<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
I see, thanks!</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
You mentioned that you want to send to Splunk. <span style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); display: inline !important;">
I don't think writing the same file on network storage is the way to go. </span>Have you read the blog post about sending to Splunk with syslog-ng through HTTP Event Collectors (HEC) [1]? I believe you can send to any number of HEC instances from any number of syslog-ng servers.<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Nonetheless, I am not an expert in Splunk, but they have a Slack channel [2], where I have heard there are syslog-ng related discussions. It might be worth a try.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Cheers,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Attila</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
[1] <a href="https://www.splunk.com/en_us/blog/tips-and-tricks/syslog-ng-and-hec-scalable-aggregated-data-collection-in-splunk.html" id="LPlnk">https://www.splunk.com/en_us/blog/tips-and-tricks/syslog-ng-and-hec-scalable-aggregated-data-collection-in-splunk.html</a></div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
[2] <a href="https://docs.splunk.com/Documentation/Community/1.0/community/Chat" id="LPlnk">https://docs.splunk.com/Documentation/Community/1.0/community/Chat</a></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Faine, Mark R. (MSFC-IS40)[NICS] <mark.faine@nasa.gov><br>
<b>Sent:</b> Friday, January 15, 2021 4:51 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> Re: [syslog-ng] [EXTERNAL] Re: Failover/Hi Availability</font>
<div> </div>
</div>
<style>
<!--
@font-face
        {font-family:"Cambria Math"}
@font-face
        {font-family:Calibri}
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif}
a:link, span.x_MsoHyperlink
        {color:#0563C1;
        text-decoration:underline}
a:visited, span.x_MsoHyperlinkFollowed
        {color:#954F72;
        text-decoration:underline}
p
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif}
p.x_msonormal0, li.x_msonormal0, div.x_msonormal0
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman",serif}
p.x_xmsonormal, li.x_xmsonormal, div.x_xmsonormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif}
p.x_xmsochpdefault, li.x_xmsochpdefault, div.x_xmsochpdefault
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Calibri",sans-serif}
span.x_xmsohyperlink
        {color:#0563C1;
        text-decoration:underline}
span.x_xmsohyperlinkfollowed
        {color:#954F72;
        text-decoration:underline}
span.x_xemailstyle17
        {font-family:"Calibri",sans-serif;
        color:windowtext}
span.x_EmailStyle24
        {font-family:"Calibri",sans-serif;
        color:#1F497D}
span.x_SpellE
        {}
.x_MsoChpDefault
        {font-size:10.0pt}
@page WordSection1
        {margin:1.0in 1.0in 1.0in 1.0in}
div.x_WordSection1
        {}
-->
</style>
<div lang="EN-US" link="#0563C1" vlink="#954F72" style="">
<div style="background-color:#FFEB9C; width:100%; border-style:solid; border-color:#9C6500; border-width:1pt; padding:2pt; font-size:10pt; line-height:12pt; font-family:'Calibri'; color:Black; text-align:left">
<span style="color:#9C6500; font-weight:bold">CAUTION:</span> This email originated from outside of the organization. Do not follow guidance, click links, or open attachments unless you recognize the sender and know the content is safe.</div>
<br>
<div>
<div class="x_WordSection1">
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black">For now it's just an idea for an improved
<span class="x_SpellE">syslog-ng</span> infrastructure to support Splunk.</span></p>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black"> </span></p>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black">Not on the same machine but multiple, at least two servers, each with their own
<span class="x_SpellE">syslog-ng</span> instance, receiving data from dozens of hosts (the same hosts) and yes writing to a shared NFS file system.</span></p>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black"> </span></p>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black">The only substantial problem I have left in the (as of now) hypothetical scenario is that I need them all to write to the same location so that if one
 goes down we don't have to do any manual switching of any sort and none of the data fails to be indexed by Splunk.</span></p>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black"> </span></p>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black"> </span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D">Thanks,</span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D">Mark</span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
<p class="x_MsoNormal"><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:#1F497D"> </span></p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal"><b><span style="font-size:11.0pt; font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt; font-family:"Calibri",sans-serif"> syslog-ng <syslog-ng-bounces@lists.balabit.hu>
<b>On Behalf Of </b>Attila Szakacs (aszakacs)<br>
<b>Sent:</b> Friday, January 15, 2021 03:07<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu><br>
<b>Subject:</b> [EXTERNAL] Re: [syslog-ng] Failover/Hi Availability</span></p>
</div>
</div>
<p class="x_MsoNormal"> </p>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black">Hi Mark,</span></p>
</div>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black">Please elaborate a bit more about your architecture. Relevant config parts are also appreciated.</span></p>
</div>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black">Are there two syslog-ng servers running on the same machine?</span></p>
</div>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black">Or is it just one syslog-ng instance with two different log sources (on different ports for example), and there is a host which sends to both log sources?</span></p>
</div>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black">Maybe there are 2 different machines running their own syslog-ng, but using a network shared file system?</span></p>
</div>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black">Thanks!</span></p>
</div>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black">Cheers,</span></p>
</div>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black">Attila</span></p>
</div>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black"> </span></p>
</div>
<div>
<p class="x_MsoNormal" style="background:white"><span style="font-family:"Calibri",sans-serif; color:black"> </span></p>
</div>
<div class="x_MsoNormal" align="center" style="text-align:center"><span style="">
<hr size="3" width="98%" align="center">
</span></div>
<div id="x_divRplyFwdMsg">
<p class="x_MsoNormal" style=""><b><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:black">From:</span></b><span style="font-size:11.0pt; font-family:"Calibri",sans-serif; color:black"> syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu">syslog-ng-bounces@lists.balabit.hu</a>>
 on behalf of Faine, Mark R. (MSFC-IS40)[NICS] <<a href="mailto:mark.faine@nasa.gov">mark.faine@nasa.gov</a>><br>
<b>Sent:</b> Thursday, January 14, 2021 9:21 PM<br>
<b>To:</b> Syslog-ng users' and developers' mailing list <<a href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>><br>
<b>Subject:</b> [syslog-ng] Failover/Hi Availability</span><span style=""> </span>
</p>
<div>
<p class="x_MsoNormal"><span style=""> </span></p>
</div>
</div>
<div>
<p class="x_MsoNormal"><span style=""> </span></p>
<div>
<div>
<p class="x_xmsonormal">If I have two Syslog-ng servers receiving logs from the same source and writing to the exact same file system destination, is there a way to do this without running into issues with the two instances clobbering the files or file locking issues?</p>
<p class="x_xmsonormal"> </p>
<p class="x_xmsonormal"> </p>
<p class="x_xmsonormal">Thanks,</p>
<p class="x_xmsonormal">-Mark</p>
<p class="x_xmsonormal"> </p>
<p class="x_xmsonormal"> </p>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>