[syslog-ng]log archiving
David Douthitt
ssrat@mailbag.com
Mon, 06 Aug 2001 14:16:10 -0400
Nate Campi wrote:
> I had been archiving logs for about 70 hosts using syslog-ng for the last
> year, and recently we discovered that our ssh gateway had been rooted. I
> archived the logs by host like this:
>
> destination hosts {
> file("/var/log/HOSTS/$HOST/$FACILITY/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY"
> owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
>
> log { source(src); destination(hosts); };
>
> It's easy to use find and grep for finding pertinent log messages
> relating to events, but I found that since I was only logging into
> directories by host, I couldn't easily search ALL logs on a certain
> date. I could write up scripts to look for certain dates in filenames
> but that's not as fast and efficient as just searching a directory
> with logs from all hosts on just that day.
Search all logs on a certain date:
grep "Searching..." /var/log/HOSTS/*/*/2001/08/04/*
...to search through logs for August 4, 2001.
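As an added example (not from either message in this thread), a POSIX shell script that builds a small constructed copy of the per-host tree Nate's destination writes and then searches one day across every host and facility; LOGROOT, make_sample_tree, search_day and count_day_matches are names I made up. Against the real /var/log/HOSTS it has to run as root, since the files are created with perm(0600).

```shell
#!/bin/sh
# Added example, not code from the original thread. Mirrors the layout of
# Nate's destination: $LOGROOT/$HOST/$FACILITY/$YEAR/$MONTH/$DAY/$FACILITY$YEAR$MONTH$DAY
# LOGROOT defaults to a scratch directory so the script runs offline; set
# LOGROOT=/var/log/HOSTS (as root) to search the real archive.
LOGROOT="${LOGROOT:-$(mktemp -d)}"

# Build a constructed sample tree: two hosts, auth + daemon, two days.
make_sample_tree() {
    for host in gw1 web2; do
        a="$LOGROOT/$host/auth/2001/08/04"
        d4="$LOGROOT/$host/daemon/2001/08/04"
        d5="$LOGROOT/$host/daemon/2001/08/05"
        mkdir -p "$a" "$d4" "$d5"
        # constructed log lines, in the classic syslog layout
        printf '%s\n' "Aug  4 03:12:01 $host sshd[123]: Accepted password for root from 10.0.0.9" > "$a/auth20010804"
        printf '%s\n' "Aug  4 03:15:00 $host cron[77]: (root) CMD (run-parts /etc/cron.hourly)" > "$d4/daemon20010804"
        printf '%s\n' "Aug  5 01:00:00 $host cron[77]: (root) CMD (run-parts /etc/cron.daily)" > "$d5/daemon20010805"
    done
}

# search_day YYYY-MM-DD PATTERN
# Greps PATTERN in every host's and facility's file for that day and prints
# matches prefixed with the file path (which carries host and facility).
# Returns 0 if at least one line matched, 1 otherwise.
search_day() {
    day="$1"; pattern="$2"
    y="${day%%-*}"; rest="${day#*-}"
    m="${rest%%-*}"; d="${rest#*-}"
    found=1
    for f in "$LOGROOT"/*/*/"$y"/"$m"/"$d"/*; do
        [ -f "$f" ] || continue          # skip the unexpanded glob when nothing exists
        grep -H -- "$pattern" "$f" && found=0
    done
    return $found
}

# count_day_matches YYYY-MM-DD PATTERN: number of matching lines across all hosts.
count_day_matches() {
    search_day "$1" "$2" | wc -l | tr -d ' '
}
```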