Craig, I'm going to second this, even though I don't work at an ISP (however, I do work with large amounts of syslog data).

If you want to keep things organized, it's better to keep the syslog files organized by service. When you've got data coming from a large number of servers, you want to:

1. Separate by service (ftp, ssh, mail, auth, etc.).
2. Use any external processing systems sparingly, and test them heavily for performance.
3. Have your scripts separate the machines, if needed, by machine name. Have them process syslog data after it's received.

I'm using that setup and approach to handle data from approx. 20 commercial UNIX machines and various network devices at one location, and 2 OpenBSD 3.8 boxes and a Windows Server 2003 machine at another. It works very well.

Take care,
Mitch

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Craig Skinner
Sent: Fri 2/10/2006 4:45 PM
To: [email protected]
Subject: Re: syslogd question

On Fri, Feb 10, 2006 at 10:46:02AM -0600, [EMAIL PROTECTED] wrote:
> I am setting up an openbsd box to be the catcher for a couple of AIX boxes to pitch their log files to. Using the standard syslogd, I am wondering if I can set it up so that each of the AIX boxes gets its own log file on the openbsd box. Something like /var/log/aix1.log and /var/log/aix2.log.
>
> Or, would it just be easier to throw everything into one file and use perl to split out the two logs?
>
> I did a little googling around and found one page that looked like exactly my answer but it was 404 and not in the google cache.

I work for an ISP and I think that the best way to handle this is not to separate by machine, but by service. ie: we have a farm of a dozen webservers, another dozen smtp servers, a bunch of imap servers, dns, ... When a customer needs help, say logging into one of the ftp servers, I can tail the auth logs & grep for their username. They could hit any one of the boxes at a given time, so this way is the only practical solution.

Also, if a dns zone is not being propagated, I can grep for the zone and see what all of the servers are doing, with relevant time stamps. If you need per machine, then just refine your grep.

Craig.
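One way to do the post-receipt splitting Mitch describes and the per-service grep Craig describes, as an added example that is not from this thread: a small POSIX shell/awk script that takes a combined file from the OpenBSD collector, writes one file per program (the hostname stays in every line, so you can still "refine your grep" per machine), and searches one service across all hosts or narrowed to one. The host names, programs and log lines are constructed sample data; the script assumes classic BSD syslog lines of the form "Mon DD HH:MM:SS host prog[pid]: msg".

```shell
#!/bin/sh
# Added example, not from the thread. Assumes BSD syslog line layout:
#   Feb 10 10:46:02 aix1 sshd[1234]: message...
# so $4 is the sending host and $5 is the program tag.

# Constructed sample input, as the OpenBSD collector might receive it.
make_sample() {
  cat > "$1" <<'EOF'
Feb 10 10:46:02 aix1 sshd[1234]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
Feb 10 10:46:05 aix2 sendmail[222]: q1AAk5: from=<bob@example.com>, size=1234
Feb 10 10:46:07 aix1 named[99]: zone example.com/IN: transferred serial 2006021001
Feb 10 10:46:09 aix2 sshd[1300]: Failed password for alice from 192.0.2.10 port 51240 ssh2
Feb 10 10:46:11 aix2 named[101]: zone example.com/IN: refresh: failure trying master
EOF
}

# split_by_service IN OUTDIR: appends each line to OUTDIR/<program>.log.
# The program tag comes from the remote host, so it is sanitised before
# it is used as a file name; anything odd lands in unknown.log.
split_by_service() {
  mkdir -p "$2"
  awk -v dir="$2" '
    {
      prog = $5                          # e.g. "sshd[1234]:" or "cron:"
      sub(/\[.*$/, "", prog)             # drop "[pid]:"
      sub(/:$/, "", prog)                # drop trailing ":" when there is no pid
      if (prog !~ /^[A-Za-z0-9_.-]+$/) prog = "unknown"
      f = dir "/" prog ".log"
      print >> f
      close(f)                           # many services: do not hold every file open
    }' "$1"
}

# service_grep OUTDIR SERVICE PATTERN [HOST]: search one service across
# all hosts, optionally narrowed to a single machine by the host field.
service_grep() {
  if [ -n "$4" ]; then
    grep -- "$3" "$1/$2.log" | awk -v h="$4" '$4 == h'
  else
    grep -- "$3" "$1/$2.log"
  fi
}
```

Run it as `make_sample all.log; split_by_service all.log out; service_grep out sshd alice aix2` to see the per-host refinement.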

