HP Linux Server Management Software User Manual

Table 3-2 syslog Facilities Messages (continued)

Message               Description
LOG_NEWS              USENET news subsystem.
LOG_SYSLOG            Messages generated internally by syslogd.
LOG_USER (default)    Generic user-level messages.
LOG_UUCP              UUCP subsystem.

3.1.2 Message Filtering

Using /etc/syslog.conf, messages can be filtered based on their priority level and facility.
Messages can be directed to:

• Specific log files
• The console
• A specified user. The message is sent to the user's terminal if the user is logged in.
• All logged-in users
• Remote systems (forwarding). For more information, see “Log Consolidation Overview” (page 46).

See the syslogd(8) manpage for additional information on configuring message filters.
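The selector syntax that /etc/syslog.conf uses to express these filters, and the “@host” action that forwards a message to a remote log sink, can be modelled in a few dozen lines. The following Python is an added example, not code from the HP manual or from syslogd itself: it parses a constructed syslog.conf fragment (the host name loghost.example is a placeholder), applies the facility/priority matching rules as sysklogd's syslog.conf(5) defines them (a priority means “that level and every more severe one”, “=” means exactly that level, “!” removes a level and above, “none” removes a facility, and later selectors on a line refine earlier ones), and reports which actions a given message reaches. It also computes the PRI value that heads a forwarded packet, which is how the facility codes from Table 3-2 travel to the consolidation server.

```python
"""Model of how the standard syslogd routes a message through /etc/syslog.conf.

Added example; this is not code from the HP manual or from syslogd itself.
Selector semantics are modelled on sysklogd's syslog.conf(5):
  facility.priority    that facility at that priority and every higher one
  facility.=priority   exactly that priority
  facility.!priority   remove that priority and every higher one
  facility.none        remove the facility entirely
  '*' stands for any facility or any priority; facilities are separated by
  ',' and selectors on one line by ';'; later selectors refine earlier ones.
Actions: a file path, /dev/console, a user name (the user's terminal),
'*' (all logged-in users) or '@host' (forward over UDP to a log sink).
"""
from typing import Dict, List, Set, Tuple

# Facility codes from syslog(3); LOG_NEWS, LOG_SYSLOG, LOG_USER and LOG_UUCP
# are the entries continued in Table 3-2 above.
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# Priorities from most to least severe; the index is the syslog(3) level.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

Rule = Tuple[Dict[str, Set[int]], str]   # per-facility set of matching levels, action


def _apply_priority(spec: str, mask: Set[int]) -> None:
    """Apply one priority spec ('info', '=err', '!warning', 'none', '*') to a mask in place."""
    if spec == "none":
        mask.clear()
        return
    exclude = spec.startswith("!")
    spec = spec[1:] if exclude else spec
    exact = spec.startswith("=")
    spec = spec[1:] if exact else spec
    if spec == "*":
        levels = set(range(len(PRIORITIES)))
    else:
        level = PRIORITIES.index(spec)
        levels = {level} if exact else set(range(level + 1))  # level and all more severe
    if exclude:
        mask.difference_update(levels)
    else:
        mask.update(levels)


def parse_syslog_conf(text: str) -> List[Rule]:
    """Parse syslog.conf text into (mask, action) rules, one per non-comment line."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)  # whitespace separates selector and action
        masks: Dict[str, Set[int]] = {fac: set() for fac in FACILITY_CODES}
        for selector in selectors.split(";"):
            facilities, priority = selector.rsplit(".", 1)
            targets = list(FACILITY_CODES) if facilities == "*" else facilities.split(",")
            for fac in targets:
                _apply_priority(priority, masks[fac])
        rules.append((masks, action))
    return rules


def route(rules: List[Rule], facility: str, priority: str) -> List[str]:
    """Return, in configuration order, every action that receives this message."""
    level = PRIORITIES.index(priority)
    return [action for masks, action in rules if level in masks[facility]]


def pri_value(facility: str, priority: str) -> int:
    """The <PRI> number that heads a forwarded syslog packet: facility*8 + level."""
    return FACILITY_CODES[facility] * 8 + PRIORITIES.index(priority)


# Constructed sample configuration; loghost.example is a placeholder host name.
SAMPLE_CONF = """\
# info and higher to the main log, but keep mail and news chatter out of it
*.info;mail.none;news.none      /var/log/messages
# only notice and info: take info and higher, then drop warning and higher
*.info;*.!warning               /var/log/notices
news.=crit                      /var/log/news.crit
*.emerg                         *
kern.crit                       root
uucp,news.crit                  /dev/console
# forward everything to the log consolidation server
*.*                             @loghost.example
"""

if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_CONF)
    for fac, pri in [("user", "info"), ("news", "crit"), ("news", "err"), ("kern", "emerg")]:
        print(f"{fac}.{pri} (PRI {pri_value(fac, pri)}) -> {route(rules, fac, pri)}")
```

Running the script shows that a news.crit message bypasses /var/log/messages (because of news.none) but still reaches /var/log/news.crit, the console and the remote sink, while the final *.* line sends every message to loghost.example regardless of the local filters. That last line is the whole of what standard syslogd can express about forwarding: the selection is by facility and priority only, and the packet leaves over UDP with no acknowledgement.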

3.2 Log Consolidation Overview

Log forwarding is a feature of the standard UNIX syslogd. In addition to logging messages to
the local host's log files, syslogd can forward log messages to one or more remote systems.
These systems are referred to as log sinks or log consolidation servers.

Log consolidation offers benefits such as the following:

• Easier log file analysis - The centralized log provides a single location for the administrator
  to perform log file analysis. It offers a single view of events that impact multiple systems.

• Increased security - A security breach might compromise the local logs but not the centralized
  copy. The log consolidation system can be hardened in ways that are likely to be inappropriate
  for log forwarding clients.

• Simplified archiving of logs - It is sometimes simpler to archive a set of centralized logs
  rather than per-system logs.

There are several disadvantages of using the standard syslogd on a log consolidation server:

• syslogd supports forwarding using UDP only. The User Datagram Protocol (UDP) is a
  "connectionless" protocol and does not offer flow control or guaranteed delivery of
  messages. As such, it is possible for forwarded log messages to be lost.

• The filtering features of syslogd are quite simple: you can filter only on a message’s facility
  and priority.

• A log consolidation system represents a single point of failure. If the system is unavailable,
  the messages forwarded from clients are lost. Note that the messages still exist on the
  individual client systems. They are lost only from the consolidated log.

3.2.1 Improved Log Consolidation

The Distributed Systems Administration Utilities (DSAU) use syslog-ng, or syslog “Next
Generation,” to address the weaknesses of the traditional syslogd mentioned above.

syslog-ng is an open source syslogd replacement. It performs all the functions of the standard
syslogd in addition to providing features such as the following:

46    Consolidated Logging