Thanks for the outline of your setup. I'm a bit tempted to go for rsyslog actually, since it's already included in the RHN repository. Are there any shortcomings of rsyslog that I should be aware of? I've read that the config file may be messier than syslog-ng's, but that's pretty much it.

On 1/14/09, m.roth2006@xxxxxxx <m.roth2006@xxxxxxx> wrote:
>
> Kenneth,
>
> >Date: Wed, 14 Jan 2009 15:42:22 +0100
> >From: "Kenneth Holter" <kenneho.ndu@xxxxxxxxx>
> >
> >We're planning on setting up centralized logging for our RHEL systems, and
> >have to decide on applications to use for collecting logs and analyzing
> >them.
> >Most of our systems are running RHEL, so we're looking for software that is
> >supported on this platform.
> >
> >The first issue would be to decide on which syslog implementation to use,
> >and "syslog-ng" seems to be very popular. Will this be included in EPEL or
> >such in the near future?
> >Are there better options than syslog-ng?
>
> How *very* odd - at work, last week, we were just deciding on this, and
> setting it up. Anyway, my manager decided on syslog-ng, which has been
> around a long time, although I understand that rsyslog is coming in as the
> standard with CentOS.
>
> What we did was to set up one syslog server with syslog-ng. All the other
> servers were left with the stock syslog, which does allow you to specify
> that a copy of the log should also be sent to a remote server.
>
> For example, in /etc/syslog.conf, for the std. syslog, you add:
> *.info;mail.none;authpriv.info;cron.none;kern.debug;daemon.err @<syslog server name>
>
> Then, on the syslog server, as I said, we put in syslog-ng. In its
> configuration file, I separated remote servers (and tcp and udp incoming
> logs), and then set up filters and destinations in
> <path>/<hostname><YYYYMMDD>/<logs>
>
> Setting up filters turned out to be incredibly easy. One post I found very
> helpful was
> <https://lists.balabit.hu/pipermail/syslog-ng/2007-May/010176.html>
> In my case, I used facility(secure) and match(strings I wanted), and dumped
> them in separate destinations.
>
> >After collecting the syslog data, we'll need to analyze them. Swatch and SEC
> >are two options, as well as logwatch. The latter doesn't monitor in real
> >time, so I guess this one is out of the picture. Feedback on Swatch and SEC,
> >as well as other good options, is appreciated.
> <snip>
> Let us know how it goes. I'd be interested in knowing what you use.
>
> mark
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
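Mark's description of his server stays at the level of <path>/<hostname><YYYYMMDD>/<logs>, so here is an added example of what that syslog-ng server side looks like in full (my own illustration in syslog-ng 3.x syntax, not Mark's or Kenneth's actual configuration; the /var/log/remote path, port 514 and the "Failed password" string are assumptions). It uses facility(authpriv), the facility RHEL's stock syslog writes to /var/log/secure, where Mark writes facility(secure), and it leaves hostname rewriting off so that the per-host directory is named from the sending address rather than from a HOST field the client fills in itself.

```conf
@version: 3.0
# Added example, not the poster's config: syslog-ng server receiving from
# stock-syslog clients that forward with "@<syslog server name>".
# Assumed values: /var/log/remote, port 514, the "Failed password" string.

options {
    keep_hostname(no);   # $HOST comes from the sending socket, not from the
    use_dns(no);         # client-supplied HOST field; no DNS lookups either
    create_dirs(yes);    # let the $HOST$YEAR$MONTH$DAY directories appear
    dir_perm(0700);      # log trees readable by root only
    perm(0600);
    owner("root");
    group("root");
};

# Incoming remote logs, tcp and udp kept in one source. The "@" forwarding
# line in /etc/syslog.conf sends udp; tcp is there for clients that can use it.
source s_remote {
    udp(ip("0.0.0.0") port(514));
    tcp(ip("0.0.0.0") port(514) max_connections(100));
};

# Everything from a host: <path>/<hostname><YYYYMMDD>/messages
destination d_remote_all {
    file("/var/log/remote/$HOST$YEAR$MONTH$DAY/messages");
};

# Authentication records (sshd, su, PAM) split into their own file
filter f_secure { facility(authpriv); };
destination d_remote_secure {
    file("/var/log/remote/$HOST$YEAR$MONTH$DAY/secure");
};

# A match() on one string of interest, as Mark describes, e.g. SSH failures
filter f_ssh_fail { match("Failed password" value("MESSAGE")); };
destination d_remote_sshfail {
    file("/var/log/remote/$HOST$YEAR$MONTH$DAY/ssh-failures");
};

log { source(s_remote); destination(d_remote_all); };
log { source(s_remote); filter(f_secure); destination(d_remote_secure); };
log { source(s_remote); filter(f_ssh_fail); destination(d_remote_sshfail); };
```

With keep_hostname(no) a message carrying a bogus hostname still lands under the directory of the address it actually came from, which is what you want when the tree is later fed to Swatch or SEC.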