I need to tail a bunch of application logs that aren't in syslog format and send them to a remote server. I've configured this:

source s_tail { file(/var/log/chaotic_debug_log follow_freq(1) flags(no-parse)); };
destination remote { tcp("my_syslogserver.com" port(514)); };
log { source(s_tail); destination(remote); };

syslog-ng starts successfully and doesn't complain, but nothing happens... no logs appear remotely. I did a tcpdump on the syslog server and nothing is showing up from this box, so I did an strace on syslog-ng and didn't see the log files being opened. Running lsof on those files didn't show anything but the writing program. syslog-ng just isn't reading the files. Is something wrong with my config? How might I troubleshoot this? The syslog-ng version is 2.1.4 on CentOS 5.4.

Also, to have syslog tail multiple files, do I just add multiple entries, like this?

source s_tail { file(/var/log/chaotic_debug_log1 follow_freq(1) flags(no-parse)); };
source s_tail { file(/var/log/chaotic_debug_log2 follow_freq(1) flags(no-parse)); };
source s_tail { file(/var/log/chaotic_debug_log3 follow_freq(1) flags(no-parse)); };

Any help is appreciated. Thanks!
Hi,

On Thu, Jan 13, 2011 at 7:32 PM, <maillists0@gmail.com> wrote:
> I need to tail a bunch of application logs that aren't in syslog format and send them to a remote server. I've configured this:
>
> source s_tail { file(/var/log/chaotic_debug_log follow_freq(1) flags(no-parse)); };
> destination remote { tcp("my_syslogserver.com" port(514)); };
> log { source(s_tail); destination(remote); };
>
> syslog-ng starts successfully and doesn't complain, but nothing happens... no logs appear remotely. I did a tcpdump on the syslog server and nothing is showing up from this box, so I did an strace on syslog-ng and didn't see the log files being opened. Running lsof on those files didn't show anything but the writing program. syslog-ng just isn't reading the files. Is something wrong with my config? How might I troubleshoot this? The syslog-ng version is 2.1.4 on CentOS 5.4.

Could you post your configfile? In theory the above should work. BTW, using the latest syslog-ng versions you could also use custom parsers for reading logfiles.

> Also, to have syslog tail multiple files, do I just add multiple entries, like this?
>
> source s_tail { file(/var/log/chaotic_debug_log1 follow_freq(1) flags(no-parse)); };
> source s_tail { file(/var/log/chaotic_debug_log2 follow_freq(1) flags(no-parse)); };
> source s_tail { file(/var/log/chaotic_debug_log3 follow_freq(1) flags(no-parse)); };
This won't work because you're redefining the same source, so the last definition wins. Either group all file() statements into a single source definition or create a unique source for every file. I prefer the former (otherwise a lot of extra log sections have to be created), so the source definition would look like:
source s_tailedfiles { file("myfile1" follow_freq(1)); file("myfile2" follow_freq(1)); ... };
Regards,
Sandor
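A small lint for the failure mode described in the reply above, where a config loads without complaint but some files are never shipped. This is an added example, not part of the original thread or of syslog-ng: the `lint` function and its regexes are hypothetical, cover only the simple 2.x-style syntax shown in the thread, and the sample config is constructed from the poster's stanzas. Beyond the duplicate-source case, it also flags log paths that reference undefined names and definitions that no log path uses.

```python
import re
from collections import defaultdict

# Constructed sample: the client stanzas posted in the thread, including the
# three definitions that all reuse the name s_tail.
SAMPLE_CONF = """
source s_tail { file(/var/log/chaotic_debug_log1 follow_freq(1) flags(no-parse)); };
source s_tail { file(/var/log/chaotic_debug_log2 follow_freq(1) flags(no-parse)); };
source s_tail { file(/var/log/chaotic_debug_log3 follow_freq(1) flags(no-parse)); };
destination remote { tcp("my_syslogserver.com" port(514)); };
log { source(s_tail); destination(remote); };
"""

# Named top-level objects, e.g. "source s_tail {".
DEF_RE = re.compile(r"\b(source|destination|filter)\s+([\w.-]+)\s*\{")
# Log paths without nested braces, e.g. "log { source(a); destination(b); };".
LOG_RE = re.compile(r"\blog\s*\{(.*?)\}\s*;", re.S)
# References inside a log path, e.g. "source(s_tail)".
REF_RE = re.compile(r"\b(source|destination|filter)\s*\(\s*([\w.-]+)\s*\)")

def lint(conf):
    """Return findings for configs that load but silently ship no logs."""
    # Blank out full-line comments; newlines stay so line numbers hold.
    conf = re.sub(r"(?m)^[ \t]*#.*$", "", conf)
    defined = defaultdict(list)  # (kind, name) -> lines where it is defined
    for m in DEF_RE.finditer(conf):
        line = conf.count("\n", 0, m.start()) + 1
        defined[(m.group(1), m.group(2))].append(line)
    findings = []
    for (kind, name), lines in sorted(defined.items()):
        if len(lines) > 1:
            findings.append(f"duplicate {kind} '{name}' on lines {lines}")
    used = set()
    for body in LOG_RE.findall(conf):
        for ref in REF_RE.findall(body):
            used.add(ref)
            if ref not in defined:
                findings.append(f"log path uses undefined {ref[0]} '{ref[1]}'")
    for kind, name in sorted(set(defined) - used):
        findings.append(f"{kind} '{name}' is in no log path")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Running it against a client config before restarting syslog-ng turns a silent gap in log collection into a visible finding.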
Thanks so much for the answer. Almost as soon as I sent this, I realized I'd made a typo that wasn't enough to cause syslog-ng to choke but did cause it to fail.

Now that it's working, sort of, I have another issue that I don't understand. On the remote server, I have these stanzas:

options {
    sync (0);
    time_reopen (10);
    stats(43200);
    log_fifo_size (1000);
    long_hostnames (off);
    chain_hostnames (no);
    keep_hostname (yes);
    use_dns (yes);
    dns_cache (yes);
    use_fqdn (no);
    create_dirs (yes);
    dir_perm(0750);
    perm(0640);
    dir_group(1000);
};
destination d_r_mesg { file("/data/$HOST/messages"); };
destination d_r_auth { file("/data/$HOST/secure"); };
destination d_r_mail { file("/data/$HOST/maillog"); };
destination d_r_spol { file("/data/$HOST/spooler"); };
destination d_r_boot { file("/data/$HOST/boot.log"); };
destination d_r_cron { file("/data/$HOST/cron"); };
destination d_r_kernel { file("/data/$HOST/kernel"); };

So right now, my application log messages are all going to /data/$HOST/messages, but I need to keep the name of the original log file and reproduce it on the remote server. So myfile1 would show up as /data/$HOST/myfile1 on the remote server. Do I need to create a macro on the client for that, and a corresponding destination on the server?

Again, thanks for your help.