Hello Kenneth, Syslog-ng seems to me perfect for centralized logging, though I haven't used the other solution. The official documentation I got at http://www.balabit.com/support/documentation/?product=syslog-ng is very useful. I used it in a mixed OS environment (Solaris 10, RHEL5). Both commercial and open source edition is available. You will get the details here <http://www.balabit.com/dl/brochures/syslog-ng-v3.0-description-en.pdf>. You may also find the following forum<http://www.syslog.org/forum/index.php>very useful. Please ask about any specific requirements/questions. Thanks and Regards, Ahmed Sharif On Wed, Jan 14, 2009 at 10:12 PM, <m.roth2006@xxxxxxx> wrote: > Kenneth, > > >Date: Wed, 14 Jan 2009 15:42:22 +0100 > >From: "Kenneth Holter" <kenneho.ndu@xxxxxxxxx> > > > >We're planning on setting up centralized logging for our RHEL systems, and > >have to decide on applications to use for collecting logs and analyzing > >them. > >Most of our systems are running RHEL, so we're looking for software that > is > >supported on this platform. > > > >The first issue would be to decide on which syslog implementation to use, > >and "syslog-ng" seems to be very popular. Will this be included in EPEL or > >such in near future? > >Are there better options than syslog-ng? > > How *very* odd - at work, last week, we were just deciding on this, and > setting it up. Anyway, my manager decided on syslog-ng, which has been > around a long time, although I understand that rsyslog is coming in as the > standard with CentOS. > > What we did was to set up one syslog server with syslog-ng. All the other > servers were left with the stock syslog, which does allow you to specify > that a copy of the log should also be sent to a remote server. > > For example, in the /etc/syslog.conf, for the std. syslog, you add: > *.info;mail.none;authpriv.info;cron.none;kern.debug;daemon.err @<syslog > server name> > > Then, on the syslog server, as I said, we put in syslog-ng. In its > configuration file, I separated remote servers (and tcp and udp incoming > logs), and then set up filters and destinations in > <path>/<hostname><YYYYMMDD>/<logs> > > Setting up filters turned out to be incredibly easy. One post I found very > helpful was > <https://lists.balabit.hu/pipermail/syslog-ng/2007-May/010176.html> > In my case, I used facility(secure) and match(strings I wanted), and dumped > them in separate destinations. > > > > >After collecting the syslog data, we'll need to analyze them. Swatch and > SEC > >are two options, as well as logwatch. The latter doesn't monitor in real > >time, so I guess this one is out of the picture. Feedback on Swatch and > SEC, > >as well as other good options, is appreciated. > <snip> > Let us know how it goes. I'd be interested in knowing what you use. > > mark > > -- > redhat-list mailing list > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe > https://www.redhat.com/mailman/listinfo/redhat-list > -- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
