LinuxQuestions.org


slug420 03-09-2007 09:02 AM

best way to implement syslog
 
I have a SLES server here that I configured a while ago to act as a syslog server. We log all events from all of our firewalls and recently added one windows server's events as well.

I configured syslog.conf to use a facility for each device that was sending events. This allows me to put each device's logs into its own "livelogs" file which is rolled hourly using a script I wrote into a file with a time/date stamp as well as the device name:
local0.* -/var/log/localmessages
local2.* -/var/log/localmessages
local1.* -/var/log/PIX/livelogs_Firewall1
local4.* -/var/log/PIX/livelogs_Firewall2
local5.* -/var/log/WIN/livelogs_Windowsbox
local6.* -/var/log/PIX/livelogs_Firewall3
local7.* -/var/log/PIX/livelogs_Firewall4

This isn't very scalable though, as it limited me to 8 devices sending messages to this server, and I *think* that these localX's were being used for local system logging already, before I made them log remote events (I don't have a solid understanding of how syslog works though, so this might be inaccurate). Are the localX facilities reserved for receiving syslogs from remote locations, or are they sometimes/always/often/optionally used locally for logging one thing or another?

If I have 2 NICs on this server, can I have 8 facilities available on each, allowing me to log 16 remote devices to this server? How would I configure that? How would I "bind" one syslog daemon to one interface and another to the other interface?

What is best practice and/or what do you do for a syslog server? One thought I had was to send everything to one facility, and then, when my script runs on the hour rolling over the livelogs files, it could possibly also sort one massive syslog file based on the device that sent the message. Is this common practice?
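The "sort one massive file by sending device" idea from the post above, written out as an added example (this is editor-supplied code, not anything from the thread or from the SLES syslog package). It decodes the PRI field the way syslog does (facility = PRI / 8, severity = PRI mod 8, with local0..local7 being facility numbers 16..23), groups lines by the hostname field, and writes one livelogs_<host>_<stamp> file per device. The sample datagrams, the hostnames fw1/fw2/winbox and the output directory are all constructed for the example.

```python
"""Split a combined syslog feed into per-device files (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from pathlib import Path

# RFC 3164 facility codes. local0..local7 are 16..23: the "8 devices" ceiling
# in the thread comes from these eight facilities, not from the number of NICs.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Optional <PRI> (present on the wire, usually stripped by syslogd when writing
# a file), then the BSD-style timestamp, the hostname and the rest of the line.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def decode_pri(pri: int):
    """PRI = facility * 8 + severity; returns (facility_name, severity_name)."""
    facility, severity = pri >> 3, pri & 7
    name = FACILITY_NAMES[facility] if facility < len(FACILITY_NAMES) else f"facility{facility}"
    return name, SEVERITY_NAMES[severity]


def parse_line(line: str):
    """Parse one syslog line; returns None for lines that do not fit the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"host": m["host"], "timestamp": m["ts"], "message": m["msg"], "raw": line.rstrip("\n")}
    if m["pri"] is not None:
        rec["facility"], rec["severity"] = decode_pri(int(m["pri"]))
    else:
        rec["facility"] = rec["severity"] = None
    return rec


def split_by_host(lines):
    """Group raw lines by sending host; lines that do not parse go under '_unparsed'."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        buckets[rec["host"] if rec else "_unparsed"].append(line.rstrip("\n"))
    return dict(buckets)


def write_per_host(lines, outdir, stamp=None):
    """Write one livelogs_<host>_<stamp> file per device, like the hourly roll script."""
    stamp = stamp or datetime.now().strftime("%Y%m%d_%H")
    outdir = Path(outdir)
    written = {}
    for host, entries in split_by_host(lines).items():
        # The hostname field comes from the network and is untrusted: keep only
        # safe characters so a crafted host such as "../etc" cannot steer the
        # output path outside outdir.
        safe = re.sub(r"[^A-Za-z0-9._-]", "_", host).strip(".") or "unknown"
        target = outdir / f"livelogs_{safe}_{stamp}"
        outdir.mkdir(parents=True, exist_ok=True)
        with target.open("a") as fh:
            fh.write("\n".join(entries) + "\n")
        written[host] = target
    return written


# Constructed sample datagrams: two firewalls and a Windows agent all sending
# on local1 (PRI 142 = 17*8 + 6 = local1.info, 140 = local1.warning).
SAMPLE_LINES = [
    "<142>Mar  9 09:02:11 fw1 %PIX-6-302013: Built outbound TCP connection",
    "<140>Mar  9 09:02:12 fw2 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4242",
    "<142>Mar  9 09:02:13 winbox MSWinEventLog 1 Security 4624 Logon",
    "garbage that is not syslog",
]

if __name__ == "__main__":
    for host, path in write_per_host(SAMPLE_LINES, "/tmp/livelogs_example", "20070309_09").items():
        print(f"{host}: {path}")
```

Because the split keys on the hostname rather than the facility, three devices can share local1 and still land in separate files; the facility only needs to survive in the line (or in the PRI) if you still want it as a secondary key.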

mackdav 03-21-2007 01:06 PM

local$x are limited to 8; syslog instances don't bind to interfaces so you are stuck with them.

Personally I use syslog-ng. Why? Because syslog-ng gives you far more control over where the incoming logs go. For example, you can tell syslog-ng to log to a file whose path/name is dependent on the system name, the date, and the facility. So it doesn't matter that you have six devices all hardcoded to use local3 (or whatever); syslog-ng breaks them out into individual files.

Here is an example of one of my configurations. It is from a Sun, but with a little reading you can convert it to Linux fairly easily.

Beware the log rotation problems or you'll eat up your disk space fairly quick.

I also send everything to one massive file which is read once per day by a script which sends me either things I know to be bad, or things which the script does not know to be good.

This may not be a "best practice" but it works for me.
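A Linux-flavoured syslog-ng configuration of the kind the reply describes, added here as an example; it is not mackdav's Sun configuration and not taken from any SLES package. It assumes syslog-ng's udp() source and file() destination with the $HOST, $YEAR, $MONTH, $DAY and $FACILITY macros, and the directory /var/log/devices is a made-up choice.

```conf
# syslog-ng.conf fragment (added example). Remote devices land in one file per
# device, per day, per facility; the box's own logs stay in /var/log/messages.
options {
    create_dirs(yes);
    # Name files by the sender's address, not the hostname carried in the
    # message: the message hostname is attacker-controlled and would otherwise
    # become part of a file path.
    keep_hostname(no);
    use_dns(no);
};

source s_local  { unix-dgram("/dev/log"); internal(); };
source s_remote { udp(ip(0.0.0.0) port(514)); };

# $HOST is the source address here (keep_hostname(no)); the date macros give a
# new file every day, so no log rotation of an open file is needed.
destination d_per_device {
    file("/var/log/devices/$HOST/$YEAR$MONTH$DAY/$FACILITY.log"
         dir_perm(0750) perm(0640));
};
# The "one massive file" the reply's daily review script reads.
destination d_all   { file("/var/log/devices/all-$YEAR$MONTH$DAY.log" perm(0640)); };
destination d_local { file("/var/log/messages"); };

log { source(s_remote); destination(d_per_device); destination(d_all); };
log { source(s_local);  destination(d_local); };
```

The date in the filename is what keeps the disk-space problem in check: since syslog-ng opens a fresh file each day, cleanup is a matter of deleting old date-stamped directories (for example with find and -mtime) rather than rotating a file the daemon still has open. Restrict udp 514 to the firewalls' and the Windows box's addresses at the host firewall, since anything that can reach the port can write into these files.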

slug420 03-21-2007 01:23 PM

sounds great.

I have syslog-ng on the box but I'm not using it (I don't think). Sounds like I need to be. Thanks for the feedback. I'll be sure to post more once I get around to trying syslog-ng and I try to figure out how to get it enabled and normal syslog disabled, etc. etc....

