Setting up centralized logging

Kenneth Holter kenneho.ndu at
Thu Jan 15 08:43:58 UTC 2009

Thanks for the outline of your setup.

I'm a bit tempted to go for rsyslog actually, since it's already included in
the RHN repository.

Are there any shortcomings of rsyslog that I should be aware of? I've read
that the config file may be more messy than syslog-ng, but that's pretty
much it.

On 1/14/09, m.roth2006 at <m.roth2006 at> wrote:
> Kenneth,
> >Date: Wed, 14 Jan 2009 15:42:22 +0100
> >From: "Kenneth Holter" <kenneho.ndu at>
> >
> >We're planning on setting up centralized logging for our RHEL systems, and
> >have to decide on applications to use for collecting logs and analyzing
> >them.
> >Most of our systems are running RHEL, so we're looking for software that
> is
> >supported on this platform.
> >
> >The first issue would be to decide on which syslog implementation to use,
> >and "syslog-ng" seems to be very popular. Will this be included in EPEL or
> >such in near future?
> >Are there better options than syslog-ng?
> How *very* odd - at work, last week, we were just deciding on this, and
> setting it up. Anyway, my manager decided on syslog-ng, which has been
> around a long time, although I understand that rsyslog is coming in as the
> standard with CentOS.
> What we did was to set up one syslog server with syslog-ng. All the other
> servers were left with the stock syslog, which does allow you to specify
> that a copy of the log should also be sent to a remote server.
> For example, in the /etc/syslog.conf, for the std. syslog, you add:
> *.info;mail.none;;cron.none;kern.debug;daemon.err @<syslog
> server name>
> Then, on the syslog server, as I said, we put in syslog-ng. In its
> configuration file, I separated remote servers (and tcp and udp incoming
> logs), and then set up filters and destinations in
> <path>/<hostname><YYYYMMDD>/<logs>
> Setting up filters turned out to be incredibly easy. One post I found very
> helpful was
> <>
> In my case, I used facility(secure) and match(strings I wanted), and dumped
> them in separate destinations.
> >
> >After collecting the syslog data, we'll need to analyze them. Swatch and
> >are two options, as well as logwatch. The latter doesn't monitor in real
> >time, so I guess this one is out of the picture. Feedback on Swatch and
> SEC,
> >as well as other good options, is appreciated.
> <snip>
> Let us know how it goes. I'd be interested in knowing what you use.
>      mark
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at

More information about the redhat-list mailing list