automatically set to 8192. If the host is running under systemd, AxoSyslog reads both syslog and kernel messages directly from the systemd journal file using the `systemd-journal()` source. In this case, AxoSyslog doesn't read from `/dev/log` nor `/proc/kmsg`. If the kernel of the host is version 3.5 or newer, and `/dev/kmsg` is seekable, AxoSyslog will use that instead of `/proc/kmsg`, using the `multi-line-mode(indented)`, `keep-timestamp(no)`, and the `format(linux-kmsg)` options. If AxoSyslog is running in a jail or a Linux Container (LXC), it will not read from the `/dev/kmsg` or `/proc/kmsg` files. With systemd: `systemd-journal();` Without systemd, on kernel 3.5 or newer: `unix-dgram("/dev/log"); file("/dev/kmsg" program-override("kernel") flags(kernel) format("linux-kmsg") keep-timestamp(no));` Without systemd, on kernels older than 3.5: `unix-dgram("/dev/log"); file("/proc/kmsg" program-override("kernel") flags(kernel) keep-timestamp(no));`
macOS	`file("/var/log/system.log" follow-freq(1));` Note Starting with version 3.7, the AxoSyslog`system()` driver automatically extracts the msgid from the message (if available), and stores it in the `.solaris.msgid` macro. To extract the msgid from the message without using the `system()`driver, use the `extract-solaris-msgid()` parser. You can find the exact source of this parser in the AxoSyslog GitHub repository.
NetBSD	`unix-dgram("/var/run/log");` Note Starting with version 3.7, the AxoSyslog`system()` driver automatically extracts the msgid from the message (if available), and stores it in the `.solaris.msgid` macro. To extract the msgid from the message without using the `system()`driver, use the `extract-solaris-msgid()` parser. You can find the exact source of this parser in the AxoSyslog GitHub repository.
Solaris 8	`sun-streams("/dev/log");` Note Starting with version 3.7, the AxoSyslog`system()` driver automatically extracts the msgid from the message (if available), and stores it in the `.solaris.msgid` macro. To extract the msgid from the message without using the `system()`driver, use the `extract-solaris-msgid()` parser. You can find the exact source of this parser in the AxoSyslog GitHub repository.
Solaris 9	`sun-streams("/dev/log" door("/etc/.syslog_door"));` Note Starting with version 3.7, the AxoSyslog`system()` driver automatically extracts the msgid from the message (if available), and stores it in the `.solaris.msgid` macro. To extract the msgid from the message without using the `system()`driver, use the `extract-solaris-msgid()` parser. You can find the exact source of this parser in the AxoSyslog GitHub repository.
Solaris 10	`sun-streams("/dev/log" door("/var/run/syslog_door"));` Note Starting with version 3.7, the AxoSyslog`system()` driver automatically extracts the msgid from the message (if available), and stores it in the `.solaris.msgid` macro. To extract the msgid from the message without using the `system()`driver, use the `extract-solaris-msgid()` parser. You can find the exact source of this parser in the AxoSyslog GitHub repository.

system() source options

Last modified December 18, 2024: Merge pull request #90 from axoflow/minor-fixes-241218 (68cd7df)