Managing logs
Gaddis, Jeremy L.
jeremy at linuxwiz.net
Mon Jan 8 17:38:08 UTC 2007
On 1/8/07, John O'Loughlin <j.oloughlin at qmul.ac.uk> wrote:
> You can have one machine with syslog accepting remote logging --
> edit /etc/sysconfig/syslog
> with SYSLOGD_OPTIONS="-r -m 0"
>
> these boxes will now send their logs to loghost. you can also then install
> swatch on loghost
Agreed. This is the "best way", IMO. It's what I use for my
switches, routers, and tens of Linux-based servers. With syslog-ng,
you can even "organize" your logs on that single loghost.
For example (some output snipped):
# ls -l /var/log/HOSTS/
drwxr-xr-x 4 root root 4096 2006-12-31 23:00 bladm03
drwxr-xr-x 4 root root 4096 2006-12-31 23:01 blremote
drwxr-xr-x 4 root root 4096 2006-12-31 23:00 blwww1
drwxr-xr-x 4 root root 4096 2006-12-31 23:00 blwww2
drwxr-xr-x 3 root root 4096 2006-05-11 10:08 cerberus
drwxr-xr-x 4 root root 4096 2007-01-01 00:01 er1d-1
drwxr-xr-x 5 root root 4096 2007-01-01 00:00 er2b-1
drwxr-xr-x 4 root root 4096 2007-01-01 00:00 er2b-2
drwxr-xr-x 4 root root 4096 2007-01-01 02:02 er2b-3
drwxr-xr-x 4 root root 4096 2007-01-01 01:49 er2b-4
drwxr-xr-x 4 root root 4096 2006-12-31 23:05 hermes
drwxr-xr-x 4 root root 4096 2006-12-31 23:06 hospital-vpn-pix
drwxr-xr-x 4 root root 4096 2006-12-31 23:00 hp9304m
drwxr-xr-x 4 root root 4096 2006-12-31 23:00 hp9308m
drwxr-xr-x 3 root root 4096 2007-01-07 23:47 jlgaddis-dl580
drwxr-xr-x 4 root root 4096 2007-01-03 14:13 jlgaddis-hp2650
drwxr-xr-x 3 root root 4096 2006-05-11 09:15 jlgaddis-rhel-b
drwxr-xr-x 4 root root 4096 2006-12-31 23:12 prometheus
drwxr-xr-x 4 root root 4096 2007-01-01 06:08 tr1b-1
drwxr-xr-x 4 root root 4096 2007-01-01 02:20 tr1b-2
drwxr-xr-x 4 root root 4096 2007-01-01 02:32 tr1b-3
drwxr-xr-x 4 root root 4096 2007-01-01 00:00 tr1c-1
drwxr-xr-x 4 root root 4096 2007-01-01 05:34 tr1c-2
drwxr-xr-x 4 root root 4096 2007-01-01 05:10 tr1c-3
drwxr-xr-x 4 root root 4096 2007-01-01 04:32 tr2c-1
drwxr-xr-x 4 root root 4096 2007-01-01 00:00 tr2c-2
drwxr-xr-x 4 root root 4096 2007-01-01 07:26 tr2c-3
# ls -l /var/log/HOSTS/hospital-vpn-pix/
drwxr-xr-x 10 root root 4096 2006-11-30 23:07 2006
drwxr-xr-x 3 root root 4096 2006-12-31 23:06 2007
# ls -l /var/log/HOSTS/hospital-vpn-pix/2006/
drwxr-xr-x 23 root root 4096 2006-05-30 23:00 05
drwxr-xr-x 32 root root 4096 2006-06-29 23:01 06
drwxr-xr-x 33 root root 4096 2006-07-30 23:03 07
drwxr-xr-x 33 root root 4096 2006-08-30 23:07 08
drwxr-xr-x 32 root root 4096 2006-09-29 23:00 09
drwxr-xr-x 33 root root 4096 2006-10-31 07:44 10
drwxr-xr-x 32 root root 4096 2006-11-29 23:07 11
drwxr-xr-x 33 root root 4096 2006-12-30 23:03 12
# ls -l /var/log/HOSTS/hospital-vpn-pix/2006/12/
drwxr-xr-x 2 root root 4096 2006-11-30 23:07 01
drwxr-xr-x 2 root root 4096 2006-12-01 23:07 02
drwxr-xr-x 2 root root 4096 2006-12-02 23:07 03
drwxr-xr-x 2 root root 4096 2006-12-03 23:07 04
# ls -l /var/log/HOSTS/hospital-vpn-pix/2006/12/31/
-rw-r----- 1 root cts 13025 2006-12-31 22:56 local4.2006-12-31
Lots of output there, but I was trying to show that each device that's
logging to the central syslog server gets its own directory under
/var/log/HOSTS/, and the logs are further subdivided under there in
directories based upon the year, the month, and the day.
These individual logs are then imported nightly into a SQL database
for further analysis, but that's another topic.
HTH,
-j
--
Jeremy L. Gaddis, MCP, GCWN
http://www.linuxwiz.net/
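A syslog-ng configuration that produces the directory layout shown in the listing above, added here as an illustration; it is not Jeremy's or the list's own config. The macro names ($HOST, $YEAR, $MONTH, $DAY, $FACILITY) and the option names are syslog-ng's; the group name cts and the 0640 file mode are taken from the listing; the source name, listening address and the remaining option choices are assumptions:

```conf
# syslog-ng.conf fragment (added example; assumes syslog-ng 2.x/3.x syntax)
options {
    create_dirs(yes);     # build HOSTS/<host>/<year>/<month>/<day>/ on demand
    keep_hostname(no);    # take $HOST from the sender's address (reverse DNS),
    use_dns(yes);         # not from the hostname field the sender writes into
    dns_cache(yes);       # the message itself
};

# Legacy syslogd senders ("*.* @loghost" in their syslog.conf) speak plain
# UDP 514; the listening address is an assumption.
source s_remote {
    udp(ip("0.0.0.0") port(514));
};

# One file per host, day and facility, e.g.
# /var/log/HOSTS/hospital-vpn-pix/2006/12/31/local4.2006-12-31
destination d_hosts {
    file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.$YEAR-$MONTH-$DAY"
         owner(root) group(cts) perm(0640)
         dir_owner(root) dir_group(root) dir_perm(0755));
};

log { source(s_remote); destination(d_hosts); };
```

Two caveats a practitioner should keep in mind with this setup. UDP syslog carries no authentication or integrity protection, so whatever accepts it (syslog-ng's udp() source, or syslogd started with -r as in the quoted reply) should be reachable only from the devices that are meant to log, typically enforced with a host firewall rule on port 514/udp. And because a sender can put any string in the hostname field of a message, keep_hostname(no) is the safer choice when $HOST decides the directory a line is written to; the directory name then comes from the sender's resolved address rather than from the message. The -m 0 in the quoted SYSLOGD_OPTIONS simply turns off the periodic "-- MARK --" lines syslogd would otherwise write.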