[Speakers] Re: Centralized Logging

Adam Tauno Williams adam at morrison-ind.com
Tue Feb 14 10:07:38 EST 2006


> > > > Today I setup centralized logging to a PostgreSQL database,  all the
> > > > servers still log to /var/log as normal but they also send their messages
> > > > to a central server.  Works with both old syslog and new syslog-ng boxes as
> > > > long as the central server is syslog-ng  (I just used the same DB instance
> > > > as my OpenNMS service).
> > > > Anyone interested in this as a presentation?
> > > I'd be interested. I have logs going to a central logging server, but
> > > not to a database.
> > Okay,  I'll update my logging presentation and throw it on the schedule
> > at some point.
> Just curious, but what's the advantage(s) of logging to a database over
> standard syslogd text files?  i.e. Why did you do this?

Easier to manage and search mostly.  I left the regular log files in
place,  being rotated by the log rotator.  Having it in a database means
it is really easy to search, from something like an intranet page etc...
without having to worry about gaining access to the log file.  The
hostname/facility/level are broken out into separate columns and you
have real date/time values.  Makes it easy to count how many times a
given message appears in one day, etc...  for reporting infected messages
quarantined, etc...

Another instance is the occasional user call whining about how they sent
some e-mail message and the other end claims they never got it.   Making
them shut up might require multiple greps of log files on multiple
hosts;  now it is "SELECT * FROM logs WHERE facility = 'mail' AND host
IN ('firewall','sardine','gourd-amber') AND message LIKE ('%
yourstupidfriend at yahoo.com%')"  Then I can tell them that, yep,  the
message went through just fine, both you and your friend are idiots.

[BTW, the message *ALWAYS* goes through just fine,  but users are
frequently convinced that the system 'lost it'.  My favorite was the
furious arm-waving user who had set their SIEVE filter to delete ALL
incoming mail.  I think there is an inverse correlation between how
angry a user becomes when something appears not to work and the
probability that indeed something did not work.]

But you really want to index that table as it appears we generate
250,000+ log messages a day.  So if I keep data for 30 days that will be
~7.5 million records.  Wow.
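An added example (not from Adam's post or his setup) of the schema and queries the message describes: syslog lines split into host/facility/level/timestamp columns, an index over the usual search keys, the "did the mail go through" query across several hosts, and a per-day count. It uses an in-memory SQLite table instead of PostgreSQL/syslog-ng so it runs stand-alone; the sample lines, the 2006 year and the hostnames are constructed.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample lines in classic BSD syslog form: <PRI> then "Mon DD HH:MM:SS host tag: msg".
# Facility and severity are packed into PRI as facility * 8 + severity (RFC 3164).
SAMPLE_LINES = [
    "<22>Feb 14 09:58:01 firewall postfix/smtp[1234]: to=<yourstupidfriend@yahoo.com>, status=sent",
    "<22>Feb 14 09:58:02 sardine postfix/qmgr[222]: from=<bob@example.org>, size=512",
    "<38>Feb 14 09:59:10 gourd-amber sshd[333]: Failed password for root from 10.0.0.5",
    "<22>Feb 13 23:10:00 sardine postfix/smtp[444]: to=<yourstupidfriend@yahoo.com>, status=sent",
]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog"}
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LINE_RE = re.compile(r"<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)")
YEAR = 2006  # BSD syslog timestamps carry no year; assumed for the constructed sample


def parse(line):
    """Split one syslog line into (timestamp, host, facility, level, message) columns."""
    pri, stamp, host, msg = LINE_RE.match(line).groups()
    pri = int(pri)
    ts = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return (ts.isoformat(sep=" "), host, FACILITIES.get(pri // 8, str(pri // 8)), LEVELS[pri % 8], msg)


def load(lines):
    """Build an in-memory logs table with an index covering the usual search keys."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (ts TEXT, host TEXT, facility TEXT, level TEXT, message TEXT)")
    conn.execute("CREATE INDEX logs_search ON logs (facility, host, ts)")
    conn.executemany("INSERT INTO logs VALUES (?, ?, ?, ?, ?)", (parse(l) for l in lines))
    return conn


def find_mail(conn, hosts, address):
    """The 'did the message go through' query. The address is bound as a parameter,
    so a value typed into an intranet search page cannot change the SQL itself."""
    marks = ",".join("?" * len(hosts))
    sql = (f"SELECT ts, host, message FROM logs WHERE facility = 'mail' "
           f"AND host IN ({marks}) AND message LIKE '%' || ? || '%' ORDER BY ts")
    return conn.execute(sql, (*hosts, address)).fetchall()


def count_per_day(conn, pattern):
    """How many times a message pattern appears per day, for the kind of daily report mentioned."""
    rows = conn.execute("SELECT substr(ts, 1, 10), count(*) FROM logs WHERE message LIKE '%' || ? || '%' "
                        "GROUP BY 1 ORDER BY 1", (pattern,)).fetchall()
    return dict(rows)
```

Note that `%` and `_` inside the bound value are still LIKE wildcards, so a search form should escape them (or use an `ESCAPE` clause) if exact matching matters.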