Re: syslogd question

2006-02-11 Thread jared r r spiegel
On Fri, Feb 10, 2006 at 05:51:41PM -0500, Mitch Parker wrote:
> 
> I'm going to second this, even though I don't work at an ISP (however, I do
> work with large amounts of syslog data).
> 
> If you want to keep things organized, it's better to keep the syslog files
> organized by service.

  i would cast my vote in the camp of it's better to keep the logfiles 
  organized however you find you really need to, or rather, in a way that
  involves you writing the least amount of scripts or infrastructure to
  find the information from those logfiles that you're going to end
  up referencing from them most commonly.

  for the OP's question of having each machine log to a separate file,
  without changing the facility/level on the remote machines, i believe
  that the stock openbsd syslogd does not provide a method for separating
  the output logfiles based on incoming host.

  syslog-ng is in ports, and it is a pretty recent version, and would provide
  the ability to write a file based on the incoming hostname ( it has a 
  couple built-in macros ).

  i'm not going to advocate syslog-ng any further than saying that if you
  find that you still choose to have individual log files per-host,
  it can do it.

  on the downside, you may have mixed feelings about running a core 
  service from ports.

-- 

  jared

[ openbsd 3.9-beta GENERIC ( jan 30 ) // i386 ]



Re: syslogd question

2006-02-10 Thread Mitch Parker
Craig,

I'm going to second this, even though I don't work at an ISP (however, I do
work with large amounts of syslog data).

If you want to keep things organized, it's better to keep the syslog files
organized by service.

When you've got data coming from a large amount of servers, you want to:

1.  Separate by service (ftp, ssh, mail, auth, etc.).
2.  Use any external processing systems sparingly, and test them heavily for
performance.
3.  Have your scripts separate the machines, if needed, by machine name.  Have
them process syslog data after it's received.

I'm using that setup and approach to handle data from approx. 20 commercial
UNIX machines and various network devices at one location, and 2 OpenBSD 3.8
boxes and a Windows Server 2003 machine at another.  It works very well.

Take care,

Mitch





-Original Message-
From: [EMAIL PROTECTED] on behalf of Craig Skinner
Sent: Fri 2/10/2006 4:45 PM
To: misc@openbsd.org
Subject: Re: syslogd question

On Fri, Feb 10, 2006 at 10:46:02AM -0600, [EMAIL PROTECTED] wrote:
> I am setting up an openbsd box to be the catcher for a couple of AIX boxes
to pitch their log files to.  Using the standard syslogd, I am wondering if I
can set it up so that each of the AIX boxes gets its own log file on the
openbsd box.  Something like /var/log/aix1.log and /var/log/aix2.log.
>
> Or, would it just be easier to throw everything into one file and use perl
to split out the two logs?
>
> I did a little googling around and found one page that looked like exactly
my answer but it was 404 and not in the google cache.
>
>

I work for an ISP and I think that the best way to handle this is not to
separate by machine, but by service.

ie: we have a farm of a dozen webservers, another dozen smtp servers, a
bunch of imap servers, dns,..

When a customer needs help, say logging into one of the ftp servers, I
can tail the auth logs & grep for their username. They could hit any one
of the boxes at a given time, so this way is the only practical
solution.

Also, if a dns zone is not being propagated, I can grep for the zone and
see what all of the servers are doing, with relevant time stamps.

If you need per machine, then just refine your grep.

Craig.



Re: syslogd question

2006-02-10 Thread Martin Schröder
On 2006-02-10 10:46:02 -0600, [EMAIL PROTECTED] wrote:
> I am setting up an openbsd box to be the catcher for a couple
> of AIX boxes to pitch their log files to.  Using the standard
> syslogd, I am wondering if I can set it up so that each of the
> AIX boxes gets its own log file on the openbsd box.  Something
> like /var/log/aix1.log and /var/log/aix2.log.

Use syslogng (it's in ports).

Best
Martin
-- 
http://www.tm.oneiros.de



Re: syslogd question

2006-02-10 Thread Craig Skinner
On Fri, Feb 10, 2006 at 10:46:02AM -0600, [EMAIL PROTECTED] wrote:
> I am setting up an openbsd box to be the catcher for a couple of AIX boxes to 
> pitch their log files to.  Using the standard syslogd, I am wondering if I 
> can set it up so that each of the AIX boxes gets its own log file on the 
> openbsd box.  Something like /var/log/aix1.log and /var/log/aix2.log.
> 
> Or, would it just be easier to throw everything into one file and use perl 
> to split out the two logs?
> 
> I did a little googling around and found one page that looked like exactly my 
> answer but it was 404 and not in the google cache.
> 
> 

I work for an ISP and I think that the best way to handle this is not to
separate by machine, but by service.

ie: we have a farm of a dozen webservers, another dozen smtp servers, a
bunch of imap servers, dns,..

When a customer needs help, say logging into one of the ftp servers, I
can tail the auth logs & grep for their username. They could hit any one
of the boxes at a given time, so this way is the only practical
solution.

Also, if a dns zone is not being propagated, I can grep for the zone and
see what all of the servers are doing, with relevant time stamps.

If you need per machine, then just refine your grep.

Craig.



Re: syslogd question

2006-02-10 Thread Christopher Linn
On Fri, Feb 10, 2006 at 12:54:28PM -0600, eric wrote:
> On Fri, 2006-02-10 at 10:46:02 -0600, [EMAIL PROTECTED] proclaimed...
> 
> > I am setting up an openbsd box to be the catcher for a couple of AIX boxes
> > to pitch their log files to.  Using the standard syslogd, I am wondering
> > if I can set it up so that each of the AIX boxes gets its own log file on
> > the openbsd box.  Something like /var/log/aix1.log and /var/log/aix2.log.
> 
> Sure, check out the man page for syslogd.conf(5).

syslog.conf(5)

-- 
Christopher Linn   | By no means shall either the CEC
System Administrator II   | or MTU be held in any way liable
  Center for Experimental Computation | for any opinions or conjecture I
Michigan Technological University | hold to or imply to hold herein.



Re: syslogd question

2006-02-10 Thread Peter
--- [EMAIL PROTECTED] wrote:

> On Fri, 10 Feb 2006, eric wrote:
> 
> > On Fri, 2006-02-10 at 10:46:02 -0600, [EMAIL PROTECTED]
> proclaimed...
> > 
> > > I am setting up an openbsd box to be the catcher for a couple of AIX
> boxes
> > > to pitch their log files to.  Using the standard syslogd, I am
> wondering
> > > if I can set it up so that each of the AIX boxes gets its own log
> file on
> > > the openbsd box.  Something like /var/log/aix1.log and
> /var/log/aix2.log.
> > 
> > Sure, check out the man page for syslogd.conf(5).
> > 
> 
> Um, maybe I am missing something but on my box, and the openbsd site
> there is no syslogd.conf man page.  There is a man 5 syslog.conf page
> and I have read it.  Didn't see anything that would apply to this
> question at all.  I also read man 8 syslogd and looked at the -a flag,
> wondering if that is where I want to be.  Is a logging socket the same
> as a log file?  And even if it is, I don't know how I would name the
> file -- unless it is like snort and uses the ip address.

Sounds like you want to set up a remote logging server.  The OpenBSD man
page is surprisingly incomplete in this area so I'm redirecting you over
to the FreeBSD site.

http://www.freebsd.org/cgi/man.cgi?query=syslog.conf&apropos=0&sektion=0&manpath=FreeBSD+5.4-RELEASE&format=html

Look for the '+' and '@' signs.

But you could have googled yourself.



Re: syslogd question

2006-02-10 Thread Stuart Henderson
On 2006/02/10 10:46, [EMAIL PROTECTED] wrote:
> Or, would it just be easier to throw everything into one file and
> use perl to split out the two logs?

FreeBSD has this, it works in a similar way to the per-program
selectors, I don't know how much work it would be to port across.

grep is another option, of course - even easier than Perl...



Re: syslogd question

2006-02-10 Thread jabbott
On Fri, 10 Feb 2006, eric wrote:

> On Fri, 2006-02-10 at 10:46:02 -0600, [EMAIL PROTECTED] proclaimed...
> 
> > I am setting up an openbsd box to be the catcher for a couple of AIX boxes
> > to pitch their log files to.  Using the standard syslogd, I am wondering
> > if I can set it up so that each of the AIX boxes gets its own log file on
> > the openbsd box.  Something like /var/log/aix1.log and /var/log/aix2.log.
> 
> Sure, check out the man page for syslogd.conf(5).
> 

Um, maybe I am missing something but on my box, and the openbsd site there is 
no syslogd.conf man page.  There is a man 5 syslog.conf page and I have read 
it.  Didn't see anything that would apply to this question at all.  I also read 
man 8 syslogd and looked at the -a flag, wondering if that is where I want to 
be.  Is a logging socket the same as a log file?  And even if it is, I don't 
know how I would name the file -- unless it is like snort and uses the ip 
address.

--ja   

-- 



Re: syslogd question

2006-02-10 Thread Nils.Reuvers
You could setup different facilities on the separate AIX boxes (local1,
local2, local3, etc..)

Then on your openbsd box add the following line to your syslogd.conf

#AIX box 1
local1.*	/var/log/aix1.log

#AIX box 2
local2.*	/var/log/aix2.log

Don't forget to update the syslogd entry in rc.conf. You must enable the
-u option.

Nils

-Original Message-
From: eric [mailto:[EMAIL PROTECTED] 
Sent: Friday 10 February 2006 19:54
To: [EMAIL PROTECTED]
Cc: misc@openbsd.org
Subject: Re: syslogd question

On Fri, 2006-02-10 at 10:46:02 -0600, [EMAIL PROTECTED] proclaimed...

> I am setting up an openbsd box to be the catcher for a couple of AIX 
> boxes to pitch their log files to.  Using the standard syslogd, I am 
> wondering if I can set it up so that each of the AIX boxes gets its 
> own log file on the openbsd box.  Something like /var/log/aix1.log and
/var/log/aix2.log.

Sure, check out the man page for syslogd.conf(5).






Re: syslogd question

2006-02-10 Thread eric
On Fri, 2006-02-10 at 10:46:02 -0600, [EMAIL PROTECTED] proclaimed...

> I am setting up an openbsd box to be the catcher for a couple of AIX boxes
> to pitch their log files to.  Using the standard syslogd, I am wondering
> if I can set it up so that each of the AIX boxes gets its own log file on
> the openbsd box.  Something like /var/log/aix1.log and /var/log/aix2.log.

Sure, check out the man page for syslogd.conf(5).



syslogd question

2006-02-10 Thread jabbott
I am setting up an openbsd box to be the catcher for a couple of AIX boxes to 
pitch their log files to.  Using the standard syslogd, I am wondering if I can 
set it up so that each of the AIX boxes gets its own log file on the openbsd 
box.  Something like /var/log/aix1.log and /var/log/aix2.log.

Or, would it just be easier to throw everything into one file and use perl to 
split out the two logs?

I did a little googling around and found one page that looked like exactly my 
answer but it was 404 and not in the google cache.

Thanks!

--ja

--
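The "one file, then split it afterwards" route the OP asks about (and the "refine your grep" alternative Craig and Stuart mention), as an added example that is not from anyone in this thread: a small sh/awk splitter for the stock BSD syslog line format, with constructed sample lines. Because the host field is whatever the remote sender put on the wire, the splitter whitelists it before turning it into a filename and keeps anything it cannot parse in a separate file instead of dropping it; the function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): split a combined syslog file into
# per-host files, or pull one host's lines out of it, with plain sh and awk.

# Constructed sample lines in the stock BSD syslog file format; not real data.
sample_log() {
    printf '%s\n' \
      'Feb 10 10:46:02 aix1 sshd[1234]: Accepted publickey for ja from 192.0.2.10' \
      'Feb 10 10:46:03 aix2 su: ja to root on /dev/pts/0' \
      'Feb 10 10:46:04 aix1 ftpd[77]: connection from 192.0.2.20' \
      'Feb 10 10:46:05 aix2 sshd[99]: Failed password for root from 198.51.100.7' \
      'Feb 10 10:46:06 ../evil sshd[1]: a host field must never become a path' \
      'garbage that is not a syslog line at all'
}

# split_by_host INPUT OUTDIR
# Each "Mon DD HH:MM:SS host ..." line goes to OUTDIR/<host>.log. The host
# field is whatever syslogd recorded for the sender (name or IP), so it is
# whitelisted to [A-Za-z0-9._-] before being used in a filename; lines that
# fail the checks land in OUTDIR/unparsed.log rather than being lost.
split_by_host() {
    mkdir -p "$2" || return 1
    awk -v out="$2" '
        $1 ~ /^[A-Z][a-z][a-z]$/ && $2 ~ /^[0-9]+$/ &&
        $3 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ &&
        $4 ~ /^[A-Za-z0-9._-]+$/ {
            f = out "/" $4 ".log"
            print >> f
            close(f)        # reopen per line: no per-host descriptor pile-up
            next
        }
        { print >> (out "/unparsed.log"); close(out "/unparsed.log") }
    ' "$1"
}

# host_lines INPUT HOST: the grep alternative, matched on the host field only
# so a hostname that merely appears inside a message body is not picked up.
host_lines() {
    awk -v h="$2" '$4 == h' "$1"
}

# lines_in FILE: line count without the padding wc -l adds on some systems
lines_in() {
    grep -c '' "$1"
}

# Demo on the constructed sample, under a fresh temporary directory
demo=$(mktemp -d)
sample_log > "$demo/messages"
split_by_host "$demo/messages" "$demo/out"
host_lines "$demo/messages" aix2
```

On a real box the input would be the combined file syslogd writes (e.g. /var/log/messages) and OUTDIR a directory only the log reader needs to see; run it from cron after newsyslog rotates the file so each line is split exactly once.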