Syslog testing
I want to do some testing with syslog and do some fine tuning of the logging. Which approach sounds more reasonable, collecting by facility or collecting by level/priority? For example:
auth.* /var/log/auth_messages
kern.* /var/log/kern_messages
daemon.* /var/log/daemon_messages
and so forth
OR
*.=alert /var/log/alert_messages
*.=err /var/log/error_messages
*.=warning /var/log/warning_messages
As always, for those that have "been there, done that" and have your horror stories or valuable insight to offer, I am all ears. :)
Responses
Hiya,
Personally, I'd say this comes down to what information you want to be able to capture. My preference is to collect by facility, because it suited my style of reporting to the business, during my admin days.
You may also want to check out https://access.redhat.com/blogs/759303/posts/880333 where we announced the Red Hat Access Labs Log Analyser: https://access.redhat.com/labs/logreaper/
There are also some third party log analyzer tools that negate the need to split your log, by providing more granular reports.
vbr mark
It's totally up to you. Having worked in the RH world since Fedora Core 1, I'm partial to the standard locations and then I customize as needed for particular applications.
Keep in mind that rsyslog (available in every supported version of RHEL, including RHEL5) is completely customizable -- you can filter by combination of facility, priority, application name, message content, etc etc. (See man rsyslog.conf or Filter Conditions doc.)
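To make the difference between the two rule sets from the question concrete, here is an added example (not code from the thread or from rsyslog) that decodes the `<PRI>` header of constructed syslog lines (PRI = facility * 8 + severity, the standard syslog numbering) and applies the question's selectors with syslog.conf semantics: `facility.level` matches that level and anything more severe, `facility.=level` matches exactly that level. The sample lines and file paths are constructed; comma-separated facility lists and `none` are deliberately not handled.

```python
import re

# Standard syslog facility and severity codes (lower severity number = more severe).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# The two rule sets from the question, as (selector, destination) pairs.
BY_FACILITY = [("auth.*", "/var/log/auth_messages"),
               ("kern.*", "/var/log/kern_messages"),
               ("daemon.*", "/var/log/daemon_messages")]
BY_PRIORITY = [("*.=alert", "/var/log/alert_messages"),
               ("*.=err", "/var/log/error_messages"),
               ("*.=warning", "/var/log/warning_messages")]

def decode_pri(line):
    """Return (facility, severity) from the leading <PRI> of a syslog line."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line)
    pri = int(m.group(1))
    return pri // 8, pri % 8

def selector_matches(selector, facility, severity):
    """Apply one 'facility.level' selector; '*' is a wildcard, '=level' is exact."""
    fac_part, sev_part = selector.split(".", 1)
    if fac_part != "*" and FACILITIES[fac_part] != facility:
        return False
    if sev_part == "*":
        return True
    if sev_part.startswith("="):
        return severity == SEVERITIES[sev_part[1:]]
    return severity <= SEVERITIES[sev_part]   # this level and anything more severe

def route(line, rules):
    """Return the list of destination files a line would be written to under rules."""
    facility, severity = decode_pri(line)
    return [path for sel, path in rules if selector_matches(sel, facility, severity)]

# Constructed sample lines: auth.info (PRI 38), kern.err (PRI 3), cron.err (PRI 75).
SAMPLE_LINES = [
    "<38>Jan  1 10:00:00 host sshd[1234]: Failed password for invalid user x",
    "<3>Jan  1 10:00:01 host kernel: EXT4-fs error (device sda1)",
    "<75>Jan  1 10:00:02 host crond[99]: failed to open /etc/crontab",
]
```

Running `route()` over the samples shows the trade-off: the facility rules keep the auth.info failed-login line but drop cron.err, while the exact-priority rules keep cron.err but silently drop the auth.info line, so neither set alone captures both.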
