[afnog] syslog levels

Geert Jan de Groot GeertJan.deGroot at xs4all.nl
Mon Aug 6 10:49:50 UTC 2007


On Mon, 6 Aug 2007 12:03:04 +0200  "grace Ingabire" wrote:
> I want to send log messages from my hosts to the central syslog server. I
> can log everything by using *.*     @ xx.xx.xx.xx this works, but I think it
> will be full of information to be of any real use.
> I have seen that we have 7 levels but want to know the important one (with
> enough details). Attached is a description of those levels.
> Can any one advise me which one to use?

Especially when using different pieces of equipment, you'll find
that different suppliers use different levels for different things
and hence I find the facility level of limited use.

What you may want to try, is to apply filters that filter out the
"known" stuff, act on it as desired, but also look at the remains
that aren't caught by your filters. This is the interesting bit:
if you've never seen a box generate 'disk error' and it now does,
then that probably has a reason you want to know about.

In systems like this, I find it invaluable to also store, unfiltered,
the logging locally; sometimes a 'weird' message that leaks through
the system can be better understood if the other messages around
that time are also available to make a context.

If you want to filter using the facility system, then the default
settings of the old syslog.conf may be a good start.

You should also decide what you want to do with the logging.
Do you want to use it as an alerting mechanism? Store to investigate
incidents afterwards? Early-warning for hardware events?
Analysis for trend monitoring or accounting?

Don't forget to synchronize (NTP) your systems so you can correlate
messages resulting from transactions between different systems
in your network.

Geert Jan
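The "filter out the known stuff, act on it, and look at what remains" approach described above, as an added Python example that is not part of the original post. The known-message patterns, action names and sample log lines are constructed for the example; facility and severity are decoded from the standard syslog PRI value (facility * 8 + severity).

```python
import re

# A BSD/RFC 3164 syslog line as received over UDP: "<PRI>Mon DD HH:MM:SS host message"
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse(line):
    """Return facility, severity, host, msg and the raw line, or None if not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": SEVERITIES[pri % 8],
            "host": m.group("host"), "msg": m.group("msg"), "raw": line}

# "Known" patterns (constructed) and the action each one gets. Order matters: first match wins.
KNOWN = [
    (re.compile(r"sshd\[\d+\]: Accepted publickey for \w+ from"), "count_logins"),
    (re.compile(r"CRON\[\d+\]: \(root\) CMD"), "ignore"),
    (re.compile(r"%LINK-3-UPDOWN:"), "ticket_interface_flap"),
]

def triage(lines):
    """Apply the known-pattern filters; everything else is the remainder worth a human's eye.

    Returns (actions, remainder): a count per action name, and the unmatched records.
    Unparsable lines are kept in the remainder too, since they are themselves unusual.
    """
    actions = {}
    remainder = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            remainder.append(line)
            continue
        for pat, action in KNOWN:
            if pat.search(rec["msg"]):
                actions[action] = actions.get(action, 0) + 1
                break
        else:
            remainder.append(rec)   # never seen a filter for this: look at it
    return actions, remainder

# Constructed sample input: two hosts, one router, one line that is not syslog at all.
SAMPLE = [
    "<38>Aug  6 10:12:01 host1 sshd[2312]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2",
    "<78>Aug  6 10:15:01 host1 CRON[2340]: (root) CMD (run-parts /etc/cron.hourly)",
    "<3>Aug  6 10:16:44 host2 kernel: sd 0:0:0:0: [sda] disk error, sector 1234",
    "<11>Aug  6 10:17:02 rtr1 123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "garbage that is not syslog",
]
```

The remainder is what you would read or alert on; the raw line is kept in each record so the unfiltered stream can still be archived locally for context.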
