Hi,

On Thu, Jan 13, 2011 at 7:32 PM, <maillists0@gmail.com> wrote:
I need to tail a bunch of application logs that aren't in syslog format and send them to a remote server. I've configured this:
source s_tail { file(/var/log/chaotic_debug_log follow_freq(1) flags(no-parse)); };
destination remote { tcp("my_syslogserver.com" port(514)); };
log { source(s_tail); destination(remote); };
syslog-ng starts successfully and doesn't complain, but nothing happens... no logs appear remotely. I did a tcpdump on the syslog server and nothing is showing up from this box, so I did an strace on syslog-ng and didn't see the log files being opened. Running lsof on those files didn't show anything but the writing program. syslog-ng just isn't reading the files. Is something wrong with my config? How might I troubleshoot this? The syslog-ng version is 2.1.4 on CentOS 5.4.
Could you post your config file? In theory the above should work. BTW, using the latest syslog-ng versions you could also use custom parsers for reading logfiles.
Also, to have syslog tail multiple files, do I just add multiple entries, like this?
source s_tail { file(/var/log/chaotic_debug_log1 follow_freq(1) flags(no-parse)); };
source s_tail { file(/var/log/chaotic_debug_log2 follow_freq(1) flags(no-parse)); };
source s_tail { file(/var/log/chaotic_debug_log3 follow_freq(1) flags(no-parse)); };
This won't work because you're redefining the same source, so the last definition wins. Either group all file() statements into a single source definition or create a unique source for every file. I prefer the former (otherwise a lot of extra log sections have to get created), so the source definition would look like

source s_tailedfiles {
    file("myfile1" follow_freq(1));
    file("myfile2" follow_freq(1));
    ...
};

Regards,
Sandor
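A small lint for the pitfall described in the reply above (a source name defined more than once, so only the last definition takes effect), which also flags sources that never reach a log path. This is an added example, not part of the original thread or of syslog-ng; the function names and the regex-based parsing are assumptions and cover only flat source/destination/filter/log statements.

```python
import re
from collections import Counter

# Constructed sample: the three-source config from the question plus its log path.
SAMPLE_CONF = """
source s_tail { file(/var/log/chaotic_debug_log1 follow_freq(1) flags(no-parse)); };
source s_tail { file(/var/log/chaotic_debug_log2 follow_freq(1) flags(no-parse)); };
source s_tail { file(/var/log/chaotic_debug_log3 follow_freq(1) flags(no-parse)); };
destination remote { tcp("my_syslogserver.com" port(514)); };
log { source(s_tail); destination(remote); };
"""

# Simplified patterns (assumption): flat statements only, no nested log blocks.
DEF_RE = re.compile(r"\b(source|destination|filter)\s+([\w.-]+)\s*\{")
LOG_RE = re.compile(r"\blog\s*\{(.*?)\}\s*;", re.S)
REF_RE = re.compile(r"\b(source|destination|filter)\s*\(\s*([\w.-]+)\s*\)")

def strip_comments(text):
    """Remove '#' comments, leaving '#' inside double-quoted strings alone."""
    out = []
    for line in text.splitlines():
        in_str = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str
            elif ch == "#" and not in_str:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)

def lint(conf):
    """Return findings: duplicate names, unused objects, undefined references."""
    conf = strip_comments(conf)
    defs = Counter(DEF_RE.findall(conf))       # (kind, name) -> times defined
    refs = set()
    for body in LOG_RE.findall(conf):          # references inside log { ... };
        refs.update(REF_RE.findall(body))
    findings = []
    for (kind, name), count in sorted(defs.items()):
        if count > 1:
            findings.append(f"duplicate {kind} '{name}' defined {count} times")
        if (kind, name) not in refs:
            findings.append(f"{kind} '{name}' is not used in any log path")
    for kind, name in sorted(refs - set(defs)):
        findings.append(f"log path references undefined {kind} '{name}'")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```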