Bug 435834 - More information required on syslog tuning
More information required on syslog tuning
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: Realtime_Tuning_Guide (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Jon Masters
Jeff Needle
: Documentation
Depends On:
  Show dependency treegraph
Reported: 2008-03-03 22:36 EST by Lana Brindley
Modified: 2013-10-23 19:06 EDT (History)
1 user (show)

See Also:
Fixed In Version: 1.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-04-02 21:15:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Lana Brindley 2008-03-03 22:36:50 EST
Description of problem:
As per the "TBD" on the syslog tuning HOWTO:

"TBD - need to add in specifics"

I have written this so far:

<title><command>syslog</command> tuning tips</title>
    <command>syslog</command> forwards log messages from any number 
    of programs over a network. The less often this occurs, the larger 
    the pending transaction is likely to be. If the transaction very 
    is large it can cause an I/O spike. It is recommended to that the 
    interval is kept reasonably small to prevent this occurring.

Assigning to Clark as I don't know who wrote this section of the HOWTO.

Comment 1 Clark Williams 2008-03-11 15:27:39 EDT
I'm going to hand this off to Jon. The main thing I think that needs to happen
here is clarifying the case of syslog going to a local disk versus syslog going
across a network, and when in the later case, how to tune that traffic.

Comment 2 Lana Brindley 2008-03-25 20:22:27 EDT
26 March 2008 11am (AEST)

<Lana> jcm: ping
<jcm> Lana: pong
<Lana> jcm: any progress on https://bugzilla.redhat.com/show_bug.cgi?id=435834
<Lana> ?
<jcm> Lana: thanks for reminding me.
<Lana> np
<jcm> Lana: I'll add some doc hints to the BZ
<Lana> excellent
<Lana> eta?
<jcm> Lana: let's say before the end of the week, hopefully Thu.
<Lana> ok - great ... thanks jcm :)
<jcm> :)
Comment 3 Jon Masters 2008-04-01 14:07:02 EDT
The syslog system logging daemon is used to collate messages from programs
running on Linux systems. It also collates information reported by the Linux
kernel itself, broadcast via the klogd kernel logging daemon. On a typical Linux
system, syslog will send its logs to a local log file, but it can also
(optionally) be configured to log over a network, to a remote logging server.

To enable remote logging, the remote logging server must first be configured to
receive log messages. Red Hat's version of syslogd will use configuration
settings defined in /etc/sysconfig/syslog, as well as the syslog config file, in
order to determine whether or not to enable remote logging support. Add a "-r"
to the default SYSLOGD_OPTIONS variable in /etc/sysconfig/syslog. For example:

Comment 4 Jon Masters 2008-04-01 14:13:11 EDT
Once remote logging support has been enabled on the remote logging server, each
system that will send logs to it must be configured to send its syslog output to
the logging server, rather than writing those logs to the local filesystem. To
do this, edit the /etc/syslog.conf file on each client system. For each of the
various logging rules defined in that file, you can replace the local log file
with a remote logging server (@remote.logging.server). For example:

# Log all kernel messages to remote logging host.
kern.*     @my.remote.logging.server

will cause the client system to log all kernel messages generated to the defined
remote logging host.
Comment 5 Jon Masters 2008-04-01 14:22:02 EDT
It is possible to configure syslogd to log all locally generated system
messages, by replacing the "kern.*" in the previous example with a "*.*" wildcard:

# Log all messages to a remote logging server:
*.*     @my.remote.logging.server

Extreme care should be taken in so doing, however, because the quantity of
resulting network traffic generated could be quite considerable. Worse,
excessive network traffic generated via syslogging can introduce unacceptable
latencies into the system. The syslogging daemon communicates using the same
network connection used for applications traffic. Although the syslog daemon
uses a lightweight UDP protocol (and only opens a network socket when needed),
large quantities of logging traffic well adversely affect performance.

Note that the syslogging daemon does not include built-in rate limiting on its
generated network traffic. Therefore, Red Hat recommends that remote logging on
MRG systems be confined to only those messages that are required to be remotely
logged by your organization. For example, kernel warnings, authentication
requests, and the like. Other messages should be locally logged instead.
Comment 6 Lana Brindley 2008-04-02 21:15:32 EDT
Added info. Thanks Jon! LKB

Note You need to log in before you can comment on or make changes to this bug.