Syslog-ng & multiple "central" loghosts / HA environment
Hi everyone, have an interesting question.
Let's say I have 2 hosts, both running syslog-ng. These hosts also do a few other tasks and we want them to be highly available. We also don't want them to miss any syslog messages they will be receiving from other hosts.
The one thing I can see doing is on the hosts that it is possible, to have them send their information to both syslog hosts. However, I don't think all the equipment supports this. (For instance, I think some cisco equipment supports only 1 syslog host --- please correct me if I am wrong).
The other option I thought of was using heartbeat like you would with LVS. That way, you can share an ip and point all of the equipment to that ip.
However, what I am trying to figure out, especially with this secondary scenario, is how do you get syslog-ng to report to the other host (for the duplicate/backup) without having syslog-ng push the messages to both of the syslog hosts "regular" ip's and, in doing so, prevent log messages from duplicating exponentially?
Does this make sense?
Thanks,
Travis
On Fri, 2004-02-20 at 05:46, Travis Kriza wrote:
Hi everyone, have an interesting question.
Let's say I have 2 hosts, both running syslog-ng. These hosts also do a few other tasks and we want them to be highly available. We also don't want them to miss any syslog messages they will be receiving from other hosts.
The one thing I can see doing is on the hosts that it is possible, to have them send their information to both syslog hosts. However, I don't think all the equipment supports this. (For instance, I think some cisco equipment supports only 1 syslog host --- please correct me if I am wrong).
The other option I thought of was using heartbeat like you would with LVS. That way, you can share an ip and point all of the equipment to that ip.
However, what I am trying to figure out, especially with this secondary scenario, is how do you get syslog-ng to report to the other host (for the duplicate/backup) without having syslog-ng push the messages to both of the syslog hosts "regular" ip's and, in doing so, prevent log messages from duplicating exponentially?
I think a third idea to consider is using multicasting, and have both syslog-ng boxes listen to the same multicast group and equipment to send its messages to the multicast IP.
Although syslog-ng does not support this at the moment, I don't think it would be that difficult to implement.
-- Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
On Sun, Feb 22, 2004 at 12:04:59PM +0100, Balazs Scheidler wrote:
I think a third idea to consider is using multicasting, and have both syslog-ng boxes listen to the same multicast group and equipment to send its messages to the multicast IP.
Although syslog-ng does not support this at the moment, I don't think it would be that difficult to implement.
I don't know if any code could be reused, but the concepts in spread are somewhat in line with your thoughts here: http://www.spread.org/
-- Nate
"C is quirky, flawed, and an enormous success." - Dennis M. Ritchie.
However, what I am trying to figure out, especially with this secondary scenario, is how do you get syslog-ng to report to the other host (for the duplicate/backup) without having syslog-ng push the messages to both of the syslog hosts "regular" ip's and, in doing so, prevent log messages from duplicating exponentially?
Configure Syslog-ng on each box to listen to more than one incoming port. One of the ports is the standard syslog UDP, the other is just one you pick. Configure the Syslog-ng processes to forward ONLY messages that arrive via the standard port, but deliver them using the second one. Tada.... No duplication.
-Ben.
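The two-port scheme from Ben's reply, written out as a syslog-ng configuration for one of the two loghosts. This is an added example, not part of the original thread; the addresses 192.0.2.11 and 192.0.2.12, the relay port 5514 and the archive path are assumptions chosen for illustration.

```conf
# Added example: configuration for loghost A (192.0.2.11, constructed address).
# Loghost B (192.0.2.12) uses the same file with the two addresses swapped.

options {
    # Keep the hostname carried in the message header, so a relayed copy is
    # filed under the originating device and not under the relaying loghost.
    keep_hostname(yes);
};

# Standard syslog port: devices (or the shared heartbeat IP) send here.
source s_devices { udp(ip("0.0.0.0") port(514)); };

# Peer-only port (5514 is an arbitrary pick): the other loghost relays here.
source s_peer { udp(ip("192.0.2.11") port(5514)); };

# Both sources end up in the same archive.
destination d_archive { file("/var/log/central/$HOST.log"); };

# Relay target: the peer's second port, never its port 514.
destination d_peer { udp("192.0.2.12" port(5514)); };

# Messages received first-hand: store locally and relay once to the peer.
log { source(s_devices); destination(d_archive); destination(d_peer); };

# Messages relayed by the peer: store only. There is no d_peer in this
# path, so a message can cross between the loghosts at most once.
log { source(s_peer); destination(d_archive); };
```

UDP senders are not authenticated, so a host firewall rule that limits port 5514 to the peer's address keeps other machines from writing into the archive through the relay path.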
participants (4)
- Balazs Scheidler
- Ben Russo
- Nate Campi
- Travis Kriza