making syslog_NG redundant / NFS / HA possibilities
Hi,

we like to setup a central logging service for our distributed datacenter environment. Our idea is to use syslog_ng as an HA (high available) service running on two separate servers. The syslog clients (Solaris machines, network components, firewall appliances) should post the log data via UDP to a loadbalancer which will forward the log data to the two syslog_ng hosts.

Now we have the problem how to merge the log data from the two syslog_ng hosts to one location. Most of our data is stored on centralised storage subsystems and this storage is distributed via NFS (NetApp file server). We like to store the logdata also into nfs directories. Following figure describes a possible dataflow:

syslog clients --> LB -->
--> syslog_ng host1 --> syslog_ng host2
--> NFS:/.../log/$HOST/$FACILITY/$PRIORITY/one_logfile_for_both_syslog_hosts

Performance and nfs overhead is not a problem in our environment and nfs works very reliable due to our HA structures; logdata per day ~2-3 GB. Is there a possibility to let syslog_ng hosts write the logdata simultaneously into the same logfile (NFS)? What are the disadvantages?

What are your experiences in using syslog_ng as an HA service? What would be a good practice to setup syslog_ng and to make it high available?

Ideas and helpful suggestions are welcome - Thanxx. Oliver

------------------------------------------------
Oliver Toensmann
Universitaet Bielefeld - Hochschulrechenzentrum
Email: Oliver.Toensmann@uni-bielefeld.de
Oliver--

That's an interesting setup, a couple comments:

* I'd recommend running TCP syslog (-ng) wherever you can...
* If you setup an active/active syslog-ng server in your loadbalancer, my first reaction is that it's probably not safe to write to the same file constantly through nfs...

Another case scenario, which may be large enough to consider-- What happens if there is network failure to the netapp from the syslog-ng servers. (ethernet cable on one of the servers gets yanked; or ethernet card goes bad on one of the servers, etc...)

- Are you going to configure your syslog-ng servers to sync(0) or maybe buffer some data in the event that this happens?
- And when the server joins will it dump a large amount of logs to disk?

--------

So with all this said, there are a couple other overall design approaches, which you may consider:

1) Setup a passive/active configuration in the load balancer (Use the load balancer to failover to a secondary logging host)
   - You may need to run a script on the load balancer and/or system(s) to check for nfs availability.

2) Just have one central syslog-ng host, and run syslog-ng on all your systems creating a large enough buffer so if the central server becomes unavailable, buffer. All those remote machines "should" log to local disk anyways. Your network equipment may need to still have a "primary" and "secondary" syslog host for the central server failing.

-------

And finally the most straightforward approach--

3) If absolute message integrity is required, setup an active / active (raid 1) approach-- Send messages to two servers at the same time logging to two different files, and make sure that no infrastructure on each machine is shared.

On Mon, 31 Jan 2005 13:13:57 +0100, Oliver Tönsmann <oliver.toensmann@uni-bielefeld.de> wrote:
Hi,
we like to setup a central logging service for our distributed datacenter environment. Our idea is to use syslog_ng as an HA (high available) service running on two separate servers. The syslog clients (Solaris machines, network components, firewall appliances) should post the log data via UDP to a loadbalancer which will forward the log data to the two syslog_ng hosts.
Now we have the problem how to merge the log data from the two syslog_ng hosts to one location. Most of our data is stored on centralised storage subsystems and this storage is distributed via NFS (NetApp file server). We like to store the logdata also into nfs directories. Following figure describes a possible dataflow:
syslog clients --> LB -->
--> syslog_ng host1 --> syslog_ng host2
--> NFS:/.../log/$HOST/$FACILITY/$PRIORITY/one_logfile_for_both_syslog_hosts
Performance and nfs overhead is not a problem in our environment and nfs works very reliable due to our HA structures; logdata per day ~2-3 GB. Is there a possibility to let syslog_ng hosts write the logdata simultaneously into the same logfile (NFS)? What are the disadvantages?
What are your experiences in using syslog_ng as an HA service? What would be a good practice to setup syslog_ng and to make it high available?
Ideas and helpful suggestions are welcome - Thanxx. Oliver
------------------------------------------------
Oliver Toensmann
Universitaet Bielefeld - Hochschulrechenzentrum
Email: Oliver.Toensmann@uni-bielefeld.de
participants (2)
- Dave Johnson
- Oliver Tönsmann
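The merge question from the thread, worked for the mirrored layout in option 3 (each collector writes its own file, and one view is built offline), as an added example that is not part of either message. It assumes classic BSD-style timestamps, files already in time order, and that every client sends to both collectors; the sample lines, host names and function names are constructed for illustration.

```python
import heapq
from collections import Counter
from datetime import datetime
from itertools import groupby

# Constructed sample data: what each collector wrote to its OWN file.
HOST1_LOG = [
    "Jan 31 13:13:57 fw1 kernel: DROP IN=eth0 SRC=192.0.2.10",
    "Jan 31 13:13:58 sol1 sshd[411]: Failed password for root",
    "Jan 31 13:13:58 sol1 sshd[411]: Failed password for root",
    "Jan 31 13:14:02 sw1 link: port 12 down",
]
HOST2_LOG = [  # lost the 13:13:57 datagram, kept one that host1 lost
    "Jan 31 13:13:58 sol1 sshd[411]: Failed password for root",
    "Jan 31 13:13:58 sol1 sshd[411]: Failed password for root",
    "Jan 31 13:14:00 sol2 su: 'su root' succeeded for admin",
    "Jan 31 13:14:02 sw1 link: port 12 down",
]

def parse_ts(line, year):
    # BSD syslog timestamps ("Jan 31 13:13:57") carry no year; caller supplies it.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def tagged(lines, source, year):
    # Yield (timestamp, collector index, line) for every non-empty line.
    for line in lines:
        line = line.rstrip("\n")
        if line:
            yield parse_ts(line, year), source, line

def merge_mirrored(streams, year):
    """Merge time-ordered logs from collectors that all received the same feed."""
    merged = heapq.merge(*(tagged(s, i, year) for i, s in enumerate(streams)),
                         key=lambda rec: rec[0])
    out = []
    for _, group in groupby(merged, key=lambda rec: rec[0]):
        counts = {}  # line -> Counter of copies seen per collector
        for _, source, line in group:
            counts.setdefault(line, Counter())[source] += 1
        # Multiset union: a line repeated n times within one second is kept
        # n times, but the mirror copy on the other collector adds nothing.
        for line, per_source in counts.items():
            out.extend([line] * max(per_source.values()))
    return out

if __name__ == "__main__":
    print("\n".join(merge_mirrored([HOST1_LOG, HOST2_LOG], 2005)))
```

With a load balancer that splits traffic instead of mirroring it, the per-second collapse would be wrong, because two identical lines on different collectors would then be two distinct events.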