Excellent. Thanks for the info. -----הודעה מקורית----- מאת: syslog-ng-bounces@lists.balabit.hu [mailto:syslog-ng-bounces@lists.balabit.hu] בשם Balazs Scheidler נשלח: ג 02 ספטמבר 2008 17:54 אל: Syslog-ng users' and developers' mailing list נושא: Re: [syslog-ng] apache logs over syslog-ng sychronized On Tue, 2008-09-02 at 17:39 +0300, Eli Shemer wrote:
Hey there,
I would like to know if this configuration sounds viable to you.
Right now it's not really operational performance wise.
What I'm basically trying to do is to have my syslog server completely synchronized to the apache access logs of my other servers.
On a client I have this configured:
source s_apachelogs { file("/etc/apache2/logs/test/2008-09-02-test.log"); };
destination df_apachelogs { tcp("192.168.200.4" port(1999)); };
log { source(s_apachelogs); destination(df_apachelogs); };
and on the server:
source s_apachelogs { tcp(ip(192.168.200.4) port(1999)); };
destination df_apachelogs { file("/var/log/apachelogs.log"); };
log {
source(s_apachelogs);
destination(df_apachelogs);
};
<
This is just a sample case. Later on I would like to have my server keep an /var/log/apachelogs/ directory completely identical to the logs of the other servers.
For some reason I don’t see any traffic passed over the line unless I run a /etc/init.d/syslog-ng reload which is really bizzar.
Well, I don't know which syslog-ng version you are running, latest 2.0.x or 2.1.x should be ok, but you should specify follow-freq(XX) in your config to tell syslog-ng that you want to follow the specified file and not read it from the beginning. Performance wise you will probably need to tune log-fetch-limit() and maybe log-fifo-size(), but see the recent thread titled "lost messages with follow_freq()?" on this mailing list. -- Bazsi ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html