Managing Systems and Workgroups: A Guide for HP-UX System Administrators

Configuring a System
Using Distributed Systems Administration Utilities
Chapter 3 187
Forwarded to remote systems. For more information, see the “Log Consolidation Overview” on page 187.
See the syslogd (1M) manpage for additional information on configuring message filters.
Log Consolidation Overview
Log forwarding is a feature of the standard UNIX syslogd. In addition to logging messages to the local host's log files, syslogd can forward log messages to one or more remote systems. These systems are referred to as log sinks or log consolidation servers.
Log consolidation offers benefits such as the following:
• Easier log file analysis - The centralized log provides a single location for the administrator to perform log file analysis. It offers a single view of events that impact multiple systems.
• Increased security - A security breach might compromise the local logs but not the centralized copy. The log consolidation system can be hardened in ways that are likely to be inappropriate for log forwarding clients.
• Simplified archiving of logs - It is sometimes simpler to archive a set of centralized logs versus per-system logs.
There are several disadvantages of using the standard syslogd on a log consolidation server:
• syslogd supports forwarding using UDP only. The User Datagram Protocol (UDP) is a "connectionless" protocol and does not offer flow control or guaranteed delivery of messages. As such, it is possible for forwarded log messages to be lost.
• The filtering features of syslogd are quite simple: you can filter only on a message’s facility and priority.
• A log consolidation system represents a single point of failure. If the system is unavailable, the messages forwarded from clients are lost. Note that the messages still exist on the individual client systems. They are lost only from the consolidated log.
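The following is an added example, not code from the HP-UX manual: a small Python model of the facility/priority selector matching that decides which messages syslogd forwards to a log sink (an `@host` action). It assumes the classic syslog.conf subset (`facility.level` means that level and every more severe one, `*` is a facility wildcard, `none` excludes a facility, `;` separates selectors) and uses a constructed configuration with the hypothetical sink `logsink.example.com`.

```python
"""Model of syslog.conf selector matching for forwarding to a log sink.
Assumed subset: 'facility.level' selects that level and every more severe
level, '*' is a facility wildcard, 'none' excludes a facility, ';' separates
selectors, and an action starting with '@' forwards to that host over UDP.
"""
# Priorities ordered from most to least severe (index 0 = emerg).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_conf(text):
    """Return a list of (selectors, action) pairs from syslog.conf text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        parsed = [tuple(sel.split(".", 1)) for sel in selectors.split(";")]
        rules.append((parsed, action.strip()))
    return rules

def selector_matches(selectors, facility, priority):
    """Apply selectors left to right; a later 'none' overrides an earlier match."""
    matched = False
    for fac, level in selectors:
        if fac != "*" and fac != facility:
            continue
        if level == "none":
            matched = False
        elif PRIORITIES.index(priority) <= PRIORITIES.index(level):
            matched = True
    return matched

def forwarded_to(rules, facility, priority):
    """Return the set of remote hosts (@host actions) that receive the message."""
    return {action[1:] for selectors, action in rules
            if action.startswith("@") and selector_matches(selectors, facility, priority)}

# Constructed configuration and messages for illustration only (not from the manual).
SAMPLE_CONF = """
*.info;mail.none;auth.none\t/var/adm/syslog/syslog.log
*.warning;auth.info;mail.none\t@logsink.example.com
"""
SAMPLE_MESSAGES = [("auth", "info"), ("kern", "err"), ("mail", "crit"), ("daemon", "notice")]

def forwarding_report(conf=SAMPLE_CONF, messages=SAMPLE_MESSAGES):
    """Map each (facility, priority) message to the sorted list of sinks it reaches."""
    rules = parse_conf(conf)
    return {msg: sorted(forwarded_to(rules, *msg)) for msg in messages}
```

Because the only filtering dimensions are facility and priority, a message such as `mail.crit` is dropped from the sink entirely once `mail.none` appears in the forwarding selector; anything finer than that has to be done on the consolidation server itself.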