Centralize Logging

 
Maaz
Valued Contributor

Centralize Logging

Dear Gurus

On one Linux box (client), /etc/syslog.conf:
user.* @logserver
#service syslog restart

On the log server, /etc/sysconfig/syslog.conf:
SYSLOGD_OPTIONS="-r -m 0"
#service syslog restart
#tail -f /var/log/messages

OK, logging is centralized now, e.g. on the client machine I ran "startx" and I can see the messages on logserver.
But the client machine still logs messages locally, and I want the client machine not to log messages locally.
What more do I have to do?


Regards
Maaz
5 REPLIES 5
Maaz
Valued Contributor

Re: Centralize Logging

OS = rhel 4

And there are more things left:

1. I want to log /var/log/squid/access to a central log server, say "logserver" (and not locally).
What config do I have to do on the Squid server machine?
2. I also want to log Apache logs to a central log server, say "logserver" (and not locally).
What config do I have to do on the Apache server machine?
Vitaly Karasik_1
Honored Contributor
Solution

Re: Centralize Logging

Apache:
You should redirect Apache logs to syslog, for example:

ErrorLog syslog:user

I'm not sure that you can use the same way
CustomLog syslog:user combined

for access_log, or you should use piping:
CustomLog "| /usr/bin/logger -p user.info" combined

Of course, you can use a localX facility instead of user.

(For more, see http://httpd.apache.org/docs/2.0/mod/core.html)

Squid: you should start squid with the "-s" flag for logging to syslog.

Rgds,
Vitaly
Maaz
Valued Contributor

Re: Centralize Logging

Thanks, dear Vitaly Karasik


From my 1st post:
OK, logging is centralized now, e.g. on the client machine I ran "startx" and I can see the messages on logserver.
But the client machine still logs messages locally, and I want the client machine not to log messages locally.
What more do I have to do?

Plz help
Regards
Maaz
Steven E. Protter
Exalted Contributor

Re: Centralize Logging

Shalom Maaz,

Two things to consider as I'm doing this right now.

I set up the logs directory on the central server as an NFS share.

Then I set up /etc/fstab to mount that NFS share at startup.

Then all logs go to that location.

Doing it in syslog requires that port 514 be open and that can be a problem with some firewall configurations.

I generally go with Vitaly's format (NFS or syslog) and keep the local copy of the log. The reason is that if there is a communication problem with the central log server, I still need those logs somewhere so I keep an extra copy.

You should take this into account in the logrotate configuration and have logrotate run not on the central server but on the individual servers around the network.

SEP
Steven E Protter
Owner of ISN Corporation
Vitaly Karasik_1
Honored Contributor

Re: Centralize Logging

If you use the "user" facility for Apache's log and want to exclude such messages from the local syslog file, in syslog.conf on your client machine you should use

*.*;user.none /var/log/messages

Unfortunately, I don't know whether it is possible to choose the facility for the squid log. If not, we cannot separate squid messages from the other daemons' messages.
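
Added example, not part of any post in this thread: a simplified Python model of sysklogd selector matching that shows which destinations a message reaches on the client before and after the "user" facility is excluded from the local file with the "facility.none" selector form. The /var/log/messages selector line is an assumed default, and selects() and route() are hypothetical helper names.

```python
# Added example: simplified model of sysklogd selector matching (not sysklogd's own code).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def selects(selector_field, facility, priority):
    """True if a selector field such as '*.info;user.none' selects the message."""
    level = PRIORITIES.index(priority)
    selected = False
    for sel in selector_field.split(";"):      # later selectors override earlier ones
        facs, _, prio = sel.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":                     # facility.none drops the whole facility
            selected = False
            continue
        negate = prio.startswith("!")          # '!' inverts the priority match
        prio = prio.lstrip("!")
        exact = prio.startswith("=")           # '=' means exactly this priority
        prio = prio.lstrip("=")
        if prio == "*":
            hit = True
        else:
            want = PRIORITIES.index(prio)
            hit = (level == want) if exact else (level >= want)
        if hit:
            selected = not negate
    return selected

def route(config, facility, priority):
    """Return the actions (files or @hosts) that receive the message."""
    actions = []
    for line in config.strip().splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector_field, action = line.split(None, 1)
            if selects(selector_field, facility, priority):
                actions.append(action.strip())
    return actions

# Constructed client configs; the /var/log/messages selector is an assumed default.
BEFORE = """
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
user.*                                    @logserver
"""
AFTER = """
*.info;mail.none;authpriv.none;cron.none;user.none  /var/log/messages
user.*                                              @logserver
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, "user.notice ->", route(cfg, "user", "notice"))
```

Keeping a local copy, as one reply recommends, corresponds to the BEFORE configuration; AFTER leaves user-facility messages only on the log server.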