Firewall Wizards mailing list archives

RE: centralised log server


From: "Desai, Ashish" <Ashish.Desai () fmr com>
Date: Mon, 6 Dec 1999 10:33:31 -0500

We just copy them to a central server (after compressing them) via SSH.
I don't know how we deal with the NT stuff as that depends on the
applications.
For NT it's very hard to do central collections of the NT events, and
the event codes are stored in the program DLLs. However, there are tools
that can take NT events and convert them and forward them to a syslog
server.

The trick is to properly define a directory structure that can scale up.
We normally make a subdirectory for every virtual web server or service
and then in there store files named as YYYYMMDD.gz. This allows us to
write shell scripts that can parse through different log files based on
time.
Remember not to store more than 1000 files per directory as you get
performance issues in directory lookups.

Ashish

-----Original Message-----
From: Shaun Moran [SMTP:Shaun () TheMorans Com]
Sent: Saturday, December 04, 1999 10:51 AM
To:   firewall-wizards () nfr net
Subject:      centralised log server

Hi,

What products are people using to keep their log files central ???

Scenario is - multiple products that keep log files locally. Some products
keep multiple files in a single directory (eg: access.log, audit.log, etc
etc).

What I want is a separate server that houses all these log files and a
SECURE way to get these files to this server.

And the bad news is that there are Windows NT as well as Unix systems
involved.

I was hoping that there is some nice commercial log server product that
has agents (NT and/or UNIX) on the remote application server that
monitor the log files for changes and transmit them to the centralised
log server with some form of secure protocol.

Does anybody know of such a product - what are people doing to stop having
50 separate boxes with logs ???

Thanks - Shaun
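
The layout described in the reply above (one subdirectory per service, files named YYYYMMDD.gz, a cap of 1000 files per directory), as an added shell example that is not part of the original thread. The function names, service names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Layout assumed from the post: <root>/<service>/YYYYMMDD.gz

# Print the archives of one service dated between start and end, inclusive.
logs_in_range() {
    root=$1 service=$2 start=$3 end=$4
    for f in "$root/$service"/*.gz; do
        [ -f "$f" ] || continue
        day=$(basename "$f" .gz)
        case $day in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) continue ;;   # ignore anything not named YYYYMMDD.gz
        esac
        # YYYYMMDD compares numerically in calendar order
        if [ "$day" -ge "$start" ] && [ "$day" -le "$end" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Grep a date range of one service's logs, prefixing each hit with its day.
search_logs() {
    pattern=$5
    logs_in_range "$1" "$2" "$3" "$4" | while IFS= read -r f; do
        gzip -dc "$f" | grep -e "$pattern" | sed "s|^|$(basename "$f" .gz) |"
    done
}

# Print "<count> <dir>" for service directories over the limit (default 1000).
crowded_dirs() {
    root=$1 limit=${2:-1000}
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        n=$(($(ls -A "$d" | wc -l)))
        if [ "$n" -gt "$limit" ]; then printf '%s %s\n' "$n" "${d%/}"; fi
    done
}

# Constructed sample tree (hypothetical service names and log lines).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/www.example.com" "$t/smtp"
    for day in 19991203 19991204 19991205 19991206; do
        printf 'GET /index.html 200\nGET /admin 403\n' | gzip > "$t/www.example.com/$day.gz"
    done
    printf 'relay denied\n' | gzip > "$t/smtp/19991206.gz"
    printf '%s\n' "$t"
}
```

Because the file name is the date, selecting a time window needs no decompression; only the archives inside the window are opened.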


