Can Loghost's syslogd steer multiple remote /var/adm/messages to multiple files?


Post by Brendan Cho » Sat, 08 May 1999 04:00:00



QUESTION:

Is it possible to have one type of error messages from multiple machines
write to several different files on one loghost? I'm sure I'm not the first
sysadmin not to want error messages from different machines mixed up in one
/var/adm/messages file.

SETUP:

Currently I have several machines ( HostX ) successfully sending their
"/var/adm/messages" to one loghost (let's call Host1).

On HostX's /etc/syslog.conf, I have:


On Host1, /etc/syslog.conf is unchanged:

*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

I tried to do the following on HostX:

*.err;kern.debug;daemon.notice;mail.crit        ifdef(`LOGHOST',

...but all error messages still end up in "/var/adm/messages" on Host1.

Is the problem with the line on Host1 that might be steering ALL error
messages to "/var/adm/messages"?

This is really what I want to see on Host1:

/var/adm/messages
/var/adm/messages.Host1
/var/adm/messages.Host2
/var/adm/messages.Host3
...
,etc, etc...

If syslogd or some other system facility cannot divide the messages file, I
will write a script to do this for me.

Brendan

 
 
 


Post by Ashish Desa » Mon, 10 May 1999 04:00:00


You can't do that. However, if you are going to write something anyway, you
have 2 choices:

1. Write a script that parses the messages file and splits it into multiple
   files.
2. Write a replacement "syslogd" listener program that listens to the syslog
   port instead of "syslogd" and does whatever you want. Syslog is bound to
   UDP and every message sent by a machine is contained within one packet, so
   parsing becomes very easy. The only catch here is I am not sure how the
   local machine (your loghost) will log messages that it generates. Solaris
   has a DOOR interface to syslog and I am not sure if you want to implement
   this. (Write the daemon in Perl; you could have it done in a day!)

Ashish


> QUESTION:

> Is it possible to have one type of error messages from multiple machines
> write to several different files on one loghost? I'm sure I'm not the first
> sysadmin not to want error messages from different machines mixed up in one
> /var/adm/messages file.

> SETUP:

> Currently I have several machines ( HostX ) successfully sending their
> "/var/adm/messages" to one loghost (let's call Host1).

> On HostX's /etc/syslog.conf, I have:


> On Host1, /etc/syslog.conf is unchanged:

> *.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

> I tried to do the following on HostX:

> *.err;kern.debug;daemon.notice;mail.crit        ifdef(`LOGHOST',

> ...but all error messages still end up in "/var/adm/messages" on Host1.

> Is the problem with the line on Host1 that might be steering ALL error
> messages to "/var/adm/messages"?

> This is really what I want to see on Host1:

> /var/adm/messages
> /var/adm/messages.Host1
> /var/adm/messages.Host2
> /var/adm/messages.Host3
> ...
> ,etc, etc...

> If syslogd or some other system facility cannot divide the messages file, I
> will write a script to do this for me.

> Brendan
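
A sketch of choice 1 from the reply above, as an added example that is not part of the original thread: it splits a combined messages file into one file per sending host. It assumes the traditional `Mmm dd hh:mm:ss host ...` line layout; the function names, the `unparsed` bucket and the sample lines are constructed for illustration. Because the host field is written by whoever sent the packet, it is checked against a strict pattern before it becomes part of a file name.

```python
import os
import re
import tempfile

# Assumed line layout: "Mmm dd hh:mm:ss host message..."
LINE_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")
# The host field comes from the sender, so only a conservative
# character set (no '/' and no leading '.') may reach a file name.
SAFE_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")

def host_key(line):
    """Return a file-name-safe host for a log line, or 'unparsed'."""
    m = LINE_RE.match(line)
    host = m.group(1) if m else ""
    return host if SAFE_HOST_RE.match(host) else "unparsed"

def split_messages(src_path, out_dir, prefix="messages."):
    """Append each line to out_dir/<prefix><host>; return per-host counts."""
    counts, handles = {}, {}
    try:
        # latin-1 maps every byte to one character, so odd bytes survive.
        with open(src_path, encoding="latin-1") as src:
            for line in src:
                key = host_key(line)
                if key not in handles:
                    path = os.path.join(out_dir, prefix + key)
                    handles[key] = open(path, "a", encoding="latin-1")
                handles[key].write(line)
                counts[key] = counts.get(key, 0) + 1
    finally:
        for fh in handles.values():
            fh.close()
    return counts

# Constructed sample input, not taken from the thread.
SAMPLE = (
    "May  8 04:00:01 Host2 unix: NOTICE: constructed sample line\n"
    "May  8 04:00:02 Host3 sendmail[101]: constructed sample line\n"
    "May  8 04:00:03 ../../etc/x su: constructed hostile host field\n"
    "May  8 04:00:04 Host2 inetd[77]: constructed sample line\n"
)

def demo():
    """Split SAMPLE inside a temp directory; return counts and file names."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "messages")
        with open(src, "w") as f:
            f.write(SAMPLE)
        return split_messages(src, d), sorted(os.listdir(d))

if __name__ == "__main__":
    print(demo())
```

Lines that do not match the layout, or whose host field fails the pattern, are kept in `messages.unparsed` rather than dropped, so nothing is lost from the record.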



 
 
 


Post by Gregory A. Sha » Wed, 12 May 1999 04:00:00



> QUESTION:
> Is it possible to have one type of error messages from multiple machines
> write to several different files on one loghost? I'm sure I'm not the first
> sysadmin not to want error messages from different machines mixed up in one
> /var/adm/messages file.
> SETUP:
> Currently I have several machines ( HostX ) successfully sending their
> "/var/adm/messages" to one loghost (let's call Host1).
> On HostX's /etc/syslog.conf, I have:

> On Host1, /etc/syslog.conf is unchanged:
> *.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
> I tried to do the following on HostX:
> *.err;kern.debug;daemon.notice;mail.crit        ifdef(`LOGHOST',

> ...but all error messages still end up in "/var/adm/messages" on Host1.
> Is the problem with the line on Host1 that might be steering ALL error
> messages to "/var/adm/messages"?
> This is really what I want to see on Host1:
> /var/adm/messages
> /var/adm/messages.Host1
> /var/adm/messages.Host2
> /var/adm/messages.Host3
> ...
> ,etc, etc...
> If syslogd or some other system facility cannot divide the messages file, I
> will write a script to do this for me.
> Brendan


I believe you're looking at it the wrong way.  You can specify multiple
entries in the syslog.conf file.  For instance:


and another:


Within the same file should log to both.  Note that the number of files in the
syslogd on Solaris is generally 21 for some REALLY strange reason.

On my central log server, I have all of the logs broken out into their
respective logs, and, a single log with just the stuff I'm interested in.
Both get a copy of their appropriate information.

YMMV.

--
Greg.

Greg Shaw                              Phone: (303) 673-8273
Storage Technology Corp.               Fax:   (303) 673-2733


"When Microsoft writes an application for Linux, I've Won."
                                        - Linus Torvalds
PGP Fingerprint: F5 9B 8E 1A 9E 21 BA CF  9C D8 F3 7A 17 47 C9 A1