Old 01-14-2009, 01:42 PM
"Kenneth Holter"
 
Setting up centralized logging

Hello list.


We're planning on setting up centralized logging for our RHEL systems, and
have to decide on applications to use for collecting logs and analyzing
them.
Most of our systems are running RHEL, so we're looking for software that is
supported on this platform.

The first issue would be to decide on which syslog implementation to use,
and "syslog-ng" seems to be very popular. Will this be included in EPEL or
such in near future?
Are there better options than syslog-ng?

After collecting the syslog data, we'll need to analyze them. Swatch and SEC
are two options, as well as logwatch. The latter doesn't monitor in real
time, so I guess this one is out of the picture. Feedback on Swatch and SEC,
as well as other good options, is appreciated.

Lastly, we'll have to decide on how to set up the architecture, such as
relay architecture or single central loghost. Does anyone know of good
documentation that discusses this issue?


Regards,
Kenneth Holter
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
 
Old 01-14-2009, 01:50 PM
"De Vries, Timothy"
 
Setting up centralized logging

Hi,

Rsyslog is an option and is included in RHEL 5.2 as an RPM. I like it because it allows you to post the priority.facility (PRI) values in the syslog messages which make it easier to filter for 'interesting' messages via a centralized server running swatch. Syslog-ng may also do this but I've not used it.

Thanks,
Tim
 
Old 01-14-2009, 03:12 PM
 
Setting up centralized logging

Kenneth,

>Date: Wed, 14 Jan 2009 15:42:22 +0100
>From: "Kenneth Holter" <kenneho.ndu@gmail.com>
>
>We're planning on setting up centralized logging for our RHEL systems, and
>have to decide on applications to use for collecting logs and analyzing
>them.
>Most of our systems are running RHEL, so we're looking for software that is
>supported on this platform.
>
>The first issue would be to decide on which syslog implementation to use,
>and "syslog-ng" seems to be very popular. Will this be included in EPEL or
>such in near future?
>Are there better options than syslog-ng?

How *very* odd - at work, last week, we were just deciding on this, and setting it up. Anyway, my manager decided on syslog-ng, which has been around a long time, although I understand that rsyslog is coming in as the standard with CentOS.

What we did was to set up one syslog server with syslog-ng. All the other servers were left with the stock syslog, which does allow you to specify that a copy of the log should also be sent to a remote server.

For example, in the /etc/syslog.conf, for the std. syslog, you add:
*.info;mail.none;authpriv.info;cron.none;kern.debug;daemon.err @<syslog server name>

Then, on the syslog server, as I said, we put in syslog-ng. In its configuration file, I separated remote servers (and tcp and udp incoming logs), and then set up filters and destinations in <path>/<hostname><YYYYMMDD>/<logs>

Setting up filters turned out to be incredibly easy. One post I found very helpful was
<https://lists.balabit.hu/pipermail/syslog-ng/2007-May/010176.html>
In my case, I used facility(secure) and match(strings I wanted), and dumped them in separate destinations.

>
>After collecting the syslog data, we'll need to analyze them. Swatch and SEC
>are two options, as well as logwatch. The latter doesn't monitor in real
>time, so I guess this one is out of the picture. Feedback on Swatch and SEC,
>as well as other good options, is appreciated.
<snip>
Let us know how it goes. I'd be interested in knowing what you use.

mark

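As an added illustration (not code from the thread, nor from syslog-ng, rsyslog or swatch), the following Python emulates the two mechanisms described above: Tim's point that the PRI value carried in each message encodes its facility and severity, and mark's setup of a selector line on the clients with per-host, per-day destinations on the central loghost. It decodes the <PRI> prefix, applies the syslog.conf selector quoted above with sysklogd's "later part overrides" semantics, and files each selected message under <path>/<hostname><YYYYMMDD>/, flagging lines that contain a watch string. The sample log lines, the root directory, the host name and the watch string are constructed for the example; the facility and severity numbering is the one from RFC 3164.

```python
import re
from datetime import date
# Facility and severity numbering from the BSD syslog protocol (RFC 3164):
# the "<86>" prefix on a wire message is PRI = facility * 8 + severity.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed sample lines (not from the thread) as a central loghost would receive them.
SAMPLE = [
    "<86>Jan 14 15:42:22 web01 sshd[2041]: Failed password for invalid user test from 10.0.0.9",
    "<22>Jan 14 15:42:23 web01 postfix/smtpd[311]: connect from localhost",
    "<30>Jan 14 15:42:24 web01 ntpd[900]: synchronized to 10.0.0.1",
    "<27>Jan 14 15:42:25 web01 sshd[1]: error: Bind to port 22 failed",
    "<7>Jan 14 15:42:26 web01 kernel: eth0: link up",
    "<78>Jan 14 15:42:27 web01 crond[5]: (root) CMD (run-parts /etc/cron.hourly)",
]

def decode_pri(line):
    """Split the <PRI> prefix into (facility, severity, message); None if absent or invalid."""
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= 191:          # 23 * 8 + 7 is the largest legal PRI
        pri = int(m.group(1))
        return FACILITIES.get(pri >> 3, f"facility{pri >> 3}"), SEVERITIES[pri & 7], m.group(2)
    return None

def parse_selector(selector):
    """Map a syslog.conf selector to {facility: most-verbose severity index}. Only the
    'fac.sev' and 'fac.none' forms are handled; as in sysklogd, a later part overrides."""
    rules = {}
    for part in selector.split(";"):
        fac, sev = part.strip().split(".")
        for f in (FACILITIES.values() if fac == "*" else [fac]):
            if sev == "none":
                rules.pop(f, None)                 # drop that facility entirely
            else:
                rules[f] = SEVERITIES.index(sev)   # sev and everything more severe
    return rules

def route(line, rules, root, host, day, watch=()):
    """Return (path, watch hit) under <path>/<host><YYYYMMDD>/<log>, or None if dropped."""
    decoded = decode_pri(line)
    if decoded is None:
        return None
    facility, severity, msg = decoded
    if facility not in rules or SEVERITIES.index(severity) > rules[facility]:
        return None
    return f"{root}/{host}{day:%Y%m%d}/{facility}.log", any(s in msg for s in watch)

def demo():
    rules = parse_selector("*.info;mail.none;authpriv.info;cron.none;kern.debug;daemon.err")
    return [route(l, rules, "/var/log/remote", "web01", date(2009, 1, 14),
                  watch=("Failed password",)) for l in SAMPLE]
```

Running demo() shows the selector dropping the mail, daemon.info and cron lines while the authpriv, daemon.err and kern.debug lines are filed under /var/log/remote/web0120090114/, with the failed-login line flagged.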
 
Old 01-14-2009, 05:32 PM
"Ahmed Sharif"
 
Setting up centralized logging

Hello Kenneth,

Syslog-ng seems to me perfect for centralized logging, though I haven't used
the other solution. The official documentation I got at
http://www.balabit.com/support/documentation/?product=syslog-ng is very
useful. I used it in a mixed OS environment (Solaris 10, RHEL5). Both
commercial and open source editions are available. You will get the details
here <http://www.balabit.com/dl/brochures/syslog-ng-v3.0-description-en.pdf>.
You may also find the following forum <http://www.syslog.org/forum/index.php>
very useful. Please ask about any specific requirements/questions.

Thanks and Regards,

Ahmed Sharif

 
Old 01-14-2009, 09:38 PM
 
Setting up centralized logging

>Date: Wed, 14 Jan 2009 15:42:22 +0100
>From: "Kenneth Holter" <kenneho.ndu@gmail.com>
<snip>
>After collecting the syslog data, we'll need to analyze them. Swatch and SEC
>are two options, as well as logwatch. The latter doesn't monitor in real
>time, so I guess this one is out of the picture. Feedback on Swatch and SEC,
>as well as other good options, is appreciated.

One question: I know what swatch is, but what's SEC (other than the Securities and Exchange Commission)?

mark

 
Old 01-15-2009, 07:43 AM
"Kenneth Holter"
 
Setting up centralized logging

Thanks for the outline of your setup.

I'm a bit tempted to go for rsyslog actually, since it's already included in
the RHN repository.

Are there any shortcomings of rsyslog that I should be aware of? I've read
that the config file may be more messy than syslog-ng, but that's pretty
much it.



 
Old 01-15-2009, 12:51 PM
"Michael Simpson"
 
Setting up centralized logging

On 1/15/09, Kenneth Holter <kenneho.ndu@gmail.com> wrote:
> Thanks for the outline of your setup.
>
> I'm a bit tempted to go for rsyslog actually, since it's already included in
> the RHN repository.
>
> Are there any shortcomings of rsyslog that I should be aware of? I've read
> that the config file may be more messy than syslog-ng, but that's pretty
> much it.
>

rsyslog integrates nicely with MySQL as well, allowing for all sorts of
nice information manipulation of really heavy logging loads.

mike

 
Old 01-15-2009, 01:44 PM
"Romeo Theriault"
 
Setting up centralized logging

I've been using swatch now for about 1 year. It's been really great. It
hasn't died on me once and has caught all things I've asked it to. I have
it sending me emails and SMS messages, based on the severity of the log
message.

--
Romeo Theriault
 
Old 01-15-2009, 03:43 PM
 
Setting up centralized logging

>Date: Thu, 15 Jan 2009 13:51:22 +0000
>From: "Michael Simpson" <mikie.simpson@gmail.com>
>Subject: Re: Setting up centralized logging
>To: "General Red Hat Linux discussion list" <redhat-list@redhat.com>
>
>On 1/15/09, Kenneth Holter <kenneho.ndu@gmail.com> wrote:
>> Thanks for the outline of your setup.
>>
>> I'm a bit tempted to go for rsyslog actually, since it's already included in
>> the RHN repository.
>>
>> Are there any shortcomings of rsyslog that I should be aware of? I've read
>> that the config file may be more messy than syslog-ng, but that's pretty
>> much it.
>>
>rsyslog integrates nicely with mySQL as well allowing for all sorts of
>nice information manipulation of really heavy logging loads
>
I think syslog-ng does, as well. In my case, though, we had to preserve the original logs, in case forensics needs it.

mark

 
Old 01-15-2009, 11:19 PM
"Marcos Aurelio Rodrigues"
 
Setting up centralized logging

Maybe OSSEC does what you want.

[]s
Marcos




 
