Table 3-2 syslog Facilities Messages (continued)

Message              Description
LOG_MAIL             Mail subsystem.
LOG_NEWS             USENET news subsystem.
LOG_SYSLOG           Messages generated internally by syslogd.
LOG_USER (default)   Generic user-level messages.
LOG_UUCP             UUCP subsystem.

3.1.2 Message Filtering

Using /etc/syslog.conf, messages can be filtered based on their priority level and facility. Messages can be directed to:

Specific log files

The console

A specified user. The message is sent to the user's terminal if the user is logged in.

All logged-in users

Remote systems, through log forwarding. For more information, see the “Log Consolidation Overview” (page 42).

For more information on configuring message filters, see the syslogd(8) manpage.
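As an added illustration, not taken from the manual, the /etc/syslog.conf fragment below directs messages to each destination type listed above. The file paths, the user name and the host name loghost are assumptions; on traditional syslogd the selector and action must be separated by tabs, and the exact names accepted are given in syslogd(8).

```conf
# Added example syslog.conf fragment (not from the HP-UX manual).
# Format: <facility>.<priority><TAB><action>. A selector matches messages of
# the named facility at that priority and above. Paths, the user name and
# the host "loghost" are assumptions; check syslogd(8) for the exact syntax.

# Mail subsystem (LOG_MAIL) messages to a dedicated log file.
mail.info	/var/adm/syslog/mail.log

# Kernel messages of priority err and above to the console.
kern.err	/dev/console

# Authentication messages to the administrator's terminal, when logged in.
auth.notice	root

# Emergencies to every logged-in user.
*.emerg	*

# Forward everything at info and above to the log consolidation server.
# Forwarding uses UDP, so messages can be lost in transit (see Section 3.2).
*.info	@loghost
```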

3.2 Log Consolidation Overview

Log forwarding is a feature of the standard UNIX syslogd. In addition to logging messages to the local host's log files, syslogd can forward log messages to one or more remote systems. These systems are referred to as log sinks or log consolidation servers.

Log consolidation offers benefits such as the following:

Easier log file analysis - The centralized log provides a single location for the administrator to perform log file analysis. It offers a single view of events that impact multiple systems.

Increased security - A security breach might compromise the local logs but not the centralized copy. The log consolidation system can be hardened in ways that are likely to be inappropriate for log forwarding clients.

Simplified archiving of logs - It is sometimes simpler to archive a set of centralized logs rather than per-system logs.

There are several disadvantages of using the standard syslogd on a log consolidation server:

syslogd supports forwarding using UDP only. The User Datagram Protocol (UDP) is a "connectionless" protocol and does not offer flow control or guaranteed delivery of messages. As such, it is possible for forwarded log messages to be lost.

The filtering features of syslogd are quite simple: you can filter only on a message’s facility and priority.

A log consolidation system represents a single point of failure. If the system is unavailable, the messages forwarded from clients are lost. Note that the messages still exist on the individual client systems. They are lost only from the consolidated log.

3.2.1 Improved Log Consolidation

The Distributed Systems Administration Utilities (DSAU) use syslog-ng, or syslog “Next Generation,” to address the weaknesses of the traditional syslogd mentioned above.

syslog-ng is an open source syslogd replacement. It performs all the functions of the standard syslogd in addition to providing features such as the following:

42 Consolidated Logging