- 03-28-2007 #1
SuSE Centralized Syslog-ng
I have about eight boxes running. Most of them are SuSE - two 9.3 and five 10.2. There's also one IPcop box thrown in, and Solaris, Ubuntu, and FreeBSD on the way.
I'm really happy with the SuSE default syslog-ng configuration, how it accurately separates all of the logs into files based on source or level (mail, warn, acpi, etc.).
However, I want to set up a centralized logging server. All of the documentation I can find on doing this with syslog-ng tells about creating one file per server per day, like /var/log/$HOST/$HOST-$YEAR-$MONTH-$DAY.log.
Is there any simple way to preserve the SuSE default files (mail, messages, warn, etc.) but just put them in a host-specific directory, i.e. on the centralized server I'd have:
/var/log/HOST1/{messages, mail, warn, etc.}
/var/log/HOST2/{messages, mail, warn, etc.}
/var/log/HOST3/{messages, mail, warn, etc.}
etc.
and also local in the default way, like
/var/log/{messages, mail, warn, etc.}
Is there any way to do this without having to duplicate the destinations for every host, or even every source/service?
- 03-28-2007 #2
Hmmm it sounds like Cacti's Haloe plugin. Do you have Cacti set up on the network? It is truly an awesome utility. Check out some screen shots on the web. The plugins can be found at www.cactiusers.org !
I praise Webmin and PuTTy!
Registered Linux User: 439431
- 03-28-2007 #3
I had cacti running in the past, but with only two SNMP-enabled boxes (router/fw and switch) it didn't do a lot for me...
I'd really rather just stick with syslog-ng and configure it there. I don't want any analysis, I already have scripts for that. I just want all of the logs from all of the systems to end up on one box, but with the same structure they used to have.
If all else fails, I'll set up an NFS read-only mount from each box's /var/log to a directory on the central server, but that only handles the analysis part, not the security aspect of having centralized logs.
- 03-28-2007 #4
Why not just periodically run a script to copy then delete the logs? It could either be run on each box or on the central server.
- 03-28-2007 #5
The log analysis scripts that I currently run, and want to run, require the logs to be real-time.
I know that syslog-ng is supposed to do this, but as far as I can see, it would mean adding a LOT of definitions.
Given that the network is relatively secure, I don't have a big issue with doing a root-only, read-only NFS export of all of the hosts' /var/log directories, but that doesn't provide the security of having logs stored on a remote machine for later analysis.
- 09-12-2007 #6
I think you answered your own question. I was searching for something else, and just happened upon your question, though.
What I would do, and in fact what we DO here, is separate out the important logs per host (or group) and facility and our requirements for the logs.
We have 20 mail hosts whose maillog and messages we all dump to two combined log files, about 80 network performance testing servers that dump to a common file, and about a dozen more that dump to individual files. We also pull out the auth and authpriv facilities from all servers, and dump that to a secure location.
We also have all our Juniper, Cisco, Extreme, Riverstone, Adtran, etc. network devices, about 3000 of them, dumping into respective files based on device type and purpose.
Some logs we roll weekly, some we roll daily, and we keep them all for a year.
The nice thing about syslog-ng is that you can do all of this based on the properties of the log message, including the host, the facility, the severity, the program and the contents of the message.
Having to write 5 or 10 rules for each host really shouldn't be a deterring factor. Once you have written it once, all you have to do is copy your template and do a search and replace on it.
-jt2
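A syslog-ng configuration added here as an illustration (it is not from the thread, and not SuSE's shipped config) of what the original question asks and what the answer above points at: the per-facility file split is written once, and the $HOST macro in the file path puts each sending box into its own directory, while the central box keeps its own logs in the default places. It assumes syslog-ng 2.x syntax, a listener reachable only from the LAN, that the SuSE default local source is named src, and "logserver" as a placeholder hostname.

```conf
# Added example (not from the thread, not SuSE's shipped config): one central
# syslog-ng server keeping the familiar per-facility files, but under
# /var/log/$HOST/ for every sending box. Assumes syslog-ng 2.x syntax and a
# LAN-only listener; "logserver" below is a placeholder hostname.

# keep_hostname(no): name the directory after the sending address, not after
# whatever hostname a sender wrote into the message itself.
options { create_dirs(yes); dir_perm(0750); perm(0640);
          use_dns(yes); keep_hostname(no); };

# This box's own messages, read the way the SuSE default config reads them.
source s_local  { internal(); unix-dgram("/dev/log"); };

# Everything the other boxes forward (UDP for legacy senders, TCP preferred).
source s_remote { udp(ip("0.0.0.0") port(514)); tcp(ip("0.0.0.0") port(514)); };

# Roughly the SuSE split: mail, warn, messages, plus auth pulled out on its own.
filter f_mail     { facility(mail); };
filter f_auth     { facility(auth, authpriv); };
filter f_warn     { level(warn..emerg) and not facility(mail); };
filter f_messages { not level(debug) and not facility(mail, auth, authpriv); };

# One destination per FILE, not per host: $HOST is expanded for every message,
# so HOST1, HOST2, ... each get their own directory from the same four lines.
destination d_host_mail     { file("/var/log/$HOST/mail"); };
destination d_host_auth     { file("/var/log/$HOST/auth" perm(0600)); };
destination d_host_warn     { file("/var/log/$HOST/warn"); };
destination d_host_messages { file("/var/log/$HOST/messages"); };

# The central box's own logs stay in the default locations as well.
destination d_local_mail     { file("/var/log/mail"); };
destination d_local_warn     { file("/var/log/warn"); };
destination d_local_messages { file("/var/log/messages"); };

log { source(s_remote); filter(f_mail);     destination(d_host_mail); };
log { source(s_remote); filter(f_auth);     destination(d_host_auth); };
log { source(s_remote); filter(f_warn);     destination(d_host_warn); };
log { source(s_remote); filter(f_messages); destination(d_host_messages); };

log { source(s_local);  filter(f_mail);     destination(d_local_mail); };
log { source(s_local);  filter(f_warn);     destination(d_local_warn); };
log { source(s_local);  filter(f_messages); destination(d_local_messages); };

# On each sending box, add only this to the existing syslog-ng.conf (src is
# the local source name in the SuSE default). The default local log statements
# stay, so every host keeps its own copies and the server holds the second,
# off-box copy that an intruder on that host cannot quietly edit.
#   destination d_logserver { tcp("logserver" port(514)); };
#   log { source(src); destination(d_logserver); };
```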
- 09-12-2007 #7
Yeah, I guess that's the only option. I'm just surprised that I can't find any tools to automate this process. At the moment, I have about a dozen hosts that I want centralized logging for, and probably about 10 logs per host.
Unfortunately, I can't find anything about an include declaration in the syslog-ng.conf man page, which would make things much easier.
I guess, in the best-case scenario, I could copy each host's file, modify it, and tack it on the end of the config file for the centralized logging host.
Depending on how much of this I have to do, perhaps I'll end up writing a syslog-ng config file parser for Python, or trying to find one.
Ideally, I'd like the centralized server to maintain a mirror of the *exact* /var/log directory for each host.
- 09-12-2007 #8
Couldn't you just replace the local log directory with a symlink to a directory on the log server?? Then all log writes would go direct to the server.
- 09-12-2007 #9
Well I *could*, but then I'd lose my local copies of the logs.