[ale] [Fwd: Advertising on ale.org] - OT MS vs Apple vs Linux/UNIX

Alex Carver agcarver+ale at acarver.net
Fri Sep 11 13:11:40 EDT 2015


On 2015-09-11 10:01, Chris Fowler wrote:
>> From: "Alex Carver" <agcarver+ale at acarver.net>
>> To: ale at ale.org
>> Sent: Friday, September 11, 2015 12:39:28 PM
>> Subject: Re: [ale] [Fwd: Advertising on ale.org] - OT MS vs Apple vs Linux/UNIX
> 
>> 1. Keep nothing locally (Storage=none) and run a second daemon
>> (rsyslogd, syslog-ng) alongside journald to process everything as I do
> 
> I think syslog-ng is one of the best logging solutions. On my device I've used rsyslogd and the syslog in Busybox. For the past 5 years I've been using syslog-ng.
> 
> Once I really learned how to configure it I modified my daemons that were logging to their own files to then log to syslog-ng. I then used regex in the config to duplicate those syslog messages to specific files for each daemon. This allows me to quickly see what is going on in the software while maintaining syslog compatibility. 
> 
> syslog-ng also routes inbound messages (from remote devices) by source IP. Those are stored in their own files as well. Software watches those messages and can look for 100s of regex matches on that stream. Any match creates a trouble ticket and deploys a technician to the location.

Syslog-ng is great for exactly that reason: its filtering powers.  I've
got dozens of customized rules breaking down all the log data that flows
in from multiple systems and hardware devices that support remote
logging (like my modem).  I've got multitail running in an xterm on one
of my monitors reading all those logs constantly so I can always eyeball
anything going on.

I typically use rsyslogd on a source machine because I don't need the
massive rules engine; I just filter on a couple of things (like daemon.*,
auth.*, kern.*) and send those to local or remote as needed.
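A syslog-ng configuration, added here as an illustration and not taken from either poster, that wires up the routing both messages describe: local daemon lines matched by program name and duplicated into per-daemon files, inbound remote messages split into one file per source IP, and a content regex on the remote stream handed to a ticketing script. The host names, addresses, file paths and the open-ticket script are assumptions.

```conf
@version: 3.5
# Assumed example config: hosts, addresses, paths and the ticket
# script are placeholders, not values from the mailing-list thread.

source s_local  { system(); internal(); };
# Accept remote syslog over UDP from devices such as a modem.
source s_remote { network(ip("0.0.0.0") port(514) transport("udp")); };

# --- filters ---------------------------------------------------------
# program() matches the sending program name with a regular expression.
filter f_mydaemon { program("^mydaemon$"); };
filter f_auth     { facility(auth, authpriv); };
filter f_kern     { facility(kern); };
# netmask() compares the sender's source IP against a CIDR range.
filter f_modem    { netmask("192.0.2.10/32"); };
# One of the many content patterns that should raise a ticket.
filter f_trouble  { match("(link down|power fail)" value("MESSAGE") type("pcre")); };

# --- destinations ----------------------------------------------------
destination d_messages { file("/var/log/messages"); };
destination d_mydaemon { file("/var/log/daemons/mydaemon.log" create-dirs(yes)); };
destination d_auth     { file("/var/log/auth.log"); };
# One file per sending device, keyed on its source address.
destination d_by_ip    { file("/var/log/remote/${SOURCEIP}.log" create-dirs(yes)); };
# Pipe matching lines to an assumed ticketing script on its stdin.
destination d_ticket   { program("/usr/local/bin/open-ticket" template("${SOURCEIP} ${ISODATE} ${MESSAGE}\n")); };
# Forward selected local facilities to an assumed central collector.
destination d_central  { network("loghost.example.net" port(514) transport("tcp")); };

# --- log paths -------------------------------------------------------
# Everything local still lands in /var/log/messages ...
log { source(s_local); destination(d_messages); };
# ... and a copy of the daemon's own lines goes to its dedicated file.
log { source(s_local); filter(f_mydaemon); destination(d_mydaemon); };
log { source(s_local); filter(f_auth); destination(d_auth); destination(d_central); };
log { source(s_local); filter(f_kern); destination(d_central); };
# Remote traffic: split by sender, then watch one sender for trouble patterns.
# Several filter() statements in one log path are ANDed together.
log { source(s_remote); destination(d_by_ip); };
log { source(s_remote); filter(f_modem); filter(f_trouble); destination(d_ticket); };
```

Check the result with `syslog-ng --syntax-only -f <file>` before reloading; the program() destination keeps the script running and feeds it one line per match, so the script should read stdin in a loop.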
