Hi, Szeti, Balazs <szeti.balazs@hp.com> [20061106 18:18:46 +0100]:
Thanks for the aswers, but as I wrote before, I'm rather affraid of network connection error (I'll have failover servers in the center, but the network line is a SPOF). Unfortunately syslog-ng doesn't give any response if a destination is unreachable (e.g. the destination file is deleted!). It writes in the internal log if it couldn't connect to destination TCP port on startup, but no error log or negative response when trying to send the log over the "missing" destination (file or TCP). So I can't find out whether my logging was succesfull or not.
What I would do is get each of the end 'nodes' to log to some partition on the local machine and then rsync/scp/ftp/whatever any log files that have not been successfully transferred over every hour/day/week. If you want a *guarentee* system then you usually are comprimising on the 'liveness' of the data on the central machine. If you do not care about an hour lag (or even a day) then I would log locally and transfer the files using a cron job. If you need live data too then you could use a combination of both syslog over the network and this scheduled reliable uploading of your log data. To confirm the otherend got the logs intact you could just md5sum your log files at either end. Cheers Alex
Balazs
-----Original Message----- From: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Alexander Clouter Sent: Monday, November 06, 2006 5:46 PM To: Syslog-ng users' and developers' mailing list Subject: Re: [syslog-ng] Alternate logging destination
Hi,
Szeti, Balazs <szeti.balazs@hp.com> [20061106 16:33:57 +0100]:
Hello!
I would like to design a centralized logging system with 50 edge nodes
and one center. It's quiet important to have all the logs even if the center is unreachable. Is there a way to configure syslog-ng to use an alternate
destination? For example if the centralized TCP destionation server is
down, the edge node syslog-ng may log in to a local file, so the logs can be reached later manually. When the center server in online again syslog-ng may log online again.
Any ideas?
Its all over UDP but I helped add multicast support to to do just this. The network duplicates the syslog messages to each 'core' syslog server so it does not matter if one f the boxes disappears.
I'm still pondering about sync'ing/diff'ing the differences[1] however for the effort you would need to put in for a heartbeat system, this solution wins...in my book anyway :)
Cheers
Alex
[1] I don't think its a big problem as you really only need to bear that
there could be differences and so should grep both log files for the time frame
Thanks in advance: Balazs _______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html