Discussion:
metalog vs. syslog-ng
Chris Fisher
2005-01-03 22:22:17 UTC
Hello,

This might be a well-covered topic, but I have been having some issues
with Gentoo forums, so I thought I would post here.

Can anyone out there tell me if they have been using syslog-ng, then
migrated to metalog? It seems to have a slick out-of-the-box setup.
Also, we have a central syslog-ng server; can anyone tell me how to
configure metalog to remotely log to this box? I assume syslog-ng will
accept logs from a metalog syslog server?

Thanks!
-Chris
Jeroen Geilman
2005-01-04 12:26:35 UTC
Post by Chris Fisher
Hello,
This might be a well-covered topic, but I have been having some issues
with Gentoo forums, so I thought I would post here.
Can anyone out there tell me if they have been using syslog-ng, then
migrated to metalog?
Similar.. I have used both.
Post by Chris Fisher
It seems to have a slick out-of-the-box setup.
Metalog setup is indeed very easy, especially the syntax for monitoring
trivial log sources - it's as easy as adding a service name or PCRE
expression and specifying a log file.
Post by Chris Fisher
Also, we have a central syslog-ng server; can anyone tell me how to
configure metalog to remotely log to this box?
Any way you like - as syslog service or through a socket, your call.
Post by Chris Fisher
I assume syslog-ng will
accept logs from a metalog syslog server?
Sure - loghost to loghost does not depend on the logging daemon used.

That said, I have recently decided to try syslog-ng again for a change,
since it is more similar to the traditional sysklogd setup, which a lot
more programs accept and understand.

The one thing metalog definitely has going for it is: automatic log rotation!

You have to experience that to enjoy it fully... ;-)
--
All your bits are belong to us.
Joey McCoy
2005-01-04 13:54:04 UTC
I have to say, Metalog's automatic log rotation is a dream come true after
using syslog-ng, but logwatch (so far from what I've seen) does not do
very well with metalog, so I've switched back to syslog-ng for that only
reason. I've written myself a weekly log rotation script. It's
unfortunate, but only a small inconvenience in order to utilize the power
of logwatch. ;)
Konstantin V. Gavrilenko
2005-01-04 16:21:40 UTC
Post by Joey McCoy
I have to say, Metalog's automatic log rotation is a dream come true after
using syslog-ng, but logwatch (so far from what I've seen) does not do
very well with metalog, so I've switched back to syslog-ng for that only
reason. I've written myself a weekly log rotation script. It's
unfortunate, but only a small inconvenience in order to utilize the power
of logwatch. ;)
What stops you setting up the destination in such a way in syslog-ng.conf?

# NETWORK LOGGING
destination d_fmnet {
    file("/var/log/HOSTS/$HOST/$YEAR-$MONTH/$HOST-$FACILITY-$YEAR$MONTH"
        owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
    );
};

IMHO, it is even better than logrotate.
--
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web: http://www.arhont.com
http://www.wi-foo.com
e-mail: ***@arhont.com

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com
Andy Dustman
2005-01-04 18:23:03 UTC
On Tue, 04 Jan 2005 16:21:40 +0000, Konstantin V. Gavrilenko
Post by Konstantin V. Gavrilenko
Post by Joey McCoy
I have to say, Metalog's automatic log rotation is a dream come true after
using syslog-ng, but logwatch (so far from what I've seen) does not do
very well with metalog, so I've switched back to syslog-ng for that only
reason. I've written myself a weekly log rotation script. It's
unfortunate, but only a small inconvenience in order to utilize the power
of logwatch. ;)
what stops you setting up the destination in such a way in syslog-ng.conf?
Nothing, obviously. :)
Post by Konstantin V. Gavrilenko
# NETWORK LOGGING
destination d_fmnet {
file("/var/log/HOSTS/$HOST/$YEAR-$MONTH/$HOST-$FACILITY-$YEAR$MONTH"
owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
);
Here's how I do it: The clients all log remotely (via TCP, for
reliability), plus they keep a week's worth of logs locally:

destination messages {
    file("/var/log/messages.$WEEKDAY" remove_if_older(100000));
};
destination remote { tcp("syslog"); };
log { source(src); destination(messages); };
log { source(src); destination(remote); };

The central server breaks them up into hourly log files, which are
readable by system administrators (wheel group):

destination messages {
    file("/var/log/messages.d/$YEAR/$MONTH/$DAY/$HOUR.log"
        create_dirs(yes)
        group(wheel)
        dir_group(wheel)
        dir_perm(0770)
        perm(0640)
        template("$HOST $ISODATE [$FACILITY:$PRIORITY:$PROGRAM] $MESSAGE\n")
    );
};

I also use logsentry to monitor the logs, though I have been itching
to try tenshi. In /etc/logcheck/logcheck.sh, I gather up the logs like
this:

LOGDIR="/var/log/messages.d"

# Run logtail over every log modified in the last day, skipping the filer's snapshots.
find "$LOGDIR" -path "$LOGDIR/.snapshot/*" -prune \
    -o -type f -name '*.log' -mtime -1 -print \
    | xargs -r -n1 $LOGTAIL > "$TMPDIR/check.$$"

Logs are actually written on a NetApp Filer, thus the bit about
pruning the .snapshot directory. I also do this at the end to compress
logs older than a day, and remove old .offset files (created by
logtail):

# Clean Up
rm -f "$TMPDIR/check.$$" "$TMPDIR/checkoutput.$$" "$TMPDIR/checkreport.$$"
# Compress logs older than a day
find "$LOGDIR" -path "$LOGDIR/.snapshot/*" -prune \
    -o -type f -name '*.log' -mtime +1 -print \
    | xargs -r bzip2
# Remove stale logtail offset files
find "$LOGDIR" -path "$LOGDIR/.snapshot/*" -prune \
    -o -type f -name '*.log.offset' -mtime +1 -print \
    | xargs -r rm

No cron jobs (other than to run logsentry) and no sending signals to
daemons to close and reopen files.
--
Computer interfaces should never be made of meat.

Using GMail? Setting Reply-to address to <> disables this annoying feature.
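
Both syslog-ng destinations posted in this thread depend on restrictive modes (perm(0600)/dir_perm(0700) in one, perm(0640)/dir_perm(0770) with group wheel in the other). The following audit of such a tree is an added example, not part of any poster's message; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check a central log tree against the
# modes the syslog-ng destination asks for: perm(0640), dir_perm(0770), one group.

# scan LABEL ROOT PREDICATE...: print "LABEL path" for each match,
# skipping the filer's .snapshot directory as the thread's find commands do.
scan() {
    label=$1 root=$2; shift 2
    find "$root" -path "$root/.snapshot" -prune -o \( "$@" \) -print |
        sed "s|^|$label |"
}

# audit_log_tree ROOT GROUP: print findings, return 1 if there are any.
audit_log_tree() {
    out=$(
        scan other-access "$1" -perm -001 -o -perm -002 -o -perm -004
        scan group-writable-file "$1" -type f -perm -020
        scan wrong-group "$1" ! -group "$2"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample tree: one correct hourly file, one world-readable file,
# one group-writable file, and a .snapshot copy that must be ignored.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/2005/01/04" "$t/.snapshot/hourly.0"
    : > "$t/2005/01/04/17.log"; : > "$t/2005/01/04/18.log"
    : > "$t/2005/01/04/19.log"; : > "$t/.snapshot/hourly.0/17.log"
    chmod 0770 "$t" "$t/2005" "$t/2005/01" "$t/2005/01/04"
    chmod 0640 "$t/2005/01/04/17.log"
    chmod 0644 "$t/2005/01/04/18.log" "$t/.snapshot/hourly.0/17.log"
    chmod 0660 "$t/2005/01/04/19.log"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
# The sample uses the caller's numeric gid; on the log server pass wheel instead.
audit_log_tree "$tree" "$(id -g)" || echo "findings listed above"
rm -rf "$tree"
```
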
Ow Mun Heng
2005-01-05 04:44:40 UTC
Post by Andy Dustman
On Tue, 04 Jan 2005 16:21:40 +0000, Konstantin V. Gavrilenko
Here's how I do it: The clients all log remotely (via TCP, for
[SNIP]
Post by Andy Dustman
No cron jobs (other than to run logsentry) and no sending signals to
daemons to close and reopen files.
Cool script. I'll keep it in my treasure chest
--
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4Ghz
98% Microsoft(tm) Free!!
Neuromancer 12:44:02 up 3:42, 6 users,
load average: 0.55, 0.57, 0.42
Smith, Adam
2005-01-04 13:58:23 UTC
Log rotation is quick and easy with logrotate

-----Original Message-----
From: Joey McCoy [mailto:***@cfl.rr.com]
Sent: Tuesday, January 04, 2005 8:54 AM
To: gentoo-***@lists.gentoo.org
Subject: Re: [gentoo-server] metalog vs. syslog-ng


I have to say, Metalog's automatic log rotation is a dream come true after
using syslog-ng, but logwatch (so far from what I've seen) does not do
very well with metalog, so I've switched back to syslog-ng for that only
reason. I've written myself a weekly log rotation script. It's
unfortunate, but only a small inconvenience in order to utilize the power
of logwatch. ;)