[TriLUG] To syslog or not syslog

skippy1 at hickorytech.net
Sat Jan 1 15:34:08 EST 2005


> Many programs (such as BIND) have the option of logging information
> either by syslog, or by bypassing syslog and writing directly to a file.
> What are the advantages of each approach? As I see it, logging through
> syslog has the following advantages:
>
> A) Syslog (or similar utility) provides a central point of control.
> B) Logging through syslog allows one to take specific action at given
> thresholds or urgency (IE emailing admin at foo.com on receipt of an
> alert or emerg).
> C) One can send logs to a remote server.
>
> Logging directly to a file has the following advantages:
>
> A) Simplified configuration
> B) More specific log files without external configuration (IE using
> syslog-ng's match to separate iptables logs from web server logs)

Everyone else has covered the advantages of syslog's remote logging, so
I'll give it a miss except to note that syslog's remote logging
capabilities are traditionally UDP-based, which makes it trivially
spoofable. Depending on the situation, that may or may not be a
consideration, but you should keep it in mind.

As for local syslog, its real advantage to me is in log rolling. If your
log roll scheme creates new files at each roll, any program that has the
log(s) open needs to be notified, usually by a restart or SIGHUP. Some
programs that do their own logging will open the log on startup and not
close it, to save on the fopen overhead. If you're logging via syslog, it
isn't an issue.

Skippy
skippy at skippylair.net
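
The log-rolling point above, as an added example that is not part of the original post: a writer that keeps its log open keeps writing to the rolled file until it reopens by name. The `ReopeningLog` class, the `demo` function and the `app.log` path are hypothetical names constructed for this illustration.

```python
import os
import tempfile


class ReopeningLog:
    """Append-only log writer that notices when its file was rolled away."""

    def __init__(self, path):
        self.path = path
        self.fh = open(path, "a")

    def rotated(self):
        # The open descriptor follows the inode, not the name. If the name now
        # points at a different inode (or at nothing), the file was rolled.
        try:
            on_disk = os.stat(self.path)
        except FileNotFoundError:
            return True
        held = os.fstat(self.fh.fileno())
        return (on_disk.st_dev, on_disk.st_ino) != (held.st_dev, held.st_ino)

    def reopen(self):
        # What a restart or a SIGHUP handler would do after a roll.
        self.fh.close()
        self.fh = open(self.path, "a")

    def write(self, line, check=True):
        if check and self.rotated():
            self.reopen()
        self.fh.write(line + "\n")
        self.fh.flush()


def demo():
    """Return (lines in the rolled file, lines in the live file) after a roll."""
    d = tempfile.mkdtemp()
    live = os.path.join(d, "app.log")       # constructed sample path
    rolled = live + ".1"
    log = ReopeningLog(live)
    log.write("before roll")
    os.rename(live, rolled)                 # the log roller moves the file aside
    open(live, "a").close()                 # ...and creates a fresh, empty one
    log.write("unnotified", check=False)    # stale handle: lands in app.log.1
    log.write("after reopen")               # inode check triggers the reopen
    log.fh.close()
    with open(rolled) as r, open(live) as l:
        return r.read().splitlines(), l.read().splitlines()
```

The "unnotified" entry ends up in the rolled file, which is the gap a reviewer of the live log would never see; a program that logs through the local syslog daemon leaves the reopen to the daemon.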
