Configuration for a centralized syslog-ng server
Hi,
I'm using syslog-ng OSE 3.3.8 on a FreeBSD 9.1 amd64 box on a centralized server (DELL R610, 32GB RAM, ZFS with compressed filesystem) and 150 servers with syslog-ng that log locally and send their log streams remotely to the centralized syslog-ng. Sometimes I see packets dropped, so I think I'm missing something in its configuration.
That's what I'm using:
- generic server:
@version: 3.3
options { perm(0644); dir_perm(0750); create_dirs(yes); group (logs); dir_group (logs); log_fifo_size(10000); use_fqdn(yes); keep_hostname(yes); chain_hostnames(no); stats_freq(3600); };
source s_local { unix-dgram("/var/run/log"); unix-dgram("/var/run/logpriv" perm(0600)); internal(); file("/dev/klog"); };
destination d_local { file("/var/log/syslog-ng/$YEAR/$MONTH/$DAY/$FACILITY.log"); };
destination d_remote { tcp("10.0.0.9" port(514)); };
log { source(s_local); destination(d_local); destination(d_remote); };
- centralized log server:
@version: 3.3
options { perm(0644); dir_perm(0755); create_dirs(yes); group (logs); dir_group (logs); use_fqdn(yes); keep_hostname(yes); chain_hostnames(no); stats_freq(120); log_fifo_size(10000); frac_digits(3); };
source s_local { unix-dgram("/var/run/log" max_connections(20)); unix-dgram("/var/run/logpriv" perm(0600) max_connections(20)); internal(); file("/dev/klog"); };
filter f_localhost { netmask( "127.0.0.1" ); };
filter f_network6 { netmask( "172.16.6.0/255.255.255.0" ); };
destination d_local { file("/tank/syslog/custom/localhost/$YEAR/$MONTH/$DAY/$FACILITY.log"); };
source s_network { udp(ip("10.0.0.9") so_rcvbuf(16777216)); tcp(ip("10.0.0.9") port(514) log_fetch_limit(100) max_connections(200) log_iw_size(20000) so_rcvbuf(16777216)); };
filter f_www_host { host("www1.domain.lan") or host("www2.domain.lan") or host("www3.domain.lan"); };
[...]
filter f_www_fac { facility(local6); };
[...]
destination d_www { file("/tank/syslog-ng/custom/www/$YEAR/$MONTH/$DAY/$FACILITY.log"); };
[...]
log { source(s_network); filter(f_www_host); filter(f_www_fac); destination(d_www); };
Thanks,
-- d.
How do you know messages are dropped?
On Apr 22, 2013 4:24 PM, "Davide D'Amico" <davide.damico@gmail.com> wrote:
Hi,
I'm using syslog-ng OSE 3.3.8 on a FreeBSD 9.1 amd64 box on a centralized server (DELL R610, 32GB RAM, ZFS with compressed filesystem) and 150 servers with syslog-ng that log locally and send their log streams remotely to the centralized syslog-ng. Sometimes I see packets dropped, so I think I'm missing something in its configuration.
That's what I'm using:
- generic server:
@version: 3.3
options { perm(0644); dir_perm(0750); create_dirs(yes); group (logs); dir_group (logs); log_fifo_size(10000); use_fqdn(yes); keep_hostname(yes); chain_hostnames(no); stats_freq(3600); };
source s_local { unix-dgram("/var/run/log"); unix-dgram("/var/run/logpriv" perm(0600)); internal(); file("/dev/klog"); };
destination d_local { file("/var/log/syslog-ng/$YEAR/$MONTH/$DAY/$FACILITY.log"); };
destination d_remote { tcp("10.0.0.9" port(514)); };
log { source(s_local); destination(d_local); destination(d_remote); };
- centralized log server:
@version: 3.3
options { perm(0644); dir_perm(0755); create_dirs(yes); group (logs); dir_group (logs); use_fqdn(yes); keep_hostname(yes); chain_hostnames(no); stats_freq(120); log_fifo_size(10000); frac_digits(3); };
source s_local { unix-dgram("/var/run/log" max_connections(20)); unix-dgram("/var/run/logpriv" perm(0600) max_connections(20)); internal(); file("/dev/klog"); };
filter f_localhost { netmask( "127.0.0.1" ); };
filter f_network6 { netmask( "172.16.6.0/255.255.255.0" ); };
destination d_local { file("/tank/syslog/custom/localhost/$YEAR/$MONTH/$DAY/$FACILITY.log"); };
source s_network { udp(ip("10.0.0.9") so_rcvbuf(16777216)); tcp(ip("10.0.0.9") port(514) log_fetch_limit(100) max_connections(200) log_iw_size(20000) so_rcvbuf(16777216)); };
filter f_www_host { host("www1.domain.lan") or host("www2.domain.lan") or host("www3.domain.lan"); };
[...]
filter f_www_fac { facility(local6); };
[...]
destination d_www { file("/tank/syslog-ng/custom/www/$YEAR/$MONTH/$DAY/$FACILITY.log"); };
[...]
log { source(s_network); filter(f_www_host); filter(f_www_fac); destination(d_www); };
Thanks,
-- d.
Participants (2): Balazs Scheidler, Davide D'Amico
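The reply asks how the drops are known. One way to check from syslog-ng's own periodic statistics (both configurations set stats_freq()), as an added example that is not part of the original thread: it reads the `Log statistics;` lines written through internal() and reports each interval in which a cumulative `dropped` counter grew. The sample lines, the host name `loghost.domain.lan` and the counter names are constructed for illustration.

```python
import re

# One counter inside a "Log statistics;" line, e.g. dropped='some.name=12'
COUNTER = re.compile(r"(\w+)='([^']*)=(\d+)'")

def parse_stats(line):
    """Return {(kind, name): value} for a 'Log statistics;' line, else None."""
    _, marker, body = line.partition("Log statistics;")
    if not marker:
        return None
    return {(kind, name): int(value) for kind, name, value in COUNTER.findall(body)}

def new_drops(lines):
    """Return [(line_no, counter_name, delta)] for each growth of a dropped counter.

    The counters are cumulative since start-up, so a value lower than the
    previous report is treated as a restart and counted from zero again.
    """
    previous, findings = {}, []
    for line_no, line in enumerate(lines, 1):
        stats = parse_stats(line)
        if stats is None:
            continue  # ordinary log message, not a statistics report
        for (kind, name), value in stats.items():
            if kind != "dropped":
                continue
            last = previous.get(name, 0)
            delta = value - last if value >= last else value
            if delta > 0:
                findings.append((line_no, name, delta))
            previous[name] = value
    return findings

# Constructed sample: four statistics reports and one unrelated message.
D_WWW = "dst.file(d_www#0,/tank/syslog-ng/custom/www/$YEAR/$MONTH/$DAY/$FACILITY.log)"
PREFIX = "loghost.domain.lan syslog-ng[812]: Log statistics; "
SAMPLE = [
    "Apr 22 16:00:00 " + PREFIX + f"dropped='{D_WWW}=0', processed='source(s_network)=1200'",
    "Apr 22 16:01:13 www1.domain.lan httpd[2041]: constructed application message",
    "Apr 22 16:02:00 " + PREFIX + f"dropped='{D_WWW}=0', processed='source(s_network)=2500'",
    "Apr 22 16:04:00 " + PREFIX + f"dropped='{D_WWW}=37', processed='source(s_network)=4100'",
    "Apr 22 16:06:00 " + PREFIX + f"dropped='{D_WWW}=5', processed='source(s_network)=300'",
]

if __name__ == "__main__":
    for line_no, name, delta in new_drops(SAMPLE):
        print(f"line {line_no}: {delta} message(s) dropped at {name}")
```

These counters cover only messages syslog-ng itself discarded from a destination queue; datagrams the kernel drops before they reach the udp() source never appear in them.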