Logging systems messages to a remote loghost server

djr111

Technical User
Aug 5, 2006
357
US
Since working with syslog is as enjoyable as getting teeth pulled out without the drugs, I thought I would ask for input and help on what I am doing...


I have a dedicated loghost server set up, and I'm in the process of configuring all the other hosts to send their messages to my loghost. My questions are:

1) Even though my loghost server is receiving logs as it should from hosts configured to send to it, they are getting sent to /var/adm/messages. Is there a way to change that?

2) What suggestions do any of you have on the priorities that should be in place to capture that happy medium of info?

Even though, below, I believe it is supposed to send it to /var/log/syslog, it does not; instead it gets put into /var/adm/messages on my loghost server.


entry in /etc/syslog.conf.....


*.info;mail.none ifdef(`LOGHOST', /var/log/syslog, @myskool.ca.edu)



thanks
David
 
Regarding 1) I could never figure out a way to do that. The standard syslog found on most flavours of Unix is so lacking in configurability (is that a word) I hardly see why they bothered with a configuration file. :) You'd think it'd be an obvious thing to include to allow you to filter by the source host. I'd recommend either setting up a Linux box with a fancier syslogd, or perhaps replacing the one on Solaris with another more flexible one for your loghost.

For 2), did you create the log file first (syslogd won't do that), and did you kill -HUP or restart syslogd to pick up the configuration changes? Note that you can use logger -p facility.level "a test message" to conveniently test your rules.

Annihilannic.
 
Hi Annihilannic,


I put a workaround in for question 1.

For question 2,

as of now, my systems are logging as I expect them to the loghost. The thing is, some servers send it to /var/log/syslog, others (most) to /var/adm/messages. For the damn of me I do not know why; they all have the exact same configs.



I guess if I want to really do this right, I would use syslog-ng instead.


thanks
David
 
1) Care to share it with us?

2) Are exactly identical messages from different systems getting sent to the different log files? By identical I mean having the same facility and level?

What has exactly the same configs... the different servers? Or the /var/adm/messages and /var/log/syslog files in /etc/syslog.conf? Some examples of the messages that are behaving unexpectedly and copies of the two relevant lines from syslog.conf would help...

Annihilannic.
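
An added example, not part of any post in this thread: a small matcher for syslog.conf selectors showing how a message's facility and level decide which file it lands in when two rules are present, which is the point of the question about identical facility and level. The first rule in the sample is an assumed /var/adm/messages rule constructed for illustration, the function names are hypothetical, and the m4 step is mimicked with a regex rather than by running m4.

```python
import re

# syslog severities, most severe first; "x.level" selects that level and above.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
IFDEF = re.compile(r"ifdef\(`LOGHOST',\s*([^,]+),\s*([^)]+)\)")

# Constructed sample: line 1 is an assumed rule, line 2 is the one from the thread.
SAMPLE_CONF = """\
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
*.info;mail.none ifdef(`LOGHOST', /var/log/syslog, @myskool.ca.edu)
"""

def expand(line, is_loghost):
    """Mimic the m4 pass: first branch if LOGHOST is defined, else second."""
    return IFDEF.sub(lambda m: m.group(1 if is_loghost else 2).strip(), line)

def selector_matches(selectors, facility, level):
    """Apply ';'-separated selectors left to right; a later one overrides."""
    hit = False
    for sel in selectors.split(";"):
        facs, _, lvl = sel.rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        # "none" switches the facility off for this rule.
        hit = lvl != "none" and LEVELS.index(level) <= LEVELS.index(lvl)
    return hit

def destinations(conf, facility, level, is_loghost):
    """Return every action (file or @host) a facility.level message reaches."""
    out = []
    for raw in conf.splitlines():
        line = expand(raw.strip(), is_loghost)
        if not line or line.startswith("#"):
            continue
        # Whitespace split for the sample; check the separator your syslogd needs.
        selectors, action = line.split(None, 1)
        if selector_matches(selectors, facility, level):
            out.append(action.strip())
    return out

if __name__ == "__main__":
    for fac, lvl in [("daemon", "notice"), ("daemon", "info"), ("kern", "debug")]:
        print(fac, lvl, destinations(SAMPLE_CONF, fac, lvl, is_loghost=True))
```

Feeding it the real syslog.conf from a loghost and the facility.level of a message that landed in the unexpected file shows which rule claimed it; logger -p can then confirm the result on the live system.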
 
Hi Annihilannic,

My workaround is nothing big; with a script I'm just creating a temporary landing spot to concat the two files together, then pulling out the data I need.

What I mean by the same config is only that I am using the same entries in the /etc/syslog.conf.

I'm not really sure it is worth the time since I was able to achieve my goal with workarounds.

thanks
David
 