Hi,
If I set up my syslogd server to accept incoming logs, how can I specify what actions to take when logs come in from a specific host?
Like if PC1 sends me some mail logs and then sends me some kernel logs,
how can I handle each individual type of log separately?
Thanks,
Use syslog-ng or something similar. It's amazing how incapable plain syslog on Linux is. Not only does it transmit logs via UDP to the loghost, so if the network is congested you will lose log messages randomly, but sorting messages via the log facilities (auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, syslog, user, uucp, local0..local7) and log levels (debug, info, notice, warn, err, crit, alert, emerg) is also just ridiculously inflexible. Few programs let you actually specify what level or facility to use, so that a few files get cluttered with all sorts of different log messages. There are log parsers (logcheck comes to mind) that will sort through this mess and mail you detailed reports of things that have been happening, but you might as well spend the time you need to configure such a program on setting up a decent syslogger like syslog-ng.
This allows TCP connections to your loghost (using stunnel you can even encrypt the connection). Also, the syslog-ng.conf file has a very straightforward syntax for setting up filters that use regular expressions to sort the messages into various files, store them in a database, mail them out, send an SMS in case of an emergency or whatever you need it to do. The syslog-ng homepage has a short manual that gives you a good overview and should get you started quickly.
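As an added illustration of the per-host and per-facility sorting described in this answer (this is example configuration written for this thread, not taken from the syslog-ng manual or the original post), here is a loghost syslog-ng.conf that accepts TCP and UDP on port 514, routes PC1's mail and kernel messages into their own files, pages on anything critical or worse, and files everything else by sending host and facility. The host name PC1, the directory /var/log/remote, the 192.0.2.0/24 client range and the /usr/local/bin/page-oncall script are assumed values for the example; the @version line is for syslog-ng 3.x and is dropped on 2.x.

```conf
# Example loghost configuration (constructed for this answer).
@version: 3.0

options {
    keep_hostname(yes);     # trust the HOST field the client sent, so $HOST is the sender
    chain_hostnames(no);    # do not prepend the relay's own name to $HOST
    create_dirs(yes);       # let file() destinations create /var/log/remote/<host>/
};

# Accept remote messages on TCP (reliable) and UDP (for clients that cannot do TCP).
source s_net {
    tcp(ip(0.0.0.0) port(514));
    udp(ip(0.0.0.0) port(514));
};

# host() is a regular expression on the HOST field. If clients log by address
# rather than name, netmask("192.0.2.0/24") can be used instead.
filter f_pc1  { host("^PC1$"); };
filter f_mail { facility(mail); };
filter f_kern { facility(kern); };
filter f_crit { level(crit..emerg); };

destination d_pc1_mail { file("/var/log/remote/PC1/mail.log"); };
destination d_pc1_kern { file("/var/log/remote/PC1/kern.log"); };
destination d_by_host  { file("/var/log/remote/$HOST/$FACILITY.log"); };
destination d_page     { program("/usr/local/bin/page-oncall"); };  # hypothetical alerting script

# Several filter() statements in one log path are ANDed together.
# flags(final) stops a matched message from also landing in the catch-all below.
log { source(s_net); filter(f_pc1); filter(f_mail); destination(d_pc1_mail); flags(final); };
log { source(s_net); filter(f_pc1); filter(f_kern); destination(d_pc1_kern); flags(final); };

# Alerting path has no final flag, so a critical message is both paged and filed.
log { source(s_net); filter(f_crit); destination(d_page); };

# Catch-all: one file per sending host and facility.
log { source(s_net); destination(d_by_host); };
```

Because keep_hostname(yes) makes routing depend on the host name the client puts in the message, a client on the network can claim to be PC1; pairing host() with netmask() on the expected source range, or carrying the connection over stunnel as the answer suggests, keeps the per-host files trustworthy.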