syslog to central server and store logs in separate host directories
Hello all!
I am setting up a central syslog server to accept logging from multiple production servers. I have syslog configured and functional. What I would like to do next is set up separate directories on the logging server (central) for each of the production servers (remote). For example:
remote client:
hostname - pserver1
snippet from /etc/syslog.conf
Code:
# loghost is the central logging server (sysklogd only accepts comments on their own line, not after a rule)
authpriv.*    @loghost
Now, what I don't know how to do is configure the central logging server to put the messages from pserver1 into a directory like:
Code:
authpriv.* /var/log/pserver1/secure
I know the above line is incorrect. What is the correct syntax to split the logging from different hosts to different files/directories?
Can't use syslog-ng because it is not supported in RedHat (all RHEL 4.x), therefore I need to use the standard syslogd.
You can use standard Redhat syslog on the client and just compile syslog-ng or rsyslog on the central logging server. That's what we did at my last company; that way the clients are not changed. We set up logging using rsyslog into a MySQL DB. Just an idea, sorry, not sure about your syntax problem.
Thanks for the suggestion, however, RHEL 4 doesn't support syslog-ng nor rsyslog (RHEL5). So, my options are limited. Any other ideas?
RHEL4 runs syslog-ng just fine...compile it from source, if you can't find it on a repository.
However, only your central syslog server needs to be running syslog-ng. Your other servers (Solaris, AIX, Linux, etc.) can run the 'regular' syslog daemon. Set up syslog-ng to put logs from different IP addresses into different files, named with their associated FQDNs.
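For reference, here is what the per-host split described in the post above looks like in a syslog-ng configuration. This is an added example, not a snippet from any poster or from the syslog-ng project; the destination name, the /var/log/<host>/secure layout and the UDP port 514 listener are assumptions chosen to match the original question.

```conf
# Added example: central syslog-ng server writing each sender's authpriv
# messages to /var/log/<hostname>/secure. Clients keep plain syslogd with
# "authpriv.* @loghost" in /etc/syslog.conf.

options {
    # The hostname inside a syslog packet is chosen by the sender and is
    # trivially spoofable over UDP. keep_hostname(no) discards it and
    # rebuilds $HOST from the sender's IP (DNS-resolved when use_dns(yes)),
    # so one client cannot write into another client's directory.
    keep_hostname(no);
    use_dns(yes);
    chain_hostnames(no);
    create_dirs(yes);
};

source s_net {
    udp(ip(0.0.0.0) port(514));
};

filter f_authpriv { facility(authpriv); };

destination d_perhost_secure {
    # $HOST expands to the (server-side determined) sender name; the
    # directory is created on demand with restrictive permissions.
    file("/var/log/$HOST/secure"
         owner(root) group(root) perm(0600) dir_perm(0700));
};

log { source(s_net); filter(f_authpriv); destination(d_perhost_secure); };
```

Two practical checks after loading this: confirm the resulting directory names are what you expect (with use_dns(no) they will be bare IP addresses rather than FQDNs), and remember that UDP syslog is unauthenticated and unencrypted, so the log server should only accept port 514 from the production hosts' addresses at the firewall.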
I agree, syslog-ng is the way to go. The issue that I have is company policy. I can't use non-RedHat rpms or source for a variety of reasons.
I was also going to suggest syslog-ng. Too bad your company can't see that once in a while an exception to the rule is okay.
I see you like Cent-OS. Would they let you run syslog-ng on a Cent-OS box and simply use the syslog daemon to send the traffic to the log server? As you can see from the other posters, it is a solution that works.
Well, you can either fight the (rather dumb) company policy, or homebrew your own solution. You could write a program to do some filtering on the single, massive-combined syslog file, and parse it down every few minutes into separate files. But that would require you writing code (hey, that would be SOURCE CODE), which is against your company policy. And at the end of the day, all it would do is replace one set of source code with another, which doesn't function as well.
'Regular' syslog daemons pump things to one file; that's it, that's all they were ever designed to do. That's why syslog-ng came about.
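The "homebrew" approach the post above describes, a periodic job that splits the single combined file into per-host files, is small enough to show in full. This is an added example written for this page, not code from any poster; the function name, the argument layout (combined file, base directory, per-host file name) and the sample log lines are all constructed here. The one security detail worth getting right is that the hostname field in a syslog line is supplied by the remote sender, so it is validated before being used as a path component.

```shell
#!/bin/sh
# Added example: split a combined sysklogd file (lines of the form
# "Mon DD HH:MM:SS host tag: message") into <basedir>/<host>/<name>.
# Intended to be run from cron every few minutes on the central server.

split_syslog_by_host() {
    src="$1"   # combined log file, e.g. /var/log/secure
    dest="$2"  # base directory for the per-host tree, e.g. /var/log
    name="$3"  # per-host file name, e.g. secure

    awk -v dest="$dest" -v name="$name" '
        {
            host = $4
            # The host field is attacker-controlled (any client can send any
            # hostname over UDP syslog). Only accept DNS-style labels; this
            # rejects "/", "..", empty fields and anything starting with ".",
            # so a spoofed host cannot steer the write outside dest.
            if (host !~ /^[A-Za-z0-9][A-Za-z0-9._-]*$/) {
                host = "_invalid"
            }
            dir = dest "/" host
            if (!(dir in made)) {
                system("mkdir -p -m 0700 \"" dir "\"")
                made[dir] = 1
            }
            out = dir "/" name
            print $0 >> out
            opened[out] = 1
        }
        END { for (f in opened) close(f) }
    ' "$src"
}

# Demonstration on constructed sample lines (not real logs) in a temp dir.
demo_dir=$(mktemp -d)
printf '%s\n' \
    'Jan  5 03:04:05 pserver1 sshd[100]: Accepted publickey for root' \
    'Jan  5 03:04:06 pserver2 sshd[200]: Failed password for invalid user admin' \
    'Jan  5 03:04:07 pserver1 sudo: root : TTY=pts/0' \
    'Jan  5 03:04:08 ../etc sshd[300]: spoofed hostname' > "$demo_dir/secure"
split_syslog_by_host "$demo_dir/secure" "$demo_dir/hosts" secure
ls -R "$demo_dir/hosts"
```

Run it against a copy or a rotated file rather than the live one, since plain syslogd keeps appending to the combined file while the job runs; a line that fails validation lands in the `_invalid` directory for inspection instead of being silently dropped.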
Do not reopen threads that are TWO YEARS OLD, and hijack them with your own question. Open your own thread.
And again, RHEL should have syslog-ng in the repositories that you have available via the RedHat Network, since you're paying for support, right? If you're not, you can (as stated years ago), compile syslog-ng from source. And if you already HAVE an RPM for syslog-ng, why not just *try* to install it?
What? It's better that every person NOT search and instead create a new thread whether one exists or not?
At what age does your holiness deem a thread too old to reply to? 6 months? 1 year? 18 months? 5 hours?
PLEASE DO tell us, so we will know in future and won't frustrate you in future.
Since you're not paying attention, and/or didn't bother to read the thread, the follow-up question that re-opened this old thread didn't relate to the original topic. New question = new thread. Read the LQ Rules. If you don't like them, tell the moderators.
At what age does your holiness deem a thread to old to reply to? 6 months? 1 year? 18 months? 5 hours?
This doesn't automagically go for all topics but I'd say ninety nine per cent of the questions asked on LQ have a short TTL, usually measured in days. So responding a couple of months afterwards, and especially with a rebuke like this is uncalled for. After your hiatus of about three years two out of your three posts resulted in a collision. I'll leave it at this but I suggest you review the way you post.