Managing logs

Gaddis, Jeremy L. jeremy at linuxwiz.net
Mon Jan 8 17:38:08 UTC 2007


On 1/8/07, John O'Loughlin <j.oloughlin at qmul.ac.uk> wrote:
> You can have one machine with syslog accepting remote logging --
> edit /etc/sysconfig/syslog
> with SYSLOGD_OPTIONS="-r -m 0"
>
> these boxes will now send their logs to loghost. you can also then install
> swatch on loghost

Agreed.  This is the "best way", IMO.  It's what I use for my
switches, routers, and tens of Linux-based servers.  With syslog-ng,
you can even "organize" your logs on that single loghost.

For example (some output snipped):

# ls -l /var/log/HOSTS/
drwxr-xr-x  4 root root 4096 2006-12-31 23:00 bladm03
drwxr-xr-x  4 root root 4096 2006-12-31 23:01 blremote
drwxr-xr-x  4 root root 4096 2006-12-31 23:00 blwww1
drwxr-xr-x  4 root root 4096 2006-12-31 23:00 blwww2
drwxr-xr-x  3 root root 4096 2006-05-11 10:08 cerberus
drwxr-xr-x  4 root root 4096 2007-01-01 00:01 er1d-1
drwxr-xr-x  5 root root 4096 2007-01-01 00:00 er2b-1
drwxr-xr-x  4 root root 4096 2007-01-01 00:00 er2b-2
drwxr-xr-x  4 root root 4096 2007-01-01 02:02 er2b-3
drwxr-xr-x  4 root root 4096 2007-01-01 01:49 er2b-4
drwxr-xr-x  4 root root 4096 2006-12-31 23:05 hermes
drwxr-xr-x  4 root root 4096 2006-12-31 23:06 hospital-vpn-pix
drwxr-xr-x  4 root root 4096 2006-12-31 23:00 hp9304m
drwxr-xr-x  4 root root 4096 2006-12-31 23:00 hp9308m
drwxr-xr-x  3 root root 4096 2007-01-07 23:47 jlgaddis-dl580
drwxr-xr-x  4 root root 4096 2007-01-03 14:13 jlgaddis-hp2650
drwxr-xr-x  3 root root 4096 2006-05-11 09:15 jlgaddis-rhel-b
drwxr-xr-x  4 root root 4096 2006-12-31 23:12 prometheus
drwxr-xr-x  4 root root 4096 2007-01-01 06:08 tr1b-1
drwxr-xr-x  4 root root 4096 2007-01-01 02:20 tr1b-2
drwxr-xr-x  4 root root 4096 2007-01-01 02:32 tr1b-3
drwxr-xr-x  4 root root 4096 2007-01-01 00:00 tr1c-1
drwxr-xr-x  4 root root 4096 2007-01-01 05:34 tr1c-2
drwxr-xr-x  4 root root 4096 2007-01-01 05:10 tr1c-3
drwxr-xr-x  4 root root 4096 2007-01-01 04:32 tr2c-1
drwxr-xr-x  4 root root 4096 2007-01-01 00:00 tr2c-2
drwxr-xr-x  4 root root 4096 2007-01-01 07:26 tr2c-3

# ls -l /var/log/HOSTS/hospital-vpn-pix/
drwxr-xr-x  10 root root 4096 2006-11-30 23:07 2006
drwxr-xr-x   3 root root 4096 2006-12-31 23:06 2007

# ls -l /var/log/HOSTS/hospital-vpn-pix/2006/
drwxr-xr-x  23 root root 4096 2006-05-30 23:00 05
drwxr-xr-x  32 root root 4096 2006-06-29 23:01 06
drwxr-xr-x  33 root root 4096 2006-07-30 23:03 07
drwxr-xr-x  33 root root 4096 2006-08-30 23:07 08
drwxr-xr-x  32 root root 4096 2006-09-29 23:00 09
drwxr-xr-x  33 root root 4096 2006-10-31 07:44 10
drwxr-xr-x  32 root root 4096 2006-11-29 23:07 11
drwxr-xr-x  33 root root 4096 2006-12-30 23:03 12

# ls -l /var/log/HOSTS/hospital-vpn-pix/2006/12/
drwxr-xr-x  2 root root 4096 2006-11-30 23:07 01
drwxr-xr-x  2 root root 4096 2006-12-01 23:07 02
drwxr-xr-x  2 root root 4096 2006-12-02 23:07 03
drwxr-xr-x  2 root root 4096 2006-12-03 23:07 04

# ls -l /var/log/HOSTS/hospital-vpn-pix/2006/12/31/
-rw-r-----  1 root cts 13025 2006-12-31 22:56 local4.2006-12-31

Lots of output there, but I was trying to show that each device that's
logging to the central syslog server gets its own directory under
/var/log/HOSTS/, and the logs are further subdivided under there in
directories based upon the year, the month, and the day.

These individual logs are then imported nightly into a SQL database
for further analysis, but that's another topic.

HTH,
-j

-- 
Jeremy L. Gaddis, MCP, GCWN
http://www.linuxwiz.net/
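An added example, not part of the message above or of Jeremy's actual setup: a syslog-ng configuration that produces the /var/log/HOSTS/<host>/<year>/<month>/<day>/<facility>.<date> layout shown in the listings. The "cts" group, the 0640/0755 modes and the 10.0.0.0/8 range in the firewall comment are assumptions taken from the ls output or chosen for illustration.

```conf
# Added example (not from the original post): syslog-ng 2.x/3.x configuration
# that writes each sender's messages into /var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/.
# Group "cts", the permissions and the 10.0.0.0/8 range are assumptions.

options {
    create_dirs(yes);        # build the per-host/date tree on demand
    dir_perm(0755);          # drwxr-xr-x, as in the listing above
    perm(0640);              # -rw-r-----, as in the listing above
    group("cts");            # assumed: group that may read the logs
    use_dns(yes);            # name the sender from its source address ...
    keep_hostname(no);       # ... not from the hostname field in the packet,
                             # so a client cannot write into another
                             # device's directory by lying about its name
    use_fqdn(no);
    chain_hostnames(no);
};

# The loghost's own messages
source s_local {
    internal();
    unix-stream("/dev/log");
};

# Switches, routers and servers: classic syslog over UDP/514.
# Plain UDP syslog has no sender authentication, so limit who can reach
# this port with a host firewall, e.g.
#   iptables -A INPUT -p udp --dport 514 -s 10.0.0.0/8 -j ACCEPT
#   iptables -A INPUT -p udp --dport 514 -j DROP
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# One file per facility per day, e.g.
# /var/log/HOSTS/hospital-vpn-pix/2006/12/31/local4.2006-12-31
destination d_hosts {
    file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.$YEAR-$MONTH-$DAY");
};

log { source(s_local); destination(d_hosts); };
log { source(s_net);   destination(d_hosts); };
```

The $YEAR/$MONTH/$DAY macros expand from the message timestamp, so a device with a wrong clock lands in the wrong day directory; the nightly import mentioned above is a good place to check that the directory date and the timestamps inside the file agree.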




More information about the redhat-list mailing list