I've got about 30 servers, and I just use straight up syslog to send all the logs to a single logging server. For backup, all of the machines are also configured to store their own logs locally for a few days, using logrotate to take care of the rotation and deletion of old logs.
Each of my application servers runs a small perl script to send its logs to syslog, which then forwards on to the loghost (perl script below).
Then on the loghost we have some custom scripts that are similar to logcheck that basically watch the incoming logs for anything suspicious.
We also have all of the email from every host going to one place, so that if any program complains that way, we get all the messages. This could theoretically go to a single mailbox that a program could act on and analyze.
Here is my logging perl script. It works by piping the program's output into it, and then it syslogs the output and spits it back out so you can send it elsewhere (I send to multilog). You can also give it the -q option to just go to syslog.
#!/usr/bin/perl
# Pipe a program's output through this script: each line is sent to syslog
# and (unless -q is given) echoed to stdout so it can be passed on, e.g. to multilog.
use strict;
use warnings;
use Sys::Syslog;
use Getopt::Long;

my $SERVER_NAME = `hostname`;
chomp $SERVER_NAME;
my $FACILITY = 'local0';
my $PRIORITY = 'info';
my $quiet    = 0;

# -s <ident>  -f <facility>  -p <priority>  -q (syslog only, no echo to stdout)
GetOptions ('s=s' => \$SERVER_NAME, 'f=s' => \$FACILITY, 'p=s' => \$PRIORITY, 'q+' => \$quiet)
    or die "usage: $0 [-s ident] [-f facility] [-p priority] [-q]\n";
#print "$SERVER_NAME\n$FACILITY\n$PRIORITY\n";
#Sys::Syslog::setlogsock('unix');
openlog ($SERVER_NAME, 'ndelay', $FACILITY);
if (!$quiet) { syslog($PRIORITY, '%s', "Logging Started -- Logger version 1.1"); }
$| = 1;    # unbuffered stdout so the echoed copy is not held back
while (<>) {
    if (!$quiet) { print $_ unless $_ =~ /^\s+$/ };
    chomp;
    # Pass the line as a '%s' argument instead of as the format string itself:
    # syslog() treats its message argument as a printf-style format, so a
    # logged line containing '%' would otherwise be mangled or misread.
    syslog($PRIORITY, '%s', $_) if $_;
}
closelog();
$| = 0;
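The answer above only says the loghost runs "custom scripts similar to logcheck". As an added illustration (not the poster's scripts), here is the logcheck pattern in Python: a short list of attack regexes is checked first and raises an alert, a list of known-benign noise is then dropped, and anything that matches neither list is reported as "unknown" for a human to look at and turn into a new rule. The sample syslog lines and every pattern in both lists are constructed for this example, not taken from any real host.

```python
"""Logcheck-style watcher for lines arriving on a central loghost (added example)."""
import re

# Known-benign noise, dropped silently. Constructed for the example.
IGNORE_PATTERNS = [
    r"\bCRON\[\d+\]: \(\w+\) CMD \(",
    r"\bsshd\[\d+\]: Accepted publickey for \w+ from \d{1,3}(\.\d{1,3}){3}",
    r"\bsyslogd .*: restart$",
]

# Worth an alert. These are checked before the ignore list, so an overly
# broad ignore rule can never mask them. Constructed for the example.
ATTACK_PATTERNS = [
    r"\bsshd\[\d+\]: Failed password for (invalid user )?\S+ from",
    r"\bsudo:\s+\S+ : user NOT in sudoers",
    r"\bsu\[\d+\]: FAILED su for root",
    r"segfault at",
]

_IGNORE = [re.compile(p) for p in IGNORE_PATTERNS]
_ATTACK = [re.compile(p) for p in ATTACK_PATTERNS]


def classify(line: str) -> str:
    """Return 'attack', 'ignore' or 'unknown' for one syslog line."""
    if any(p.search(line) for p in _ATTACK):
        return "attack"
    if any(p.search(line) for p in _IGNORE):
        return "ignore"
    return "unknown"


def scan(lines):
    """Split a batch of lines into (alerts, unmatched); blank lines are skipped."""
    alerts, unknown = [], []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        kind = classify(line)
        if kind == "attack":
            alerts.append(line)
        elif kind == "unknown":
            unknown.append(line)
    return alerts, unknown


# Constructed sample batch, as the loghost might receive it in one minute.
SAMPLE_LINES = [
    "Mar  3 04:02:01 web01 CRON[4821]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 04:02:07 web01 sshd[4830]: Accepted publickey for deploy from 10.0.3.7 port 51522 ssh2",
    "Mar  3 04:02:09 web02 sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 40212 ssh2",
    "Mar  3 04:02:09 web02 sshd[2231]: Failed password for invalid user admin from 198.51.100.23 port 40213 ssh2",
    "Mar  3 04:02:15 db01 sudo:   bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 04:02:20 web01 kernel: httpd[5120]: segfault at 0 ip 00007f3a1c2b4e90 sp 00007ffd5b3c1e40 error 4 in libc.so.6[7f3a1c1c0000+1c0000]",
    "Mar  3 04:02:31 app03 myapp: order-service reconnected to queue after 3 retries",
]

if __name__ == "__main__":
    alerts, unknown = scan(SAMPLE_LINES)
    print("ALERTS:")
    for a in alerts:
        print("  " + a)
    print("UNMATCHED (review, then add an ignore or attack rule):")
    for u in unknown:
        print("  " + u)
```

The ordering is the important design point: in logcheck-style setups the "ignore" list grows fastest, and if it is applied first a careless rule (say, one matching any `sshd[` line) silently swallows the failed-login lines too. Checking the attack list first keeps that from happening.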
The LOCALn facilities are available for any local use and can vary pretty widely from site to site.
I guarantee every one of the 8 available is used by something, so if you want to avoid conflicts my best advice is to log all 7 to separate logs and pick the one that nothing else seems to be using.
Some you missed (program defaults - may be changed locally so double-check):
LOCAL0 is used by postgresql (if configured to log to syslog)
LOCAL2 is used by sudo (if configured to log to syslog)
LOCAL3 is used by some versions of SpamAssassin - this is often changed by the local admin to log to mail instead
LOCAL5 is sometimes used by the Snort IDS - I don't know if this is a default or just coincidence, but I've seen it on several Snort installations
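The advice above is to split the LOCALn facilities into separate files and see which ones stay empty. As an added example (not part of the answer), the same check can be done directly on the messages a loghost receives: a message on the wire starts with a <PRI> header where PRI = facility * 8 + severity (the RFC 3164 / RFC 5424 encoding), so decoding it tells you which facility each sender really uses regardless of what its documentation says. The Perl script in the first answer, run with its defaults of local0 and info, produces PRI 134. The sample messages below are constructed for the example; the names given to facilities 12 through 15 differ between implementations and are an assumption here.

```python
"""Decode syslog <PRI> headers to find which facilities are in use (added example)."""
import re
from collections import Counter

# Facility codes 0..23 per RFC 3164. Names for 12..15 vary by implementation
# (assumed here); 16..23 are local0..local7.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri: int):
    """Split a PRI value into (facility_name, severity_name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def encode_pri(facility: str, severity: str) -> int:
    """Inverse of decode_pri: the value a sender puts on the wire."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def parse_line(line: str):
    """Return (facility, severity, rest_of_message), or None if there is no PRI header."""
    m = PRI_RE.match(line)
    if not m:
        return None
    fac, sev = decode_pri(int(m.group(1)))
    return fac, sev, line[m.end():]


def facility_usage(lines):
    """Count messages per facility; lines without a PRI header are skipped."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed[0]] += 1
    return counts


def free_local_facilities(lines):
    """The LOCALn facilities that no sender in this sample used."""
    used = facility_usage(lines)
    return [f"local{n}" for n in range(8) if used[f"local{n}"] == 0]


# Constructed sample, as a UDP/TCP syslog receiver would see it on the wire.
SAMPLE_LINES = [
    "<134>Mar  3 04:02:01 app01 app01: Logging Started -- Logger version 1.1",   # local0.info
    "<134>Mar  3 04:02:02 app01 app01: GET /index.html 200",                     # local0.info
    "<86>Mar  3 04:02:05 web01 sshd[4830]: Accepted publickey for deploy from 10.0.3.7",  # authpriv.info
    "<133>Mar  3 04:02:06 db01 postgres[221]: LOG:  database system is ready",  # local0.notice
    "<149>Mar  3 04:02:07 db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/messages",  # local2.notice
    "<169>Mar  3 04:02:09 ids01 snort[911]: [1:2001219:20] ET SCAN Potential SSH Scan",  # local5.alert
    "Mar  3 04:02:10 web01 kernel: line relayed without a PRI header",
]

if __name__ == "__main__":
    for fac, n in sorted(facility_usage(SAMPLE_LINES).items()):
        print(f"{fac:10s} {n}")
    print("free LOCALn:", ", ".join(free_local_facilities(SAMPLE_LINES)))
```

Run this over a day of captured traffic (tcpdump output or the raw spool from a receiver that keeps the header) rather than over files already written by syslogd, because once the daemon has filed the message the PRI header is gone and the facility is only implied by which file it landed in.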
Best Answer
Splunk http://www.splunk.com/
Up to 500m data is free, any more requires a license key. It will analyze many different kinds of log files, and has plugins for reading other kinds of log files outside of the standard (syslog and apache, and a few others I believe). It has a very nice interface, and is very fast.