LinuxQuestions.org
Old 01-13-2009, 01:23 PM   #1
steve.goldner
LQ Newbie
 
Registered: Jun 2008
Location: North Carolina, USA
Distribution: CentOS, RHEL 4
Posts: 6

Rep: Reputation: 0
syslog to central server and store logs in separate host directories


Hello all!

I am setting up a central syslog server to accept logging from multiple production servers. I have syslog configured and functional. What I would like to do next is set up separate directories on the logging server (central) for each of the production servers (remote). For example:

remote client:
hostname - pserver1
snippet from /etc/syslog.conf
Code:
authpriv.*		@loghost # which is the central logging server
Now, what I don't know how to do is configure the central logging server to put the messages from pserver1 into a directory like:

Code:
authpriv.*		/var/log/pserver1/secure
I know the above line is incorrect. What is the correct syntax to split the logging from different hosts to different files/directories?

Can't use syslog-ng because it is not supported in RedHat (all RHEL 4.x), therefore I need to use the standard syslogd.

Thanks!
 
Old 01-13-2009, 03:41 PM   #2
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Solaris, Ubuntu, SUSE
Posts: 282

Rep: Reputation: 45
You can use standard Redhat syslog on the client and just compile syslog-ng or rsyslog on the central logging server. That's what we did at my last company, that way the clients are not changed. We set up logging using rsyslog into a mysql DB. Just an idea, sorry not sure about your syntax problem.
 
Old 01-14-2009, 08:38 AM   #3
steve.goldner
LQ Newbie
 
Registered: Jun 2008
Location: North Carolina, USA
Distribution: CentOS, RHEL 4
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by FragInHell View Post
You can use standard Redhat syslog on the client and just compile syslog-ng or rsyslog on the central logging server. That's what we did at my last company, that way the clients are not changed. We set up logging using rsyslog into a mysql DB. Just an idea, sorry not sure about your syntax problem.
Thanks for the suggestion, however, RHEL 4 doesn't support syslog-ng nor rsyslog(RHEL5). So, my options are limited. Any other ideas?
 
Old 01-14-2009, 09:12 AM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,662

Rep: Reputation: 7970
Quote:
Originally Posted by steve.goldner View Post
Thanks for the suggestion, however, RHEL 4 doesn't support syslog-ng nor rsyslog(RHEL5). So, my options are limited. Any other ideas?
RHEL4 runs syslog-ng just fine...compile it from source, if you can't find it on a repository.

However, only your central syslog server needs to be running syslog-ng. Your other servers (Solaris, AIX, Linux, etc.), can run the 'regular' syslog daemon. Set up syslog-ng to put logs from different IP addresses to different files, named with their associated FQDN's.
 
Old 01-14-2009, 09:28 AM   #5
steve.goldner
LQ Newbie
 
Registered: Jun 2008
Location: North Carolina, USA
Distribution: CentOS, RHEL 4
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by TB0ne View Post
RHEL4 runs syslog-ng just fine...compile it from source, if you can't find it on a repository.

However, only your central syslog server needs to be running syslog-ng. Your other servers (Solaris, AIX, Linux, etc.), can run the 'regular' syslog daemon. Set up syslog-ng to put logs from different IP addresses to different files, named with their associated FQDN's.
I agree, syslog-ng is the way to go. The issue that I have is company policy. I can't use non-RedHat rpms or source for a variety of reasons.
 
Old 01-14-2009, 10:03 AM   #6
DotHQ
Member
 
Registered: Mar 2006
Location: Ohio, USA
Distribution: Red Hat, Fedora, Knoppix,
Posts: 548

Rep: Reputation: 33
Quote:
Originally Posted by steve.goldner View Post
I agree, syslog-ng is the way to go. The issue that I have is company policy. I can't use non-RedHat rpms or source for a variety of reasons.
I was also going to suggest syslog-ng. Too bad your company can't see that once in a while an exception to the rule is okay.
I see you like Cent-OS. Would they let you run syslog-ng on a Cent-OS box and simply use the syslog daemon to send the traffic to the log server? As you can see from the other posters, it is a solution that works.
 
Old 01-14-2009, 10:04 AM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,662

Rep: Reputation: 7970
Quote:
Originally Posted by steve.goldner View Post
I agree, syslog-ng is the way to go. The issue that I have is company policy. I can't use non-RedHat rpms or source for a variety of reasons.
Well, you can either fight the (rather dumb) company policy, or homebrew your own solution. You could write a program to do some filtering on the single, massive-combined syslog file, and parse it down every few minutes into separate files. But that would require you writing code (hey, that would be SOURCE CODE), which is against your company policy. And at the end of the day, all it would do is replace one set of source code with another, which doesn't function as well.


'Regular' syslog daemons pump things to one file..that's it, that's all they were ever designed to do. That's why syslog-ng came about.
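
The file-splitting approach mentioned in post #7, as an added example that is not part of the original thread: a Python sketch that splits a combined log in the traditional `Mon DD HH:MM:SS host ...` layout into one directory per host. The function names, the `_unparsed` directory and the sample lines are assumptions made for illustration; the host field originates from network input, so it is validated before being used as a directory name.

```python
import os
import re

# Traditional syslogd line: "Jan 13 13:23:01 pserver1 sshd[2211]: message"
LINE_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} (\S+) ")
# Accept only DNS-style names or IPv4 literals; anything else is not used as a path.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,62}(\.[A-Za-z0-9][A-Za-z0-9-]{0,62})*$")

# Constructed sample of a combined log (not taken from the thread).
SAMPLE = (
    "Jan 13 13:23:01 pserver1 sshd[2211]: Accepted password for steve from 192.0.2.10\n"
    "Jan 13 13:23:07 pserver2 su: session opened for user root\n"
    "Jan 13 13:24:00 ../../etc/cron.d x: host field is not a hostname\n"
    "Jan  3 01:02:03 PServer1 sshd[2300]: Failed password for root from 192.0.2.99\n"
)


def host_of(line):
    """Return the validated, lower-cased host field, or None if unusable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = m.group(1).lower()
    return host if len(host) <= 253 and HOST_RE.match(host) else None


def split_log(combined_path, out_root, name="secure"):
    """Append each line to out_root/<host>/<name>; return lines written per directory.

    Lines without a usable host go to out_root/_unparsed/<name>. "_unparsed"
    cannot collide with a real host because HOST_RE rejects a leading underscore.
    """
    counts, handles = {}, {}
    try:
        with open(combined_path, "r", errors="replace") as src:
            for line in src:
                key = host_of(line) or "_unparsed"
                if key not in handles:
                    os.makedirs(os.path.join(out_root, key), mode=0o750, exist_ok=True)
                    handles[key] = open(os.path.join(out_root, key, name), "a")
                handles[key].write(line)
                counts[key] = counts.get(key, 0) + 1
    finally:
        for fh in handles.values():
            fh.close()
    return counts
```

Run it against a rotated copy of the combined file so the same lines are not appended twice.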
 
Old 12-08-2011, 12:26 AM   #8
Satyaveer Arya
Senior Member
 
Registered: May 2010
Location: Palm Island
Distribution: RHEL, CentOS, Debian, Oracle Solaris 10
Posts: 1,420

Rep: Reputation: 305
Hello,

Does RHEL 5.3 support syslog-ng rpm?
 
0 members found this post helpful.
Old 12-08-2011, 11:36 AM   #9
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,662

Rep: Reputation: 7970
Quote:
Originally Posted by Satyaveer Arya View Post
Hello,
Does RHEL 5.3 support syslog-ng rpm?
Do not reopen threads that are TWO YEARS OLD, and hijack them with your own question. Open your own thread.

And again, RHEL should have syslog-ng in the repositories that you have available via the RedHat Network, since you're paying for support, right? If you're not, you can (as stated years ago), compile syslog-ng from source. And if you already HAVE an RPM for syslog-ng, why not just *try* to install it?
 
2 members found this post helpful.
Old 02-23-2012, 07:57 PM   #10
SlCKB0Y
Member
 
Registered: Oct 2001
Location: Sydney
Distribution: Arch
Posts: 295

Rep: Reputation: 96
What? It's better that every person NOT search and instead create a new thread whether one exists or not?

At what age does your holiness deem a thread too old to reply to? 6 months? 1 year? 18 months? 5 hours?

PLEASE DO tell us, so we will know in future and won't frustrate you in future.
 
1 members found this post helpful.
Old 02-24-2012, 09:28 AM   #11
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,662

Rep: Reputation: 7970
Quote:
Originally Posted by SlCKB0Y View Post
What? It's better that every person NOT search and instead create a new thread whether one exists or not?
At what age does your holiness deem a thread too old to reply to? 6 months? 1 year? 18 months? 5 hours?
PLEASE DO tell us, so we will know in future and won't frustrate you in future.
Since you're not paying attention, and/or didn't bother to read the thread, the follow-up question that re-opened this old thread didn't relate to the original topic. New question = new thread. Read the LQ Rules. If you don't like them, tell the moderators.
 
Old 04-07-2012, 02:26 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by SlCKB0Y View Post
At what age does your holiness deem a thread too old to reply to? 6 months? 1 year? 18 months? 5 hours?
This doesn't automagically go for all topics but I'd say ninety nine per cent of the questions asked on LQ have a short TTL, usually measured in days. So responding a couple of months afterwards, and especially with a rebuke like this is uncalled for. After your hiatus of about three years two out of your three posts resulted in a collision. I'll leave it at this but I suggest you review the way you post.
 
  

