[TriLUG] To syslog or not syslog

Steve Litt slitt at troubleshooters.com
Sat Jan 1 12:20:44 EST 2005


On Saturday 01 January 2005 02:39 am, Master Shake wrote:
> Fellow trilugers,
> Many programs (such as BIND) have the option of logging information
> either by syslog, or by bypassing syslog and writing directly to a
> file. What are the advantages of each approach? As I see it, logging
> through syslog has the following advantages:
>
> A) Syslog (or similar utility) provides a central point of control.
> B) Logging through syslog allows one to take specific action at given
> thresholds or urgency (IE emailing admin at foo.com on receipt of an
> alert or emerg).
> C) One can send logs to a remote server.
>
> Logging directly to a file has the following advantages:
>
> A) Simplified configuration
> B) More specific log files without external configuration (IE using
> syslog-ng's match to separate iptables logs from web server logs)
>
> That's my quick and dirty two cents. What are everyone's experiences with
> the issue?


I'd never thought about this before, but let me posit an answer from the 
perspective of a troubleshooting process trainer...

From a troubleshooting standpoint, a major benefit of a log is the ability to 
view a symptom in its total environment. This is ESPECIALLY true on symptoms 
that appear intermittent, or even appear as a single event. You know, the 
toughest problems. Using log(s), you can answer questions like:

What else happened around that time?
What events preceded the symptom?
What events followed the symptom?
What is the exact description of the symptom?
What is common about each occurrence of the symptom?

It would seem to me that this kind of exploration would be easiest with a 
central log. Of course, there would be a lot of extraneous (to the symptom) 
information in a central log, but that's what grep is for.

DISCLAIMER: This email is based on 2 minutes of thought. I reserve the right 
to change my mind.

SteveT
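
The questions in the reply above (what preceded, followed, and coincided with a symptom) can be sketched in code. This is an added example, not part of the original post: the log lines are constructed, the function names are hypothetical, and the year is an assumption because traditional syslog timestamps omit it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in traditional syslog format (no year field).
NAMED_LOG = """\
Jan  1 02:38:50 ns1 named[812]: zone example.test/IN: loaded serial 2005010101
Jan  1 02:39:07 ns1 named[812]: client 192.0.2.10#4021: update denied
Jan  1 03:15:00 ns1 named[812]: zone example.test/IN: sending notifies
"""
KERNEL_LOG = """\
Jan  1 02:39:01 ns1 kernel: eth0: link down
Jan  1 02:39:05 ns1 kernel: eth0: link up, 100Mbps
"""
AUTH_LOG = """\
Jan  1 02:10:12 ns1 sshd[4410]: Accepted publickey for admin from 192.0.2.7
Jan  1 02:39:03 ns1 sshd[4410]: session closed for user admin
"""

# timestamp, host, program, optional [pid], message
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")

def parse(text, year=2005):
    """Parse syslog lines into (timestamp, program, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in syslog format
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(3), m.group(4)))
    return events

def context(sources, symptom, window_s=10):
    """Merge sources by time; return events within window_s of a symptom match."""
    merged = sorted(e for src in sources for e in parse(src))
    pat = re.compile(symptom)
    hits = [ts for ts, _, msg in merged if pat.search(msg)]
    delta = timedelta(seconds=window_s)
    return [e for e in merged if any(abs(e[0] - h) <= delta for h in hits)]

if __name__ == "__main__":
    sources = [NAMED_LOG, KERNEL_LOG, AUTH_LOG]
    for ts, prog, msg in context(sources, r"update denied"):
        print(ts.time(), prog, msg)
```

Passing only `NAMED_LOG` returns the symptom line by itself; the merged view also shows the link flap and the closed session in the seconds before it.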


