On 22/12/13 22:17, Tanstaafl wrote:
> Hi all,
>
> I'm very interested in what are best practices, and what others do as
> far as separating out different types of messages in their logs.
>
> I've always just sent everything to /var/log/messages, and this is not a
> very heavily loaded box so it hasn't been a big problem, but I'm working
> on a new server and would like to do some separation.
>
> I'd still like everything to go to /var/log/messages, but I'd like to
> also send certain types of messages to different logs to simplify
> troubleshooting, etc. - i.e., I often peruse the logs with:
>
> egrep '(reject|warning|error|fatal|panic):' /var/log/messages
>
> But I'd like to actually feed all of those messages to a separate log,
> for easier tailing.

syslog-ng comes with extensive documentation and a high-quality sysadmin
manual is available from Balabit's web site.

You need to start there as that spec above is highly bespoke. To do it,
you need to examine the content of the log body using a regex; the usual
way of filtering logs is by the header fields, not the body.

There is no "best practice" as such wrt logging. All that there is, is
whatever you consider you need to have.


--
Alan McKinnon
alan.mckinnon@×××××.com
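
Added example, not part of the original message or of the syslog-ng project's shipped configuration: a syslog-ng.conf fragment showing the body-regex filter described above next to a header-field (priority) filter, with both feeding separate files while the existing /var/log/messages path is left alone. The source name `src`, the filter and destination names, and the two output file paths are assumptions.

```conf
# Fragment to append to an existing syslog-ng.conf (constructed example).
# Assumes a source named "src" is already defined and that the existing
# catch-all log path writing /var/log/messages stays in place untouched.

# Body filter: the same pattern as the egrep in the question, applied to
# the message text only (not to the host or program header fields).
filter f_problems {
    match("(reject|warning|error|fatal|panic):" value("MESSAGE"));
};

# Header filter, for comparison: selects on the priority field and never
# looks at the message body, so it is cheaper and not fooled by wording.
filter f_warn_up {
    level(warning..emerg);
};

# Separate files for tailing; restrict who can read them.
destination d_problems {
    file("/var/log/problems.log" perm(0640));
};

destination d_warn_up {
    file("/var/log/warnings.log" perm(0640));
};

# No flags(final) on these paths, so a matching message is still handed
# to every other log path, including the one for /var/log/messages.
log { source(src); filter(f_problems); destination(d_problems); };
log { source(src); filter(f_warn_up); destination(d_warn_up); };
```

Running `syslog-ng --syntax-only` checks the file before the daemon is reloaded.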