Monday, January 02, 2006

Syslog - Centralize your logs

This artice was posted here

Here is a tip to make your machine save logs to a remote machine (remote_mc) instead of logging locally. For this to succeed, you have to make changes to both the remote machine which accepts the logs on behalf of your local machine as well as the local machine itself.

On the remote machine enable remote logging
Set up syslogd to accept remote messages. Edit the /etc/sysconfig/syslog file and insert the following line:

#File: /etc/sysconfig/syslog

The file is liberally commented. -r means to enable remote logging and '-m 0' means to disable "MARK" messages.

Restart syslogd
# service syslog restart

Now the machine (remote machine) will accept logging messages from other machines.

On your local machine which sends the logging message
Edit the /etc/syslog.conf file to direct the logging messages to the remote machine (remote_mc).

#File: /etc/syslog.conf
*.emerg;user.*;kern.err @remote_mc

Here I have chosen to send all emergency messages, all user program generated logs and any kernel errors to be logged at the remote machine.

Lastly for the changes to take effect, restart the syslog daemon on your local machine.
# service syslog restart

Note: This tip is applicable to RedHat based systems but also can be used for debian based systems with some modifications.

Testing your setup
Generate a log message on your local machine using the logger command:

$ logger -i -t ravi "I am just testing this. This message can be ignored."

logger is a shell command which makes entries in the system log. It provides a shell interface to the syslog system log module. In the above command, -i logs the process ID of the logger process on each line. And -t option tags every line in the log with my name.

Now go and check on the remote machine (remote_mc) to see if the logs have been generated.

remote_mc $ cat /var/log/messages | grep ravi

No comments: