Redirecting syslog output for certain processes to a particular file

gangliagmetadsyslog

I must admit to being a complete syslog newbie. I haven't touched it until now, but I use its output on a daily basis, like most of us 🙂

I currently have a problem with the gmetad daemon spamming my /var/log/messages file with messages like the following:

Sep 1 10:09:49 monitor /usr/sbin/gmetad[31752]: RRD_update (/var/lib/ganglia/rrds/Machines/SummaryInfo/example.rrd): illegal attempt to u
pdate using time 1314868188 when last update time is 1314868188 (minimum one second step).

I'm not too worried about the error, what I want to do is redirect these particular messages to another log file (e.g /var/log/gmetad.log). The problem is that there doesn't seem to be any way to direct gmetad's logs to a certain place in its config (and documentation for this particular piece of software seems quite sparse). So I was wondering if it was possible to use the "local" facility in syslog to grab these messages and stick them somewhere else to leave /var/log/messages a bit cleaner.

Can anyone help? Does anyone have any examples for the "local" facilities?

Best Answer

Which syslog daemon do you have ? Syslogd ? syslog-ng ? rsyslog ? The syntax is different for each daemon.

for example in rsyslog, you could do something like

local5.*   /var/log/gmetad.log

{you must find application's facility}

otherwise you could do something like

if $msg contains gmetad then /var/log/gmetad.log

Related Solutions

Linux – Better Logging for Cronjobs and Sending Output to Syslog

In the process of writing this question, I answered myself. So I'll answer myself "Jeopardy-style". This expands on the answer provided by Dennis Williamson.

The following will send any Cron output to /usr/bin/logger (including stderr, which is converted to stdout using 2>&1), which will send to syslog, with a 'tag' of nsca_check_disk. Syslog handles it from there. Since these systems (CentOS and FreeBSD) already have built-in log rotation mechanisms, I don't need to worry about a log like /var/log/mycustom.log filling up a disk.

*/5 * * * * root    /usr/local/nagios/sbin/nsca_check_disk 2>&1 | /usr/bin/logger -t nsca_check_disk

/var/log/messages now has one additional message which says this:

Apr 29, 17:40:00 192.168.6.19 nsca_check_disk: 1 data packet(s) sent to host successfully.

I like /usr/bin/logger , because it works well with an existing syslog configuration and infrastructure, and is included with most Unix distros. Most *nix distributions already do log rotation and do it well.

Linux – the central syslog server appears to discard remote messages

I wasn't clear if you configured syslog on all of your clients or not. Your tcpdump seems to show inbound syslog traffic, but you might want check that you aren't simply seeing traffic from one remote syslog client. Be sure that Syslogd is configured on each client machine as well. You need to add a line which looks something like this, where syslog.example.org is your syslog server:

# Log all messages to central syslog server
*.*     @syslog.example.org

To verify this is working, use the logger(1) utility. I run a command like this on all of my machines in one window, often in a loop like for HOST in ALLOFMYHOSTS; do ssh $HOST 'logger'.....

logger -t stefantest stefantest1

Then in a separate window connected to the syslog, I do a tail -f /var/log/YOURLOGFILE |grep stefantest. This will confirm if syslog itself is working from each host or not. Then, go from there.

Best Answer

Related Solutions

Linux – Better Logging for Cronjobs and Sending Output to Syslog

Linux – the central syslog server appears to discard remote messages

Related Topic