Syslog best practice
 
Home Help Login Register
*
Welcome, Guest. Please login or register. January 09, 2009, 10:34:40 PM


Login with username, password and session length


Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: Syslog best practice  (Read 1480 times)
0 Members and 1 Guest are viewing this topic.
wwells
Full Member
***
Posts: 18
« Reply #3 on: May 31, 2007, 01:36:09 AM »
Generally, I like to set up three entries:

*.warning;auth.none   /var/adm/syslog
auth.info                   /var/adm/authlog
*.info                       @loghost

The first logs everything at warning level or higher for all facilities except authentication messages in a local file. You would adjust the level based on your general needs or perhaps break it down into individual facilities.

The second logs auth events at info level or higher. The permissions on the authlog file get set much more restricted that on the general syslog file.

Finally, everything at info level or higher gets sent to a remote syslog server.

The key to this configuration is that the remote syslog server needs to have a big disk area to store a lot of messages (especially at a large site) and you need to have very good file rotation and archiving configured on it.
Logged
Michael
Administrator
Hero Member
*****
Posts: 539
« Reply #2 on: May 24, 2007, 08:41:20 AM »
I agree that it is hard to know what is really necessary ahead of time. A lot is probably personal preference. And personally I dont like the amount of information lost when switching to .warn level.

The logs sources I like best (rather than *) are mqueue (which is where most seem to post), auth (for login messages), and local4 (used by the ipsec filter programs) and local7 (which I use with a modified version of tcp_wrapper; by default tcp_wrapper uses mqueue). daemon is very useful when debugging named and dhcp services.

I won't call it best practice, but I have several files - sometimes two for one queue, to have a .info/.debug level of detail, and a .warn for a longer history.

What I do consider a best practice is to have a separate filesystem for the logs (I use /logs). You dont want a regular filesystem blocking because your logs are generating too much information. And if I recall correctly, syslog stops writing log information if a file system gets too full. (I recall reading that somewhere).
Logged
ValentineSmith
Full Member
***
Posts: 29
« Reply #1 on: May 22, 2007, 10:08:57 PM »
There is no "best" configuration.
This is very site specific.
I would recommend starting with

*.debug     /var/adm/messages

and work your way up the severity levels.
If "debug" is too verbose, try "warning" or "err".
Logged
lson
Registered
*
Posts: 1
« on: May 22, 2007, 01:17:24 PM »
Do anyone of you have a good working syslog configuration that create just enough information for a working day to day administration (Best Practice).

/Lars
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.2 | SMF © 2006-2007, Simple Machines LLC

Valid XHTML 1.0! Valid CSS! Dilber MC Theme by HarzeM
Page created in 3.2 seconds with 18 queries.

FastPath

HowTo
New in AIX6
RBAC
Security
WPAR
Service Bulletins

InfoCenters

AIX 6.1
AIX 5.3
AIX 5.2
AIX 5.1
- - - - - - -
Fix Central
HMC Downloads
IBM Firmware/LIC
VIOS Support
- - - - - - -
Hardware Documents
PowerHA (HACMP)
Tivoli Manuals
- - - - - - -
IBM Training



eXTReMe Tracker
Terms of Use and Privacy and Security Policies
Copyright 2001-2008 Michael Felt and ROOTVG.NET