Description of problem:

As per the "TBD" on the syslog tuning HOWTO: "TBD - need to add in specifics"

I have written this so far:

<title><command>syslog</command> tuning tips</title>
<para>
<command>syslog</command> forwards log messages from any number of programs over a network. The less often this occurs, the larger the pending transaction is likely to be. If the transaction is very large it can cause an I/O spike. It is recommended that the interval is kept reasonably small to prevent this occurring.
</para>

Assigning to Clark as I don't know who wrote this section of the HOWTO.

LKB
I'm going to hand this off to Jon. The main thing I think that needs to happen here is clarifying the case of syslog going to a local disk versus syslog going across a network, and when in the latter case, how to tune that traffic.

Clark
26 March 2008 11am (AEST)

<Lana> jcm: ping
<jcm> Lana: pong
<Lana> jcm: any progress on https://bugzilla.redhat.com/show_bug.cgi?id=435834
<Lana> ?
<jcm> Lana: thanks for reminding me.
<Lana> np
<jcm> Lana: I'll add some doc hints to the BZ
<Lana> excellent
<Lana> eta?
<jcm> Lana: let's say before the end of the week, hopefully Thu.
<Lana> ok - great ... thanks jcm :)
<jcm> :)
The syslog system logging daemon is used to collate messages from programs running on Linux systems. It also collates information reported by the Linux kernel itself, broadcast via the klogd kernel logging daemon. On a typical Linux system, syslog will send its logs to a local log file, but it can also (optionally) be configured to log over a network, to a remote logging server.

To enable remote logging, the remote logging server must first be configured to receive log messages. Red Hat's version of syslogd will use configuration settings defined in /etc/sysconfig/syslog, as well as the syslog config file, in order to determine whether or not to enable remote logging support. Add a "-r" to the default SYSLOGD_OPTIONS variable in /etc/sysconfig/syslog. For example:

    SYSLOGD_OPTIONS="-m 0 -r"
Once remote logging support has been enabled on the remote logging server, each system that will send logs to it must be configured to send its syslog output to the logging server, rather than writing those logs to the local filesystem. To do this, edit the /etc/syslog.conf file on each client system. For each of the various logging rules defined in that file, you can replace the local log file with a remote logging server (@remote.logging.server). For example:

    # Log all kernel messages to remote logging host.
    kern.*     @my.remote.logging.server

will cause the client system to log all kernel messages generated to the defined remote logging host.
It is possible to configure syslogd to log all locally generated system messages, by replacing the "kern.*" in the previous example with a "*.*" wildcard:

    # Log all messages to a remote logging server:
    *.*     @my.remote.logging.server

Extreme care should be taken in so doing, however, because the quantity of resulting network traffic generated could be quite considerable. Worse, excessive network traffic generated via syslogging can introduce unacceptable latencies into the system. The syslogging daemon communicates using the same network connection used for applications traffic. Although the syslog daemon uses a lightweight UDP protocol (and only opens a network socket when needed), large quantities of logging traffic will adversely affect performance.

Note that the syslogging daemon does not include built-in rate limiting on its generated network traffic. Therefore, Red Hat recommends that remote logging on MRG systems be confined to only those messages that are required to be remotely logged by your organization. For example, kernel warnings, authentication requests, and the like. Other messages should be locally logged instead.
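One way to check a client's /etc/syslog.conf against the recommendation above, as an added example that is not part of the original comment or of any Red Hat tool: it lists every rule that forwards to a remote host and labels how broad its selector is. The sample config, the function names and the three labels are assumptions made for illustration.

```python
# Constructed sample /etc/syslog.conf; only the host name comes from the comment above.
SAMPLE = """\
# Constructed sample, not from the original page
*.info;mail.none;authpriv.none  /var/log/messages
authpriv.*                      /var/log/secure
kern.warning                    @my.remote.logging.server
authpriv.*                      @my.remote.logging.server
*.*                             @my.remote.logging.server
"""

def classify(selector):
    """Label one selector field: 'all-facilities', 'all-priorities' or 'scoped'."""
    verdict = "scoped"
    for pair in selector.split(";"):
        facilities, _, priority = pair.partition(".")
        priority = priority.lstrip("=!")
        if priority == "none":
            continue  # an exclusion such as mail.none forwards nothing by itself
        if "*" in facilities.split(","):
            return "all-facilities"  # e.g. *.* or *.info: every program's messages
        if priority == "*":
            verdict = "all-priorities"  # e.g. kern.*: one facility, every priority
    return verdict

def audit(conf_text):
    """Return (line number, selector, host, label) for each rule whose action is @host."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # selector, then action (tabs or spaces)
        if len(parts) == 2 and parts[1].startswith("@"):
            host = parts[1][1:].strip()
            findings.append((lineno, parts[0], host, classify(parts[0])))
    return findings

if __name__ == "__main__":
    for lineno, selector, host, label in audit(SAMPLE):
        print(f"line {lineno}: {selector} -> {host} [{label}]")
```

Rules labelled all-facilities are the "*.*" case the comment warns about; the other remote rules are listed so they can be compared with what your organization actually requires to be logged remotely.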
Added info. Thanks Jon!

LKB