Red Hat Bugzilla – Bug 435834
More information required on syslog tuning
Last modified: 2013-10-23 19:06:58 EDT
Description of problem:
As per the "TBD" on the syslog tuning HOWTO:
"TBD - need to add in specifics"
I have written this so far:
<title><command>syslog</command> tuning tips</title>
<command>syslog</command> forwards log messages from any number
of programs over a network. The less often this occurs, the larger
the pending transaction is likely to be. If the transaction is
very large it can cause an I/O spike. It is recommended that the
interval is kept reasonably small to prevent this occurring.
Assigning to Clark as I don't know who wrote this section of the HOWTO.
I'm going to hand this off to Jon. The main thing I think that needs to happen
here is clarifying the case of syslog going to a local disk versus syslog going
across a network, and when in the latter case, how to tune that traffic.
26 March 2008 11am (AEST)
<Lana> jcm: ping
<jcm> Lana: pong
<Lana> jcm: any progress on https://bugzilla.redhat.com/show_bug.cgi?id=435834
<jcm> Lana: thanks for reminding me.
<jcm> Lana: I'll add some doc hints to the BZ
<jcm> Lana: let's say before the end of the week, hopefully Thu.
<Lana> ok - great ... thanks jcm :)
The syslog system logging daemon is used to collate messages from programs
running on Linux systems. It also collates information reported by the Linux
kernel itself, broadcast via the klogd kernel logging daemon. On a typical Linux
system, syslog will send its logs to a local log file, but it can also
(optionally) be configured to log over a network, to a remote logging server.
To enable remote logging, the remote logging server must first be configured to
receive log messages. Red Hat's version of syslogd will use configuration
settings defined in /etc/sysconfig/syslog, as well as the syslog config file, in
order to determine whether or not to enable remote logging support. Add a "-r"
to the default SYSLOGD_OPTIONS variable in /etc/sysconfig/syslog. For example:
SYSLOGD_OPTIONS="-m 0 -r"
Once remote logging support has been enabled on the remote logging server, each
system that will send logs to it must be configured to send its syslog output to
the logging server, rather than writing those logs to the local filesystem. To
do this, edit the /etc/syslog.conf file on each client system. For each of the
various logging rules defined in that file, you can replace the local log file
with a remote logging server (@remote.logging.server). For example:
# Log all kernel messages to remote logging host.
will cause the client system to log all kernel messages generated to the defined
remote logging host.
It is possible to configure syslogd to log all locally generated system
messages, by replacing the "kern.*" in the previous example with a "*.*" wildcard:
# Log all messages to a remote logging server:
Extreme care should be taken in so doing, however, because the quantity of
resulting network traffic generated could be quite considerable. Worse,
excessive network traffic generated via syslogging can introduce unacceptable
latencies into the system. The syslogging daemon communicates using the same
network connection used for applications traffic. Although the syslog daemon
uses a lightweight UDP protocol (and only opens a network socket when needed),
large quantities of logging traffic will adversely affect performance.
Note that the syslogging daemon does not include built-in rate limiting on its
generated network traffic. Therefore, Red Hat recommends that remote logging on
MRG systems be confined to only those messages that are required to be remotely
logged by your organization. For example, kernel warnings, authentication
requests, and the like. Other messages should be locally logged instead.
Added info. Thanks Jon! LKB