Linux – remote monitoring of linux logs

linuxmonitoringsyslog

I would like to monitor syslog logs on few dozens of linux servers. In ideal world I'd prefer pull method where central monitoring server collects once per day logs from all machines via ssh, applies common and per-server rules and reports about any unexpected log entries.

Do you have any suggestions?

I would prefer not to use centralized syslog server.

I've looked at ossec, again I would prefer to use ssh for all the communication and would prefer to avoid installing any additional tools on monitored servers

Best Answer

I'm not sure of any turn-key application/solution for this but you could easily use rsyslog on your central monitoring server with the imfile module, which can monitor (and alert via ommail module and conditionals) on arbitrary log files that could be pulled in from your Linux servers via rsync and cron.

I'm using rsyslog as a central syslog server and using ommail to send me alerts on various events from my edge firewall, Squid proxy, core switch, etc. Works well.

Related Solutions

Linux – Viewing logs on a remote linux server

If the log files are being generated on the client server via the syslog facility then the best way is to setup the clients syslog daemon to forward those logs to a seperate host. For example, if I have an internal name syslog.private which points to the remote server that I want to receive the log entries. I can add the following line to the /etc/syslog.conf on the client server.

*.*          @syslog.private

and then restart the syslog daemon on the client

service syslog reload

This will cause every entry that passes through the clients syslog to be sent across the wire to syslog.private and if that machine is configured correctly, the entries will be available there as well. In RedHat systems this is controlled by the /etc/sysconfig/syslog file. Make sure the -r option is present

% grep "SYSLOGD" /etc/sysconfig/syslog 
SYSLOGD_OPTIONS="-m 0 -r"

and then restart the syslog daemon on the receiving server.

You can also control what is forwarded to the remote server by adding exclusions, see the example below

*.*;mail.none   @syslog.private

Which says forward everything to syslog.private with the exception of anything sent to the mail facility.

If this solution works out for you, you may consider one of the alternate syslog implementations like rsyslog, or syslog-ng, which provide extra logging and storage options.

Php – Centralizing PHP error logging with syslog

Yes, I've done this. It works well, and doesn't have any real gotchas. Performance isn't an issue unless you're logging so many errors that you really want to be fixing some of them anyway, or you're logging to a really remote network location (which is a bad idea for all sorts of reasons).

Best Answer

Related Solutions

Linux – Viewing logs on a remote linux server

Php – Centralizing PHP error logging with syslog

Related Topic