SUMMARY: Best practices: Logging syslog msgs to central loghost

Ken Rossman rossman at columbia.edu
Wed Jun 29 10:41:34 EDT 2005


Many thanks to:

   Rob Foehl, Chris Ruhnke, Peter Kunst, Michael Grice, Brad Morrison,
   Jamie Walker, Alan Pae, Rob Windsor, Martin Wheatley, Ronny Martin,
   and Mike Demarco

for all of your excellent input on my syslog server query.

To summarize in brief, I asked about the impact and "gotchas" surrounding
using a central syslog server, if I should worry about the system and
network load generated, and how many different types of messages I should
log to the central server.

Almost unanimously, the response was that syslog messages going to a
single central server did not present anything close to a heavy system
or network load, even in a large, multi-system environment.

The biggest issue in a larger multi-system environment seemed to be
disk space management, and management of log rotation.  There are good
tools for doing this, and many folks had the syslog messages broken
down by category and stuffed into databases for later retrieval.
One syslog management tool that was mentioned was SMT:

   http://www.dangermen.com/smt/

Other helpful comments and suggestions included:

- Use "syslog-ng"!  This is a very nice rewrite of the syslog daemon
   facility which has many very useful features embedded in it.

- Set up log file rotations!  Rotate daily in a "busy" environment.

- Be sure to log critical messages both at the local host and the remote
   loghost, to ensure the message really gets logged *somewhere*.
   Network problems could cause loss of messages.

- Carefully consider whether you want to remotely log auth messages,
   as sometimes a user may type their password in the place of where
   the user ID should go, and that password would be transmitted in
   plaintext over the wire, in "snoop-ready form".

- If things are indeed quite busy where you are, set up a separate
   management network to send the syslog messages over.


Thanks again to all who replied!

Ken Rossman
rossman at columbia.edu
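
The suggestions in the list above, sketched as a client-side syslog-ng configuration. This is an added example, not part of the original post or any respondent's setup. The host name loghost.example.org, the file paths, and the source/filter/destination names are assumptions, and the @version header for the installed syslog-ng release is omitted.

```conf
# Added example: client-side syslog-ng configuration (names and paths are assumptions).
# Prepend the "@version:" line that matches the installed syslog-ng release.

# Local messages from the platform's native log sources plus syslog-ng itself.
source s_local { system(); internal(); };

# Critical and worse, so these can be written locally as well as remotely.
filter f_critical { level(crit..emerg); };

# Auth traffic, which may contain a password typed into the user ID field.
filter f_auth     { facility(auth, authpriv); };
filter f_not_auth { not facility(auth, authpriv); };

# Local copies. Rotate these files daily on a busy host.
destination d_local_critical { file("/var/log/critical.log"); };
destination d_local_auth     { file("/var/log/auth.log" perm(0600)); };

# Central loghost over UDP. Point this name at the loghost's address on a
# separate management network if one is available.
destination d_loghost { udp("loghost.example.org" port(514)); };

# 1. Critical messages always land on local disk, so a network problem
#    cannot lose them entirely.
log { source(s_local); filter(f_critical); destination(d_local_critical); };

# 2. Auth messages stay on the local host and are never sent in plaintext
#    over the wire.
log { source(s_local); filter(f_auth); destination(d_local_auth); };

# 3. Everything except auth goes to the central loghost. Critical non-auth
#    messages therefore end up both locally (rule 1) and remotely.
log { source(s_local); filter(f_not_auth); destination(d_loghost); };
```

Running `syslog-ng --syntax-only -f <file>` checks the configuration before the daemon is restarted.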


