On Thu, Dec 22, 2005 at 10:40:51AM -0800, Mark wrote:
>> 1.) A centralized logging server (ie. syslog). Have Apache log to
>> that and then parse the logs from there.
>How do you want to do that? NFS? Is it worth doing that? Why do you want to
>switch from #2 to #1?
You tell syslog or syslog-ng to log to a remote network source instead
of or in addition to a local file on each of the real servers, then on
the central logging server configure it to listen for incoming network
log info and tell it where to put it.

Here's a syslog-ng master server config:

options {
    long_hostnames(off);
    sync(0);

    # The default action of syslog-ng 1.6.0 is to log a STATS line
    # to the file every 10 minutes. That's pretty ugly after a
    # while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };
source net { udp(); };

filter f_authpriv { facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_ldap { facility(local4); };
filter f_mail { facility(mail); };
filter f_messages { level(info .. warn)
    and not facility(auth, authpriv, cron, mail, local4); };

destination authlog { file("/var/log/auth.log"); };
destination cron { file("/var/log/cron"); };
destination ldap_net { file("/disk1/log/slapd.log"); };
destination mail_net { file("/disk1/log/maillog"); };
destination mail { file("/var/log/maillog"); };
destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references
# /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(net); filter(f_ldap); destination(ldap_net); };
log { source(src); filter(f_mail); destination(mail); };
log { source(net); filter(f_mail); destination(mail_net); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); destination(console_all); };

Here's a client that logs maillog locally and to a remote syslog server:

options {
    long_hostnames(off);
    sync(0);
    stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

filter f_authpriv { facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_mail { facility(mail); };
filter f_messages { level(info .. warn)
    and not facility(auth, authpriv, cron, mail); };
filter f_monitoring { not match("(did not issue)|(10.100.100.15)"); };

destination authlog { file("/var/log/auth.log"); };
destination cron { file("/var/log/cron"); };
destination mail { file("/var/log/maillog"); udp("10.100.100.250"); };
destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_mail); filter(f_monitoring);
    destination(mail); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); destination(console_all); };

Here's a client that logs ldap only to a remote syslog server:

options {
    long_hostnames(off);
    sync(0);
    stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

filter f_authpriv { facility(auth, authpriv); };
filter f_cron { facility(cron); };
filter f_ldap { facility(local4); };
filter f_mail { facility(mail); };
filter f_messages { level(info .. warn)
    and not facility(auth, authpriv, cron, mail, local4); };

destination authlog { file("/var/log/auth.log"); };
destination cron { file("/var/log/cron"); };
destination ldap { udp("10.100.100.250"); };
destination mail { file("/var/log/maillog"); };
destination messages { file("/var/log/messages"); };

# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_ldap); destination(ldap); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); destination(console_all); };

--
Regards... Todd
I've visited conferences where the wireless LAN was deemed "secure" by
the organisation because they had outlawed sniffers. --Neils Bakker
Linux kernel 2.6.12-12mdksmp 3 users, load average: 0.00, 0.03, 0.01
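
Added example, not part of Todd's message: a small Python model of the log paths in the configs above. It shows which lines the mail client forwards (its f_monitoring pattern) and which file the master writes a network message to, based only on the facility in the <PRI> header. The sample log lines, the timestamp and the hostname mx1 are constructed, the function names are hypothetical, and Python's re module stands in for syslog-ng's match().

```python
import re

# Facility and severity numbers from the BSD syslog protocol (RFC 3164).
FACILITY = {"mail": 2, "auth": 4, "cron": 9, "authpriv": 10, "local4": 20}
SEVERITY = {"warn": 4, "info": 6, "debug": 7}
# Master config: source(net) is only routed for f_ldap (local4) and f_mail.
MASTER_NET_ROUTES = {FACILITY["local4"]: "/disk1/log/slapd.log",
                     FACILITY["mail"]: "/disk1/log/maillog"}
# Pattern copied from the mail client's f_monitoring filter.
F_MONITORING = re.compile(r"(did not issue)|(10.100.100.15)")


def datagram(facility, severity, text, host="mx1"):
    """Build the UDP payload a client sends: <PRI>, timestamp, host, message."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    # Timestamp and host are constructed sample values.
    return f"<{pri}>Dec 22 10:40:51 {host} {text}".encode()


def mail_client_forwards(text):
    """Mail client log path: f_monitoring is 'not match(...)', so a hit drops the line."""
    return F_MONITORING.search(text) is None


def master_file(payload):
    """Return the file the master writes a network message to, or None if no path matches."""
    m = re.match(rb"<(\d{1,3})>", payload)
    if m is None:
        return None  # simplification: messages without a PRI are not modelled
    facility, _severity = divmod(int(m.group(1)), 8)
    return MASTER_NET_ROUTES.get(facility)


# Constructed sample lines (not from the original post).
SAMPLES = [
    ("local4", "debug", "slapd[311]: conn=12 op=0 BIND method=128"),
    ("mail", "info", "postfix/smtpd[402]: connect from unknown[10.100.100.20]"),
    ("mail", "info", "postfix/smtpd[403]: connect from unknown[10.100.100.15]"),
    ("mail", "info", "postfix/smtpd[404]: connect from unknown[10.100.100.150]"),
    ("authpriv", "info", "sshd[500]: Accepted publickey for todd"),
]

if __name__ == "__main__":
    for fac, sev, text in SAMPLES:
        # Only the mail client applies f_monitoring before sending.
        sent = fac != "mail" or mail_client_forwards(text)
        dest = master_file(datagram(fac, sev, text)) if sent else None
        print(f"{fac:9} -> {dest or 'not stored on master'} | {text}")
```

Because the dots in the f_monitoring pattern are unescaped and the pattern is unanchored, the line from 10.100.100.150 is dropped along with the one from 10.100.100.15. The authpriv line shows that a network message in a facility other than local4 or mail matches no log path on the master.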