Review your favorite Linux distribution.
Go Back > Forums > Linux Forums > Linux - General
User Name
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.


  Search this Thread
Old 03-09-2007, 09:02 AM   #1
Registered: Jul 2004
Posts: 68

Rep: Reputation: 15
best way to implement syslog

I have a SLES server here that I configured a while ago to act as a syslog server. We log all events from all of our firewalls and recently added one windows server's events as well.

I configured syslog.conf to use a facility for each device that was sending events. This allows me to put each device's logs into its own "livelogs" file which is rolled hourly using a script I wrote into a file with a time/date stamp as well as the device name:
local0.* -/var/log/localmessages
local2.* -/var/log/localmessages
local1.* -/var/log/PIX/livelogs_Firewall1
local4.* -/var/log/PIX/livelogs_Firewall2
local5.* -/var/log/WIN/livelogs_Windowsbox
local6.* -/var/log/PIX/livelogs_Firewall3
local7.* -/var/log/PIX/livelogs_Firewall4

This isnt very scalable though as it limited me to 8 devices sending messages to this server and I *think* that these localX's were being used for local system logging already, before I made them log remote events (I dont have a solid understanding of how syslog works though so this might be inaccurate). Are the localX facilities reserved for receiving syslogs from remote locations or are they sometimes/always/often/optionally used locally for logging one thing or another?

If I have 2 NICs on this server, can I have 8 facilities available on each? Allowing me to log 16 remote devices to this server? How would I configure that? How would "bind" one syslog daemon to one int and another to the other int?

What is best practice and/or what do you do for a syslog server? one thought I had was to send everything to one facility and then when my script runs on the hour rolling over the livelogs files, it could possibly also sort one massive syslog file based on the device that sent the message, is this common practice?
Old 03-21-2007, 01:06 PM   #2
Registered: Feb 2005
Distribution: RHEL, CentOS
Posts: 113

Rep: Reputation: 16
local$x are limited to 8; syslog instances don't bind to interfaces so you are stuck with them.

Personally I use syslog-ng. Why? Because syslog-ng gives you far more control over where the incoming logs go. For example you can tell syslog-ng to log to a file who's path/name is dependant on the system name, the date, and the facility. So it doesn't matter that you have six devices all hardcoded to use local3 (or whatever), syslog-ng breaks them out into individual files.

Here is an example of one of my configurations. It is from a Sun, but with a little reading you can convert it to Linux fairly easily.

Beware the log rotation problems or you'll eat up your disk space fairly quick.

I also send everything to one massive file which is read once per day by a script which sends me either things I know to be bad, or things which the script does not know to be good.

This may not be a "best practise" but it works for me.
Old 03-21-2007, 01:23 PM   #3
Registered: Jul 2004
Posts: 68

Original Poster
Rep: Reputation: 15
sounds great.

I have syslog-ng on the box but im not using it (i dont think). Sounds like I need to be. Thanks for the feedback. Ill be sure to post more once I get around to trying syslog-ng and I try to figure out how to get it enabled and normal syslog disabled etc etc....


syslog, syslogng

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
rsync : how to use and implement indiancosmonaut Solaris / OpenSolaris 8 03-04-2007 11:54 PM
how to implement bridging kaleeshwari Linux - Networking 1 01-22-2007 06:11 AM
LXer: Centralized Syslog Server Using syslog-NG LXer Syndicated Linux News 0 04-28-2006 06:21 PM
About SSH, how to implement this? ICO Linux - Networking 2 04-14-2006 03:52 PM
Shell implement in c SatYr_84 Programming 8 10-06-2005 12:44 AM > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 03:18 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration