2.10. syslog tuning tips

syslog can forward log messages from any number of programs over a network. The less often this occurs, the larger the pending transaction is likely to be. If the transaction is very large an I/O spike can occur. To prevent this, keep the interval reasonably small.

Using syslogd for system logging.

The system logging daemon, called syslogd, is used to collect messages from a number of different programs. It also collects information reported by the kernel from the kernel logging daemon klogd. Typically, syslogd will log to a local file, but it can also be configured to log over a network to a remote logging server.
  1. To enable remote logging, you will first need to configure the machine that will receive the logs. syslogd uses configuration settings defined in the /etc/sysconfig/syslog and /etc/syslog.conf files. To instruct syslogd to receive logs from remote machines, open /etc/sysconfig/syslog in your preferred text editor and locate the SYSLOGD_OPTIONS= line.
    # Options to syslogd
    # -m 0 disables 'MARK' messages.
    # -r enables logging from remote machines
    # -x disables DNS lookups on messages recieved with -r
    # See syslogd(8) for more details
    ...[output truncated]...
  2. Append the -r parameter to the options line:
    SYSLOGD_OPTIONS="-m 0 -r"
  3. Once remote logging support is enabled on the remote logging server, each system that will send logs to it must be configured to send its syslog output to the server, rather than writing those logs to the local filesystem. To do this, edit the /etc/syslog.conf file on each client system. For each of the various logging rules defined in that file, you can replace the local log file with the address of the remote logging server.
    # Log all kernel messages to remote logging host.
    kern.*     @my.remote.logging.server
    The example above will cause the client system to log all kernel messages to the remote machine at @my.remote.logging.server.
  4. It is also possible to configure syslogd to log all locally generated system messages, by adding a wildcard line to the /etc/syslog.conf file:
    # Log all messages to a remote logging server:
    *.*     @my.remote.logging.server


Note that syslogd does not include built-in rate limiting on its generated network traffic. Therefore, we recommend that remote logging on MRG Realtime systems be confined to only those messages that are required to be remotely logged by your organization. For example, kernel warnings, authentication requests, and the like. Other messages should be locally logged instead.
Related Manual Pages
For more information, or for further reading, the following man pages are related to the information given in this section.
  • syslog(3)
  • syslog.conf(5)
  • syslogd(8)