# which log manager?

## t3rm1nal

I'm curious as to what people recommend for log managers, such as the logsentry package or logrotate. There doesn't seem to be much documentation on either, so I'm open to alternatives. What do you use / prefer based on experience?

----------

## butt3r

Hi,

I just did some research myself to set up log management for my server.

First you have to see which log managers work with which loggers.

I was using metalog, which rotates logs automatically, but I wanted to use the logwatch package, which does not work with metalog, so I went with syslog-ng.

logsentry seemed to work ok with metalog.

My setup does the following:

syslog-ng for logging

logrotate to rotate the logs every day and keep 2 months worth of compressed logs

logsentry to parse the logs daily and email me a report

logwatch to also parse the logs and send me a report (also reports disk usage)

tenchi to monitor the logs and email me immediately if certain events occur.

Also, if you're running apache2: apache2 writes its own logs, and you need to either set up logrotate to stop the server, rotate the log and restart the server.

You could also use a rotator for apache2's logs such as cronolog, which will rotate the logs without stopping the server, and also supply a symlink to the current log so your log parser can check it.

I went the cronolog route.

I am sure there are a lot of other options out there. These were the results of my research. Hope it helps.

----------

## nobspangle

For apache I use a bash script which stops the server, removes the logs that are one year old and then restarts the server. That way I always have one year of logs to look at.

----------

## adsmith

I think sysklogd is too primitive and metalog tries to think too much.  I use syslog-ng with logrotate.

----------

## t3rm1nal

adsmith -

I'm running syslog-ng and was leaning towards either logrotate or the logsentry package -- the security guide recommends the logsentry package because it has logcheck and logtail, which are run from cron and check logs against signatures for adversarial activity:

so it sounds like logsentry is more of a log analysis prog

and logrotate is more of a log archival prog

is this about right?

----------

## adsmith

yup.

I used to run logwatch a long time ago, but it just filled in my inbox.  I guess I skim through my logs pretty frequently anyway.

[edit] or, I should say, I often have them tail-ing somewhere, so I see them live

----------

## dashnu

Does anyone have a config for logrotate that will work with the Gentoo config for syslog-ng? I use the config from the Gentoo documentation.

*edit: nm, pretty easy config.

----------
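An added example, not from any post in this thread, of the logrotate config butt3r describes (daily rotation, two months of compressed logs, apache2 stopped around its own rotation) and that dashnu asks about. The log paths, the syslog-ng pid file and the init script path are assumptions for a Gentoo-style layout and should be checked against your own install:

```conf
# Added example: logrotate stanzas matching the setup described in this
# thread. Log paths, pid file and init script locations are assumptions.

# syslog-ng's files: rotate daily, keep ~2 months (60 rotations), compressed.
/var/log/messages /var/log/auth.log {
    daily
    rotate 60
    missingok
    notifempty
    compress
    # Leave the most recent rotated file uncompressed so logcheck/logtail
    # can still read yesterday's entries on their next cron run.
    delaycompress
    # Run one postrotate for the whole stanza instead of once per file.
    sharedscripts
    postrotate
        # SIGHUP makes syslog-ng reload and reopen its output files, so the
        # daemon keeps running and no messages are lost to a restart.
        /bin/kill -HUP $(cat /var/run/syslog-ng.pid 2>/dev/null) 2>/dev/null || true
    endscript
}

# apache2 writes its own logs and keeps the file descriptors open, so the
# server is stopped before rotation and started again afterwards, as
# butt3r describes (cronolog is the alternative that avoids the stop).
/var/log/apache2/access_log /var/log/apache2/error_log {
    daily
    rotate 60
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    prerotate
        /etc/init.d/apache2 stop
    endscript
    postrotate
        /etc/init.d/apache2 start
    endscript
}
```

Run `logrotate -d /etc/logrotate.conf` first: debug mode prints what would be rotated without touching any files, so you can confirm the paths before the daily cron job relies on it.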

## vladgrigorescu

*butt3r wrote:*

> tenchi to monitor the logs and email me immediately if certain events occur.

In case other people are having a hard time finding this too, that's because it should be "tenshi".

----------

