On sending all syslog messages to one file
Over on Twitter, I had a view on where syslog messages should go:
Tired sysadmin take: Different sorts of syslog messages going to different places are a mistake. Throw it all into /var/log/allmessages and I'll sort it out myself.
Like many Twitter takes of mine, in retrospect this one is heartfelt but a little bit too extreme as presented. Specifically, I think you should log all syslog messages to one place, but also log some sorts of messages to their own additional places so you can look through them more easily.
In the old days, I used to carefully curate my syslog.conf so that each syslog facility had its own file. Often, the net result of this was that I would end up running grep over every current syslog file in /var/log because I'd forgotten (or never knew) what facility a given program logged under. Trying to predict what facility a program will use is often almost as futile as predicting what priority level its messages will be logged at.
(This is worse if you rely on the Unix vendor stock syslog.conf instead of customizing it. Unix vendors are inevitably different from each other, and some of them have rather strange ideas of what should go where.)
All of this leads to the tired sysadmin take of putting everything into one file (/var/log/allmessages is what I prefer) and then searching it. An allmessages file is the brute force solution to unpredictable programs and Unix vendor variability, and it also makes sure everything gets logged: a message that arrives under a facility or priority you never anticipated still lands somewhere instead of being silently dropped by a selector that didn't match it.
But sending all syslog messages to only a single place is a little bit of overkill. Despite my tired take, there are often syslog facilities that it's sensible to also log to separate files, so you can look at just them.
The obvious case is kernel messages, and it's so obvious that journalctl has a dedicated flag (-k) to show you only kernel messages. If I was starting a syslog configuration from scratch, I would also have a log file dedicated to "auth" and "authpriv" messages (kept readable only by root, which is the whole point of authpriv existing), one dedicated to "mail" messages, and on my own systems, one dedicated to "daemon" messages. Everything would still go to allmessages; these files are in addition to it.
(And on some systems you might opt to have specific programs log to specific facilities, like "user" or "local0", and have specific files so you can monitor and see the activities of just those programs.)
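Here is that layout written out as a syslog.conf fragment. This is an added example, not configuration from the post; /var/log/allmessages is the path the post prefers, the other file names are my own choices, and a hypothetical program is assumed to have been told to log under local0. The syntax is the classic selector/action form that sysklogd and rsyslog accept; the leading "-" on an action is the sysklogd/rsyslog extension that skips an fsync after every write and is not understood by every BSD syslogd, so drop it there.

```conf
# Added example, not from the original post.
# selector = facility.priority ; "facility.level" matches that level and
# everything more severe, so "*.*" is every facility at every priority.

# The brute-force catch-all: nothing can be missed because of a facility
# or priority you failed to anticipate.
*.*                                 -/var/log/allmessages

# Kernel messages on their own (the syslog equivalent of journalctl -k).
kern.*                              -/var/log/kern.log

# Authentication and authorization records. No "-" here: these should hit
# disk promptly, and the file should be created readable by root only.
auth,authpriv.*                     /var/log/auth.log

# Mail subsystem.
mail.*                              -/var/log/mail.log

# System daemons.
daemon.*                            -/var/log/daemon.log

# A specific program that has been configured to log under local0
# (hypothetical; the facility name is the only thing the syslog side sees).
local0.*                            -/var/log/myprog.log
```

After reloading the syslog daemon you can exercise each rule with the standard logger(1) tool, for example "logger -p local0.info test-local0" and "logger -p authpriv.notice test-auth", and then confirm that each line shows up both in its dedicated file and in /var/log/allmessages. On rsyslog the permissions of newly created files come from the $FileCreateMode directive; whatever you use, check with ls -l that auth.log did not end up world-readable, since it is the one file here whose contents are sensitive by design.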
Sending all syslog messages to an allmessages file is a blunt hammer, and like all blunt hammers it's possible to overuse it. Being able to scan through a single file that has everything has a lot of positive features, but not everything is best served by searching for it through a giant file. Sometimes you want both