Requirements:
Logs from the Juniper ISG1000 are recorded using syslog on an Ubuntu 8.04 server and retained for three months.
1. Allow syslog to record external logs
Modify /etc/default/syslogd and change SYSLOGD="" to SYSLOGD="-r"
2. Define external log types
Modify the Juniper ISG1000 log definition, define the generated log as local7, and send the log to the Ubuntu server.
3. Define log files
Considering the large number of log files, you can create a new firewall directory under /var/log to save log files. Directory mode: 755.
Modify /etc/syslog.conf and add the following line to it:
local7.*    -/var/log/firewall.log
Testing the recording turned up the following serious problems.
4. duplicate records
syslog records the device logs not only in firewall.log but also in /var/log/syslog and /var/log/messages. This is troublesome because of the large log size. The syslog.conf man page documents a ! operator for this. After adding a ! exclusion for local7.* to the syslog and messages definitions in syslog.conf, syslog no longer records the device logs in the syslog and messages files.
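The effect of that exclusion can be checked offline. The Python sketch below is an added example, not part of the original post: it models a simplified subset of sysklogd selector matching and lists the files a local7 message lands in before and after the change. The two syslog.conf excerpts are constructed, and the local7.!* spelling follows syslog.conf(5) as an assumption about the entry the author added.

```python
# Added example: simplified model of sysklogd selector matching, see syslog.conf(5).
PRIS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
ALL = set(range(len(PRIS)))

def selector_mask(selectors, facility):
    """Priority numbers of `facility` that one selector field logs."""
    mask = set()
    for sel in selectors.split(";"):
        facs, _, pri = sel.strip().rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        negate, pri = pri.startswith("!"), pri.lstrip("!")
        exact, pri = pri.startswith("="), pri.lstrip("=")
        if pri == "none":            # facility.none drops the facility
            mask = set()
            continue
        if pri == "*":
            chosen = ALL
        else:                        # plain priority means "this and more severe"
            n = PRIS.index(ALIASES.get(pri, pri))
            chosen = {n} if exact else set(range(n + 1))
        mask = mask - chosen if negate else mask | chosen
    return mask

def destinations(conf, facility, priority):
    """Files that receive a facility.priority message under `conf`."""
    n, out = PRIS.index(priority), []
    for line in conf.strip().splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        selectors, action = line.split(None, 1)
        if n in selector_mask(selectors, facility):
            out.append(action.lstrip("-"))   # leading "-" only disables sync
    return out

# Constructed syslog.conf excerpts (assumed layout, not copied from the server).
RULES = """
local7.*                                  -/var/log/firewall.log
*.*;auth,authpriv.none{x}                 -/var/log/syslog
*.=info;*.=notice;*.=warn;auth,authpriv.none;cron,daemon.none{x}  -/var/log/messages
"""
BEFORE = RULES.replace("{x}", "")
AFTER = RULES.replace("{x}", ";local7.!*")   # assumed spelling of the ! exclusion

if __name__ == "__main__":
    print("before:", destinations(BEFORE, "local7", "info"))
    print("after: ", destinations(AFTER, "local7", "info"))
```

Running the same check for another facility, such as cron, confirms that the exclusion does not change where the server's own messages go.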
5. File size issues
A syslog log file cannot exceed 2.5 GB. Once that size is exceeded, logging to the file stops. The ISG1000 logs reach this size in about four hours, so log rotation must be set. Create a firewall log rotation control file in /etc/logrotate.d. The file is named firewall, its mode is 644, and its contents are as follows:
/var/log/firewall.log {
    start 1000
    rotate 512
    maxage 100
    size 1500M
    compress
    delaycompress
    missingok
    postrotate
        /usr/bin/killall -HUP syslogd
    endscript
}
The above content is briefly explained:
Because log files need to be saved for three months and an average of five log files are generated every day, you can set a maximum of 512 log files to be retained for 100 days.
The file suffix number starts from 1000, which sorts better than starting from 1.
Rotate when the file size exceeds 1500 MB.
To reduce storage space usage, log files need to be compressed after rotation. They are not compressed immediately, but at the next rotation, to prevent syslog data loss while data is still being written to the current file.
After the above settings I thought we were done, but after using it for a few days I found that there were still problems.