Hello list,

I am learning how to get a syslog server with syslog-ng. I started working in an IT department and I have more than 50 servers; we actually have rsyslog on the client side and syslog-ng on the syslog server. I want to change the client side from rsyslog and configure it with syslog-ng.

On the server side I read a lot of documentation and I know how to configure it (source, destination and filter).

I want to get these logs on the client side and send them to the syslog server over TCP+SSL:

    /var/log/auth.log
    /var/log/daemon.log
    /var/log/dmesg
    /var/log/messages
    /var/log/syslog

I want to get on the server side something like this:

    /var/log/extern/host1/auth.log
    /var/log/extern/host1/daemon.log
    /var/log/extern/host1/dmesg
    /var/log/extern/host1/messages
    /var/log/extern/host1/syslog
    /var/log/extern/host2/auth.log
    /var/log/extern/host2/daemon.log
    /var/log/extern/host2/dmesg
    /var/log/extern/host2/messages
    /var/log/extern/host2/syslog
    ...
    /var/log/extern/hostn/auth.log
    /var/log/extern/hostn/daemon.log
    /var/log/extern/hostn/dmesg
    /var/log/extern/hostn/messages
    /var/log/extern/hostn/syslog

In the past post you helped me and I have how to get it on the server side for the TCP+SSL:

    source s_tcptls {
        tcp(ip("10.200.42.1") port(10514)
            tls(
                peer-verify(required-trusted)
                ca_dir("/etc/syslog-ng/certs/")
                key_file("/etc/syslog-ng/certs/server.key")
                cert_file("/etc/syslog-ng/certs/server.crt")
            )
        );
    };

I have some questions:

1. Must I uninstall rsyslog before installing syslog-ng?
2. How can I configure the client side to send my logs to the server and to save on the local /var/log/?
3. Is there any client limit on syslog-ng?

I will try to read and learn as much as I can, I will appreciate your help.

Thanks for your job and best regards.
Josu Lazkano <josu.lazkano@barcelonamedia.org> writes:
> I have some questions:
> 1. Must I uninstall rsyslog before installing syslog-ng?
Uninstall, no. But the two should not run side by side (port conflicts, etc - you can run both, technically, but it's not really useful, imo).
> 2. How can I configure the client side to send my logs to the server and to save on the local /var/log/?
If you want to send pre-existing files, then the easiest route (since you have a small number of files) is to add a source for each, and send them over to the remote server (which also has a source for each). Though, this ain't pretty. You could collapse this into a single pair, but that involves rewriting the messages a bit, so that the server will know where to place them.

However, if you want to accept logs on client-side, and split them to files on the server side, that's a lot easier! You just have something like this on the clients:

    source s_local { internal(); system(); };
    destination d_net { tcp(...); };
    log { source(s_local); destination(d_net); };

And on the server, you use the source you wrote above, and filter the messages as you would do on the client side. However, when you write the destinations, instead of writing something like this:

    destination d_auth { file("/var/log/auth.log"); };

You write something like this:

    destination d_auth { file("/var/log/extern/${HOST}/auth.log"); };
> 3. Is there any client limit on syslog-ng?
Nope, there isn't. Apart from OS limits, that is. Whatever those may be - but chances are, you're not gonna hit them anytime soon. ;)

Hope these answers make sense!

--
|8]

On Jun 22, 2011, at 2:22 PM, Gergely Nagy wrote:
> Josu Lazkano <josu.lazkano@barcelonamedia.org> writes:
>> 3. Is there any client limit on syslog-ng?
> Nope, there isn't. Apart from OS limits, that is. Whatever those may be - but chances are, you're not gonna hit them anytime soon. ;)
> Hope these answers make sense!

Isn't the default limit on concurrent incoming TCP connections 100? I seem to recall hitting that when swapping out syslogd for syslog-ng on a central log server last year.

Cheers,
Bill

--
Bill Anderson, RHCE
Linux Systems Engineer
bill.anderson@bodybuilding.com

Bill Anderson <Bill.Anderson@bodybuilding.com> writes:
> On Jun 22, 2011, at 2:22 PM, Gergely Nagy wrote:
>> Josu Lazkano <josu.lazkano@barcelonamedia.org> writes:
>>> 3. Is there any client limit on syslog-ng?
>> Nope, there isn't. Apart from OS limits, that is. Whatever those may be - but chances are, you're not gonna hit them anytime soon. ;)
>> Hope these answers make sense!
> Isn't the default limit on concurrent incoming TCP connections 100? I seem to recall hitting that when swapping out syslogd for syslog-ng on a central log server last year.

There's a max-connections() source option, which defaults to 10, yes. But that can be increased, and then the limit is pretty much the kernel. (Just tried with 512 concurrent connections, with max-connections(1000), worked without a hitch).

--
|8]

On Wed, 2011-06-29 at 22:51 +0200, Gergely Nagy wrote:
> Bill Anderson <Bill.Anderson@bodybuilding.com> writes:
>> On Jun 22, 2011, at 2:22 PM, Gergely Nagy wrote:
>>> Josu Lazkano <josu.lazkano@barcelonamedia.org> writes:
>>>> 3. Is there any client limit on syslog-ng?
>>> Nope, there isn't. Apart from OS limits, that is. Whatever those may be - but chances are, you're not gonna hit them anytime soon. ;)
>>> Hope these answers make sense!
>> Isn't the default limit on concurrent incoming TCP connections 100? I seem to recall hitting that when swapping out syslogd for syslog-ng on a central log server last year.
> There's a max-connections() source option, which defaults to 10, yes. But that can be increased, and then the limit is pretty much the kernel. (Just tried with 512 concurrent connections, with max-connections(1000), worked without a hitch).

The current fd limit might be a blockage after that, but that can also be tuned either with ulimit, or the --fd-limit (IIRC, but see --help-all) command line option.

--
Bazsi
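
Added example, not part of the original thread and not the syslog-ng project's own configuration: client and server fragments that combine the answers above (local files plus forwarding over TCP+TLS, per-host files through ${HOST}, a raised max-connections()). The client key and certificate paths, the filter and destination names, and the max-connections(100) value are assumptions. Because the server uses peer-verify(required-trusted), each client has to present a certificate signed by a CA in the server's ca_dir.

```conf
# ---- client fragment (merge into /etc/syslog-ng/syslog-ng.conf) ----
source s_local { internal(); system(); };

# Keep writing local files; one facility shown, the others follow the same pattern.
filter f_auth { facility(auth, authpriv); };
destination d_auth_local { file("/var/log/auth.log"); };

# Forward everything to the central server over TCP+TLS.
# client.key / client.crt are assumed names; ca_dir must contain the CA that
# signed the server certificate, stored under its OpenSSL subject-hash name.
destination d_net {
    tcp("10.200.42.1" port(10514)
        tls(peer-verify(required-trusted)
            ca_dir("/etc/syslog-ng/certs/")
            key_file("/etc/syslog-ng/certs/client.key")
            cert_file("/etc/syslog-ng/certs/client.crt"))
    );
};

log { source(s_local); filter(f_auth); destination(d_auth_local); };
log { source(s_local); destination(d_net); };

# ---- server fragment ----
# keep-hostname(no): ${HOST} is taken from the connecting peer (resolved name
# or IP address), not from the hostname field the client wrote in the message,
# so a client cannot choose which directory its logs land in.
options { keep-hostname(no); };

source s_tcptls {
    tcp(ip("10.200.42.1") port(10514)
        max-connections(100)   # default is 10; more than 50 clients connect here
        tls(peer-verify(required-trusted)
            ca_dir("/etc/syslog-ng/certs/")
            key_file("/etc/syslog-ng/certs/server.key")
            cert_file("/etc/syslog-ng/certs/server.crt"))
    );
};

filter f_auth   { facility(auth, authpriv); };
filter f_daemon { facility(daemon); };

# create-dirs(yes) creates /var/log/extern/<host>/ the first time a host logs.
destination d_auth   { file("/var/log/extern/${HOST}/auth.log"   create-dirs(yes)); };
destination d_daemon { file("/var/log/extern/${HOST}/daemon.log" create-dirs(yes)); };

log { source(s_tcptls); filter(f_auth);   destination(d_auth); };
log { source(s_tcptls); filter(f_daemon); destination(d_daemon); };
```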

participants (4)
- Balazs Scheidler
- Bill Anderson
- Gergely Nagy
- Josu Lazkano