From: James
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: syslog-ng configs for separating warnings/errors and different types of traffic
Date: Sun, 22 Dec 2013 21:52:37 +0000 (UTC)
References: <52B748E7.5090007@libertytrek.org>
List-Id: Gentoo Linux mail

Tanstaafl libertytrek.org> writes:

> I'm very interested in what are best practices, and what others do as
> far as separating out different types of messages in their logs.

First list all of the resources you are going to monitor: webservers? DNS
activity/servers? Security? Specific ports? Users? Networks produce a
cornucopia of data to collect, monitor, store and analyze.

> I've always just sent everything to /var/log/messages, and this is not a
> very heavily loaded box so it hasn't been a big problem, but I'm working
> on a new server and would like to do some separation.

Ok, if your network is expanding and you've listed what you need to do,
then look for tools that will help make sense, quickly, of all of that
logged data: reportmagic, analog, awstats, just to name a few.
> I'd still like everything to go to /var/log/messages, but I'd like to
> also send certain types of messages to different logs to simplify
> troubleshooting, etc - ie, I often peruse the logs with:
>
> egrep '(reject|warning|error|fatal|panic):' /var/log/messages

If you use custom (CLI) or scripts, you'll need to think about collecting
that up and what sort of analysis you want/need to run.

> But I'd like to actually feed all of those messages to a separate log,
> for easier tailing.

systemd is clouding these issues versus syslog(ng), so whether or not you
are or are planning to use systemd is also a factor you need to
incorporate into your decision. If you are currently using cron, plan on
moving to "cronie" as it is actively maintained and cron is not.

There are many, many different and valid approaches to this issue, so
first go out and read about ideas related to what you need to do
(Googling is your friend). Collecting up data into a singular file allows
you to see what occurs in a chronological fashion, and is easiest for a
small network. Once you go creating many different log files, you now
need to develop a strategy to prioritize what you need to monitor.

Are you reviewing these log files by hand? Daily, weekly or real-time
monitoring? What is your first priority? Security? System admin (resource
utilization)? Keeping an ecommerce server/farm fast and responsive?
Following your hacker buddies around the net? (inside your net?)......

DEFINE what you need to do first. Then look for tools to ease the job.
Implement, test, refine...... "rinse and repeat". What you are asking is
a lifelong quest for most of us; it's never done, always there and
fundamental to running large amounts of hardware and software, hopefully
in a pristine manner.

Oh yeah, learn about "managed switches" and keeping track of what's going
on inside of your routers, too.
http://sixrevisions.com/tools/10-free-server-network-monitoring-tools-that-kick-ass/
http://www.jffnms.org/

> Charles

hth,
James
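An added example, not from James's or Tanstaafl's mail, of the syslog-ng split the original poster asks for: everything still lands in /var/log/messages, and a second file receives only the lines his egrep pattern would catch, with a priority-based filter shown as an alternative. The /var/log/problems path, the object names and the syslog-ng 3.x syntax are assumptions.

```conf
# Added example (not from the original thread): syslog-ng 3.x fragment.
# Object names and /var/log/problems are assumed, not from the mail.
@version: 3.4

source s_local {
    system();      # kernel + /dev/log on this host
    internal();    # syslog-ng's own messages
};

# Unchanged catch-all, as the poster already has it.
destination d_messages { file("/var/log/messages"); };

# Extra file for "problem" lines only; restrict permissions, since this
# file will concentrate auth failures and rejects worth protecting.
destination d_problems {
    file("/var/log/problems" perm(0640) create-dirs(yes));
};

# Option 1: the same regex the poster uses with egrep, applied to the
# MESSAGE part of each record (not to the timestamp/host prefix).
filter f_problem_text {
    message("(reject|warning|error|fatal|panic):");
};

# Option 2: select by syslog priority instead of text; catches messages
# a daemon tags as warning or worse even when the wording differs.
filter f_problem_level {
    level(warning..emerg);
};

# Everything goes to messages; matches are *copied* (no flags(final)),
# so nothing disappears from the chronological catch-all.
log { source(s_local); destination(d_messages); };
log {
    source(s_local);
    filter(f_problem_text);
    destination(d_problems);
};
# To use priority instead, swap f_problem_text for f_problem_level above.
```

Run `syslog-ng -s` (syntax check only) before reloading, and expect `tail -f /var/log/problems` to show a subset of /var/log/messages, never lines missing from it.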