Linux does not include systems to locate and analyze critical events in a way that is easy to consume. Open source...
log management tools can help gather data and give you detailed insight into system operations.
If you run Linux, you're probably familiar with rsyslog and systemd-journald. However, if you oversee dozens of Linux servers and cloud instances, it's not realistic to dig into each individual log file. Graylog and Logcheck are two viable open source alternatives.
When you search for open source log management software, you will see that Graylog is one of the most adopted products. The program can be easily installed on common Linux distributions, including CentOS and Ubuntu, and is available as an appliance.
Starting up open source log management software
Graylog receives high scores because it is a complete application that connects to a broad spectrum of log information generation applications. In addition to Linux, it supports Windows and device logging.
Graylog is available on port 9000 of the Graylog server. To connect, open a browser on the server, go to http://localhost:9000, and enter the admin username and password you set up. This connects you to the web management interface.
At first, the web interface lists the four steps for configuration. It takes several steps to set up your log source to forward data to Graylog, but there is plenty of documentation to help you in the Graylog marketplace.
Once online, you can check messages from connected log sources. This functionality helps you monitor all the sources with one interface. For more high-level alerts, you must create an additional dashboard and specify what qualifies as a critical event.
Logcheck is a Linux-based software that summarizes log files and sends a digest email to the administrative account noted in the Logcheck configuration file. This can be a local Linux user, but it should be an external user account.
To determine a Logcheck configuration, choose from three different open source log management scenarios: workstation, server or paranoid. Server is the default option, and it monitors overall log activity. The paranoid option isn't suitable for most environments because it provides a lot of information on every log. The workstation option searches for information, such as security information, logon failures and user access.
Open source log management products are an excellent way to augment Linux data collection capabilities for extensive environments, and they offer various functionalities. Logcheck provides a simple application that sends alerts for daily activity and abnormalities. Graylog enables you to centralize management for anything that generates log files in your environment. Both of these use cases can help automate log management and help you work smarter.