Logs are for program what speech is to human.
People says what’s wrong (most of the time ;), program log it.
Here’s how I use syslog-ng to get a central syslog system.

Installation

Syslog-NG is available as a binary package:

# pkg_add http://ftp.fr.openbsd.org/pub/OpenBSD/4.8/packages/amd64/syslog-ng-3.1.1p0.tgz

Replace syslogd with syslog-ng:

# vi /etc/rc
#syslogd ${syslogd_flags}
ldconfig /usr/local/lib
syslogng_flags=""
/usr/local/sbin/syslog-ng ${syslogng_flags}

# vi /etc/rc.conf.local
syslogng_flags=""

# crontab -e
#0      *       *       *       *       /usr/bin/newsyslog

Configuration

Create the directory that will host the logs:

# mkdir /home/log

Edit the configuration file:

# mkdir -p /home/log/etc/syslog-ng/
# vi /etc/syslog-ng/syslog-ng.conf
@version: 3.0

options {
        create_dirs(yes);
        perm(0644);
        dir_perm(0755);
        chain_hostnames(no);
        use_dns(yes);
        dns_cache(yes);
        dns_cache_size(64);
};

source logs {
        internal();
        udp(port (514));
        unix-dgram ("/dev/log");
        unix-dgram ("/var/empty/dev/log");
        unix-dgram ("/var/named/dev/log");
        unix-dgram ("/var/www/dev/log");
};

destination application { file("/home/log/$HOST/$PROGRAM/$YEAR$MONTH$DAY"); };
destination messages    { file("/home/log/$HOST/messages/$YEAR$MONTH$DAY"); };
destination postfix     { file("/home/log/$HOST/postfix/$YEAR$MONTH$DAY"); };

filter postfix          { program("postfix"); };

log { source(logs); filter(postfix); destination(postfix); flags(final); };
log { source(logs); destination(application); flags(final); };
log { source(logs); destination(messages); };

When syslog-ng is running, just delete what’s in /var/log.

That’s All Folks!