Setting up centralized logging
Hello list.
We're planning on setting up centralized logging for our RHEL systems, and have to decide on applications to use for collecting logs and analyzing them. Most of our systems are running RHEL, so we're looking for software that is supported on this platform.

The first issue would be to decide on which syslog implementation to use, and "syslog-ng" seems to be very popular. Will this be included in EPEL or such in the near future? Are there better options than syslog-ng?

After collecting the syslog data, we'll need to analyze them. Swatch and SEC are two options, as well as logwatch. The latter doesn't monitor in real time, so I guess this one is out of the picture. Feedback on Swatch and SEC, as well as other good options, is appreciated.

Lastly, we'll have to decide on how to set up the architecture, such as a relay architecture or a single central loghost. Does anyone know of good documentation that discusses this issue?

Regards,
Kenneth Holter

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
Setting up centralized logging
Hi,
Rsyslog is an option and is included in RHEL 5.2 as an RPM. I like it because it allows you to post the priority.facility (PRI) values in the syslog messages, which makes it easier to filter for 'interesting' messages via a centralized server running swatch. Syslog-ng may also do this but I've not used it.

Thanks,
Tim

-----Original Message-----
From: redhat-list-bounces@redhat.com [mailto:redhat-list-bounces@redhat.com] On Behalf Of Kenneth Holter
Sent: Wednesday, January 14, 2009 9:42 AM
To: redhat-list@redhat.com
Subject: Setting up centralized logging

<snip>
Setting up centralized logging
Kenneth,
>Date: Wed, 14 Jan 2009 15:42:22 +0100
>From: "Kenneth Holter" <kenneho.ndu@gmail.com>
>
>We're planning on setting up centralized logging for our RHEL systems, and
>have to decide on applications to use for collecting logs and analyzing
>them.
>Most of our systems are running RHEL, so we're looking for software that is
>supported on this platform.
>
>The first issue would be to decide on which syslog implementation to use,
>and "syslog-ng" seems to be very popular. Will this be included in EPEL or
>such in near future?
>Are there better options than syslog-ng?

How *very* odd - at work, last week, we were just deciding on this, and setting it up. Anyway, my manager decided on syslog-ng, which has been around a long time, although I understand that rsyslog is coming in as the standard with CentOS.

What we did was to set up one syslog server with syslog-ng. All the other servers were left with the stock syslog, which does allow you to specify that a copy of the log should also be sent to a remote server.

For example, in the /etc/syslog.conf, for the std. syslog, you add:

    *.info;mail.none;authpriv.info;cron.none;kern.debug;daemon.err @<syslog server name>

Then, on the syslog server, as I said, we put in syslog-ng. In its configuration file, I separated remote servers (and tcp and udp incoming logs), and then set up filters and destinations in <path>/<hostname><YYYYMMDD>/<logs>

Setting up filters turned out to be incredibly easy. One post I found very helpful was <https://lists.balabit.hu/pipermail/syslog-ng/2007-May/010176.html>

In my case, I used facility(secure) and match(strings I wanted), and dumped them in separate destinations.

>After collecting the syslog data, we'll need to analyze them. Swatch and SEC
>are two options, as well as logwatch. The latter doesn't monitor in real
>time, so I guess this one is out of the picture. Feedback on Swatch and SEC,
>as well as other good options, is appreciated.
<snip>

Let us know how it goes. I'd be interested in knowing what you use.

mark
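As an added example (not code from this thread, nor from rsyslog or syslog-ng), the Python sketch below puts together two points made above: Tim's remark that keeping the PRI value in forwarded messages makes it easy to filter for interesting ones, and mark's receiver layout of per-host, per-day destinations with a separate destination for matched security messages. It assumes BSD-style syslog lines as the stock syslogd forwards them, supplies the year the wire format lacks, and renders mark's facility(secure) filter as a match on the auth and authpriv facilities (an assumption). The hostnames, addresses and messages in SAMPLE_LINES are constructed. Since the hostname in a received message is whatever the sender put there, it is validated before it becomes part of a directory name, and each original line is appended unchanged so the raw record survives for later review.

```python
import os
import re
import tempfile
from datetime import datetime

# RFC 3164 numeric codes: PRI = facility * 8 + severity (facility 0..23, severity 0..7).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Wire format of a BSD-syslog datagram: <PRI>Mmm dd hh:mm:ss host tag: message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# The hostname is sender-controlled; only allow characters that are safe in a directory name.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,254}")

# Assumed rendering of mark's facility(secure) + match(...) filter.
SECURE_FACILITIES = {"auth", "authpriv"}
INTERESTING = re.compile(r"Failed password|Accepted (?:password|publickey)|sudo:")

# Constructed sample traffic: three authpriv messages, one cron, one kernel, one malformed line.
SAMPLE_LINES = [
    "<86>Jan 14 09:42:01 web01 sshd[4242]: Accepted publickey for kenneth from 192.0.2.10 port 51515 ssh2",
    "<86>Jan 14 09:42:07 web01 sshd[4243]: Failed password for root from 198.51.100.7 port 40022 ssh2",
    "<85>Jan 14 09:42:09 web01 sudo:  kenneth : TTY=pts/0 ; PWD=/home/kenneth ; COMMAND=/bin/cat /var/log/secure",
    "<78>Jan 14 09:43:00 db01 crond[1001]: (root) CMD (run-parts /etc/cron.hourly)",
    "<0>Jan 14 09:44:30 db01 kernel: Kernel panic - not syncing: constructed sample",
    "garbage with no PRI header",
]


def decode_pri(pri):
    """Split a PRI value into (facility, severity) names; values above 191 are invalid."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_line(line, year):
    """Parse one wire-format line into a dict, or return None if it is not valid syslog."""
    m = LINE_RE.match(line)
    if m is None or not HOST_RE.fullmatch(m.group("host")):
        return None
    try:
        facility, severity = decode_pri(int(m.group("pri")))
        # BSD timestamps carry no year, so the receiver has to supply one.
        stamp = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    return {"facility": facility, "severity": severity, "timestamp": stamp,
            "host": m.group("host"), "msg": m.group("msg"), "raw": line}


def destination(rec, base_dir):
    """Path in mark's layout, <path>/<hostname><YYYYMMDD>/<logs>: matched security
    messages get their own file, everything else is filed by facility."""
    day_dir = os.path.join(base_dir, f"{rec['host']}{rec['timestamp']:%Y%m%d}")
    if rec["facility"] in SECURE_FACILITIES and INTERESTING.search(rec["msg"]):
        return os.path.join(day_dir, "secure-matched.log")
    return os.path.join(day_dir, f"{rec['facility']}.log")


def route(lines, year, base_dir):
    """Append each parseable line, unchanged, to its destination; return per-file counts."""
    counts = {}
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue  # malformed input is dropped rather than guessed at
        path = destination(rec, base_dir)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(rec["raw"] + "\n")
        counts[path] = counts.get(path, 0) + 1
    return counts


def demo():
    """Route the constructed sample into a temporary directory and return the counts."""
    base = tempfile.mkdtemp(prefix="central-logs-")
    return route(SAMPLE_LINES, 2009, base)


if __name__ == "__main__":
    for path, n in sorted(demo().items()):
        print(f"{n:3d}  {path}")
```

Running it files the three matched authpriv messages from web01 into secure-matched.log and the cron and kernel messages from db01 into cron.log and kern.log under their own day directories; the line without a PRI header is dropped. Dropping rather than guessing is deliberate: a receiver that tries to repair malformed input is harder to reason about than one whose raw files contain only what it could actually parse.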
Setting up centralized logging
Hello Kenneth,
Syslog-ng seems to me perfect for centralized logging, though I haven't used the other solution. The official documentation I got at http://www.balabit.com/support/documentation/?product=syslog-ng is very useful. I used it in a mixed OS environment (Solaris 10, RHEL5). Both commercial and open source editions are available. You will get the details here: <http://www.balabit.com/dl/brochures/syslog-ng-v3.0-description-en.pdf>. You may also find the following forum <http://www.syslog.org/forum/index.php> very useful. Please ask about any specific requirements/questions.

Thanks and Regards,
Ahmed Sharif

On Wed, Jan 14, 2009 at 10:12 PM, <m.roth2006@rcn.com> wrote:
> <snip>
Setting up centralized logging
>Date: Wed, 14 Jan 2009 15:42:22 +0100
>From: "Kenneth Holter" <kenneho.ndu@gmail.com>
<snip>
>After collecting the syslog data, we'll need to analyze them. Swatch and SEC
>are two options, as well as logwatch. The latter doesn't monitor in real
>time, so I guess this one is out of the picture. Feedback on Swatch and SEC,
>as well as other good options, is appreciated.

One question: I know what swatch is, but what's SEC (other than the Securities and Exchange Commission)?

mark
Setting up centralized logging
Thanks for the outline of your setup.
I'm a bit tempted to go for rsyslog actually, since it's already included in the RHN repository.

Are there any shortcomings of rsyslog that I should be aware of? I've read that the config file may be more messy than syslog-ng, but that's pretty much it.

On 1/14/09, m.roth2006@rcn.com <m.roth2006@rcn.com> wrote:
> <snip>
Setting up centralized logging
On 1/15/09, Kenneth Holter <kenneho.ndu@gmail.com> wrote:
> Thanks for the outline of your setup.
>
> I'm a bit tempted to go for rsyslog actually, since it's already included in
> the RHN repository.
>
> Are there any shortcomings of rsyslog that I should be aware of? I've read
> that the config file may be more messy than syslog-ng, but that's pretty
> much it.
>

rsyslog integrates nicely with MySQL as well, allowing for all sorts of nice information manipulation of really heavy logging loads.

mike
Setting up centralized logging
I've been using swatch now for about 1 year. It's been really great. It hasn't died on me once and has caught all things I've asked it to. I have it sending me emails and sms messages, based on the severity of the log message.

On Wed, Jan 14, 2009 at 9:42 AM, Kenneth Holter <kenneho.ndu@gmail.com> wrote:
> <snip>

--
Romeo Theriault
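Romeo's arrangement of swatch sending e-mail or SMS according to the severity of the message is sketched below as an added example in Python; it is not swatch's own code or configuration. It takes already-parsed events (severity, host, message), chooses delivery channels from the severity, adds swatch-style pattern rules that fire once a threshold of matches is reached inside a time window, and throttles repeats of the same alert so a message that loops every second does not page anyone every second. The severity policy, the rule thresholds, and the hosts and messages in SAMPLE_EVENTS are all constructed assumptions; the clock is injected so the logic can be replayed deterministically.

```python
import re
from collections import namedtuple

# Syslog severities in RFC 3164 numeric order, most urgent first.
SEVERITY_RANK = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                 "warning": 4, "notice": 5, "info": 6, "debug": 7}

# A swatch-style rule: fire `channels` once `count` matches sharing the same host and
# captured groups have been seen within `seconds`.
Rule = namedtuple("Rule", "name pattern channels count seconds")

RULES = [
    # Five failed SSH logins from one source within a minute is worth a mail (assumed threshold).
    Rule("ssh-failed-logins", re.compile(r"Failed password for \S+ from (\S+)"), ("email",), 5, 60),
    # Every sudo use is mailed immediately (assumed policy).
    Rule("sudo-use", re.compile(r"sudo: +(\S+) :"), ("email",), 1, 1),
]


def channels_for(severity):
    """Severity-based delivery as Romeo describes it: crit and above page by SMS and
    e-mail, err and warning go by e-mail, anything quieter is only stored (assumption)."""
    rank = SEVERITY_RANK[severity]
    if rank <= 2:
        return ("sms", "email")
    if rank <= 4:
        return ("email",)
    return ()


class Watcher:
    """Routes events to channels with a per-key throttle so a repeating message does
    not turn into a flood of pages. `now` is a callable returning seconds."""

    def __init__(self, rules, now, throttle_seconds=300):
        self.rules = rules
        self.now = now
        self.throttle = throttle_seconds
        self.last_sent = {}  # (channel, key) -> time of last delivery
        self.hits = {}       # rule key -> timestamps of matches still inside the window

    def _deliver(self, channel, key, msg, t):
        last = self.last_sent.get((channel, key))
        if last is not None and t - last < self.throttle:
            return []  # the same alert already went out recently
        self.last_sent[(channel, key)] = t
        return [(channel, key, msg)]

    def process(self, severity, host, msg):
        """Return the list of (channel, key, message) alerts this event produces."""
        t = self.now()
        alerts = []
        # 1. Severity-driven routing, keyed by host and program (pid stripped) so that
        #    unrelated warnings from one host do not suppress each other.
        program = re.sub(r"\[\d+\]", "", msg.split(":", 1)[0])
        for channel in channels_for(severity):
            alerts += self._deliver(channel, f"{host} {severity} {program}", msg, t)
        # 2. Pattern rules with a sliding-window threshold.
        for rule in self.rules:
            m = rule.pattern.search(msg)
            if m is None:
                continue
            key = f"{rule.name} {host} {' '.join(m.groups())}"
            window = [ts for ts in self.hits.get(key, []) if t - ts < rule.seconds]
            window.append(t)
            self.hits[key] = window
            if len(window) >= rule.count:
                for channel in rule.channels:
                    alerts += self._deliver(channel, key, msg, t)
        return alerts


# Constructed sample: (seconds since start, severity, host, message).
SAMPLE_EVENTS = [
    (0, "info", "web01", "sshd[4243]: Failed password for root from 198.51.100.7 port 40022 ssh2"),
    (5, "info", "web01", "sshd[4244]: Failed password for root from 198.51.100.7 port 40023 ssh2"),
    (9, "info", "web01", "sshd[4245]: Failed password for root from 198.51.100.7 port 40024 ssh2"),
    (14, "info", "web01", "sshd[4246]: Failed password for root from 198.51.100.7 port 40025 ssh2"),
    (20, "info", "web01", "sshd[4247]: Failed password for root from 198.51.100.7 port 40026 ssh2"),
    (22, "info", "web01", "sshd[4248]: Failed password for root from 198.51.100.7 port 40027 ssh2"),
    (30, "warning", "db01", "mysqld[900]: Disk is 91% full"),
    (31, "warning", "db01", "mysqld[900]: Disk is 91% full"),
    (35, "notice", "web01", "sudo:  kenneth : TTY=pts/0 ; PWD=/home/kenneth ; COMMAND=/bin/cat /var/log/secure"),
    (40, "emerg", "db01", "kernel: Kernel panic - not syncing: constructed sample"),
]


def demo(events=SAMPLE_EVENTS):
    """Replay the events against a fake clock and return every alert that would be sent."""
    clock = [0]
    watcher = Watcher(RULES, now=lambda: clock[0])
    sent = []
    for offset, severity, host, msg in events:
        clock[0] = offset
        sent += watcher.process(severity, host, msg)
    return sent


if __name__ == "__main__":
    for channel, key, msg in demo():
        print(f"{channel:5s} {key:45s} {msg}")
```

Replaying the sample produces five deliveries: one mail when the fifth failed login from the same source arrives, one mail for the first disk warning (the repeat a second later is throttled), one mail for the sudo use, and an SMS plus a mail for the kernel panic. The sixth failed login is suppressed by the throttle, not by the threshold, which is the behaviour you want: the alert has already gone out, and more copies add nothing.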
Setting up centralized logging
>Date: Thu, 15 Jan 2009 13:51:22 +0000
>From: "Michael Simpson" <mikie.simpson@gmail.com>
>Subject: Re: Setting up centralized logging
>To: "General Red Hat Linux discussion list" <redhat-list@redhat.com>
>
>On 1/15/09, Kenneth Holter <kenneho.ndu@gmail.com> wrote:
>> <snip>
>rsyslog integrates nicely with mySQL as well allowing for all sorts of
>nice information manipulation of really heavy logging loads
>

I think syslog-ng does, as well. In my case, though, we had to preserve the original logs, in case forensics needs it.

mark
Setting up centralized logging
Maybe OSSEC does what you want.

[]s
Marcos

On Thu, Jan 15, 2009 at 2:43 PM, <m.roth2006@rcn.com> wrote:
> <snip>