Splitting routerlogs from servers
Hiya!

I've got a setup like this with many log hosts (~200, rising) and want to split the server logfiles from those of our routers. I've got a setup like this:

---
options {
    sync (0);
    log_fifo_size (1000);
    use_fqdn (yes);
    chain_hostnames(no);
    stats (86400);
};

source src { unix-stream("/dev/log"); internal(); };
source net { udp(ip(0.0.0.0) port(514)); };
source srck { pipe("/proc/kmsg"); };

destination messages { file("/var/log/local/$YEAR-$MONTH-$DAY" create_dirs(yes)); };
destination router { file("/var/log/router/$HOST/$YEAR-$MONTH-$DAY" create_dirs(yes)); };
destination server { file("/var/log/server/$HOST/$YEAR-$MONTH-$DAY" create_dirs(yes)); };
destination unknown { file("/var/log/unknown/$HOST/$YEAR-$MONTH-$DAY" create_dirs(yes)); };

filter f_router { facility(local1,local2,local3,local4,local5,local6,local7); };
filter f_server { host("server1|server2|serverx|..."); };

log { source(src); source(srck); destination(messages); flags(final); };
log { source(net); filter(f_server); destination(server); flags(final); };
log { source(net); filter(f_router); destination(router); };
log { source(net); destination(unknown); flags(fallback); };
---

This is a very ugly setup because I always have to add new servers to the f_server filter, otherwise it would get logged in the router/unknown dir.

Is there a better way to solve this with one IP address or should I add a secondary interface to the server and let the routers log to the second IP?

Best regards,
--
Renner Michael
Junior System Engineer
Inode Telekommunikationsdienstleistungs GmbH - http://www.inode.at
support@inode.at, Tel.: 05 9999-0, Fax.: 05 9999-2699
On Thu, Feb 28, 2002 at 05:18:43PM +0100, Michael Renner wrote:
> Hiya!
>
> I've got a setup like this with many log hosts (~200, rising) and want to split the server logfiles from those of our routers. I've got a setup like this: []
>
> This is a very ugly setup because I always have to add new servers to the f_server filter, otherwise it would get logged in the router/unknown dir.
>
> Is there a better way to solve this with one IP address or should I add a secondary interface to the server and let the routers log to the second IP?

What about logging to a different port?

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
At 17:30 28.02.2002 +0100, you wrote:
> On Thu, Feb 28, 2002 at 05:18:43PM +0100, Michael Renner wrote:
>> Hiya!
>>
>> I've got a setup like this with many log hosts (~200, rising) and want to split the server logfiles from those of our routers. I've got a setup like this: []
>>
>> This is a very ugly setup because I always have to add new servers to the f_server filter, otherwise it would get logged in the router/unknown dir.
>>
>> Is there a better way to solve this with one IP address or should I add a secondary interface to the server and let the routers log to the second IP?
>
> What about logging to a different port?

Hi Bazsi, Hi Gregor!

Thanks for your fast replies.

Logging to an alternate port would be a solution for the servers running syslog-ng, but the default syslogd shipped with most of the distributions doesn't seem to support this (at least the man pages don't mention anything about it). Additionally, most of the routers out there in the big, wild internet won't let you change the destination port for the syslog stuff.

I think I'll just add another IP to the server and let the routers log to it.

Btw., the config parser drops hosts right before/after a CR/LF if you split the host() filter across several lines, like

host(server1|server2|
server3|server4
|server5);

Is this intentional? I couldn't track the problem further down because the yacc debugger (syslog-ng -[dv|dd]) seems to have vanished from 1.5.*.

Best regards,
--
Renner Michael
Junior System Engineer
Inode Telekommunikationsdienstleistungs GmbH - http://www.inode.at
support@inode.at, Tel.: 05 9999-0, Fax.: 05 9999-2699
Michael Renner on Thu, Feb 28, 2002 at 05:18:43PM +0100:

Hi,

> This is a very ugly setup because I always have to add new servers to the f_server filter, otherwise it would get logged in the router/unknown dir.
>
> Is there a better way to solve this with one IP address or should I add a secondary interface to the server and let the routers log to the second IP?

if you have the option to add an IP-alias to the existing interface, I guess this would be the best way to go. Otherwise, if you run syslog-ng on your servers as well, you could make them log to another port. In both cases, you would define two different network sources.

Regards,
--
Gregor Binder <gb@(rootnexus.net|sysfive.com)>
Id: 0xE2F31C4B Fp: 8B8A 5CE3 B79B FBF1 5518 8871 0EFB AFA3 E2F3 1C4B
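
The "two different network sources" suggested above could look like this in syslog-ng. This is an added example, not part of the thread: the addresses 192.0.2.10 and 192.0.2.11, the port 5514 and the source names net_server and net_router are placeholders, and the destinations are the ones from the original config.

```conf
# Added example, not from the thread.
# 192.0.2.10 = primary address of the log host (placeholder)
# 192.0.2.11 = IP alias added for the routers (placeholder)

# Servers keep sending to the primary address.
source net_server { udp(ip(192.0.2.10) port(514)); };

# Routers are pointed at the alias. The port stays 514, so devices that
# cannot change the syslog destination port still work.
source net_router { udp(ip(192.0.2.11) port(514)); };

# Alternative for senders that run syslog-ng themselves: one address,
# separate port (5514 is a placeholder).
# source net_server { udp(ip(0.0.0.0) port(5514)); };

destination server { file("/var/log/server/$HOST/$YEAR-$MONTH-$DAY" create_dirs(yes)); };
destination router { file("/var/log/router/$HOST/$YEAR-$MONTH-$DAY" create_dirs(yes)); };

# The receiving address decides the directory tree, so there is no host()
# list to extend when a new server is added, and no fallback path is needed.
log { source(net_server); destination(server); };
log { source(net_router); destination(router); };
```

With this layout the split depends only on which address a datagram arrives at, so a packet filter restricting who may send to each listener is what keeps a host out of the wrong tree.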
participants (3)
- Balazs Scheidler
- Gregor Binder
- Michael Renner