Syslog web interface recommendations

loggingsyslog

We've got a central log server (syslog-ng) and I'd like to provide a slick web interface for viewing the logs. Most of what I've seen are either horribly broken, outdated, or just fugly. I'm not very concerned about analysis, though it would be a bonus. Any recommendations?

Best Answer

Splunk http://www.splunk.com/

Up to 500m data is free, any more requires a license key. It will analyze many different kinds of log files, and has plugins for reading other kinds of log files outside of the standard (syslog and apache, and a few others I believe). It has a very nice interface, and is very fast.

Related Solutions

Linux – How did you implement log management on your servers

I've got about 30 servers, and I just use straight up syslog to send all the logs to a single logging server. For backup, all of the machines are also configured to store their own logs locally for a few days, using logrotate to take care of the rotation and deletion of old logs.

Each of my application servers runs a small perl script to send their logs to syslog, which then forwards on to the loghost (perl script below).

Then on the loghost we have some custom scripts that are similar to logcheck that basically watch the incoming logs for anything suspicious.

We also have all of the email from every host going to one place, so that if any program complains that way, we get all the messages. This could theoretically go to a single mailbox that a program could act on and analyze.

Here is my logging perl script. It works by piping the program's output into it, and then it syslogs the output and spits it back out so you can send it elsewhere (I send to multilog). You can also give it the -q option to just go to syslog.

#!/usr/bin/perl

use Sys::Syslog;
use Getopt::Long;

$SERVER_NAME = `hostname`;
chomp $SERVER_NAME;
$FACILITY = 'local0';
$PRIORITY = 'info';

GetOptions ('s=s' => \$SERVER_NAME, 'f=s' => \$FACILITY, 'p=s' => \$PRIORITY, 'q+' => \$quiet);

#print "$SERVER_NAME\n$FACILITY\n$PRIORITY\n";

#Sys::Syslog::setlogsock('unix');
openlog ($SERVER_NAME,'ndelay',$FACILITY);

if (!($quiet)) {syslog($PRIORITY,"Logging Started -- Logger version 1.1");}

$| = 1;

while (<>) {
    if (!($quiet)) {print $_ unless $_ =~ /^\s+$/};
    chomp;
    syslog($PRIORITY,$_) if $_;
}

closelog;

$| = 0;

Which program defaults uses syslog local[0-7] facilities

The LOCALn facilities are available for any local use and can vary pretty widely from site to site.

I guarantee every one of the 8 available are used by something, so if you want to avoid conflicts my best advice is to log all 7 to separate logs and pick the one that nothing else seems to be using.

Some you missed (program defaults - may be changed locally so double-check):

LOCAL0 is used by postgresql (if configured to log to syslog)
LOCAL2 is used by sudo (if configured to log to syslog)
LOCAL3 is used by some versions of SpamAssassin
- This is often changed by the local admin to log to mail instead
LOCAL5 is sometimes used by the Snort IDS
- I don't know if this is a default or just coincidence, but I've seen it on several Snort installations

Best Answer

Related Solutions

Linux – How did you implement log management on your servers

Which program defaults uses syslog local[0-7] facilities

Related Topic