Centralizing syslogs as an easy way to improve your environment

September 30, 2013

If your environment is on the low end of the organized 'DevOps' spectrum, here's an easy improvement that I urge you to make right away: create a central syslog server that all of your machines echo their syslogs to. Disk space is cheap today and if you have an ordinary sized environment you don't need a particularly powerful machine or a particularly fast disk system (at least if you turn off synchronous syslog writes on your log host). Once you've set up the syslog server all you need to do to ship logs off to it is to add the following to everyone's syslog configuration:

*.*   @CENTRAL.SERVER.IP

(I prefer an IP address because it still works if hostname lookups blow up for some reason.)

Modern Linux versions of syslog support putting configuration fragments in a directory (typically /etc/rsyslog.d), so you can just make one and drop it in there; you don't even need to change the system-supplied syslog configuration files.

The syslog server itself should start with a simple configuration. First, log all of each facility's messages to a separate file (you might put all localN facilities in one file, depending). Then also log all messages to a single file; we call it allmessages. Your syslog server should have lots of disk space so you should configure syslog log rotation to keep many days or weeks of logs (trust me, this will be useful). Don't try to be clever by dropping debug messages or sorting things by priority and stuff like that. It's not worth the extra hassle and it's not reliable (plenty of programs log things you want to know at debug priority, or at random other priorities).

(You might wonder about separating things by facilities, but programs are much more consistent about that and it's useful to have a lower volume place to look for things like kernel messages.)

The important thing that this does is that it gives you a single place to get a global view on what happened when (at a system level) and to monitor your systems live if you need to. Over and over again it's been extremely helpful to us to see a coherent cross-system view and timeline of things like kernel error messages from NFS clients and NFS servers, authentication logs from multiple systems, and so on. The allmessages log itself gives us an easy way of seeing all syslog messages from a single machine no matter what random facility they were logged on, or all messages related to a single machine (both from the machine itself and from others interacting with it). Finally, you don't have to try to remember (or find, or fix) the syslog configuration on any particular machine and where it puts what messages; since all messages are shipped off to your central machine you can just look there and be done with it.

Of course this is not perfect. Sending syslog messages to a remote server is not completely reliable in general, things can go wrong with the network while the local disk is okay (although the converse can happen too), and so on and so forth. You can probably do better if you try hard enough. But if you don't have any sort of central logging right now, the perfect is the enemy of the good. Put together a central syslog machine now and improve it later. The benefit of having one right now is worth doing it twice (and worth it being less than perfect).

PS: If you're running enough Unix machines with enough syslog message volume that a central syslog server needs to be a beefy server with ultra-fast networking and many terabytes of disk space and so on, you hopefully already have some sort of central logging solution. If not, all I can suggest is multiple syslog aggregators to at least cluster things together.

PPS: Yes, there are some security concerns about a central syslog server. My personal view is that the security worries are worth the benefit of having a high quality central view.

Written on 30 September 2013.
« Spammers illustrating, well, something
What your User-Agent header should include and why »

Page tools: View Source.
Search:
Login: Password:

Last modified: Mon Sep 30 22:59:00 2013
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.