Hi everybody,

I have an issue with syslog-ng configuration. I would like to centralize my logs on one server.

I've a lot of logs to send. I don't know how many but I can estimate it to 500GB per day from decades of servers. But, it writes only 25 GB per day. For some reasons I work on a Debian etchnhalf environment. So, I'm working with syslog-ng 2.0.0.

I wrote a perl program which spawns p "logger -p local5.info" processes and sends n lines of m characters.
I have tested with: p: 1 000, n: 1 000, m: 1 000
Instead of having 1 000 000 lines in my logs I have nearly 10 000 lines! But my test was not relevant because normal logs were not stopped. So, maybe normal.

I've googled my issue and tried to play on log_fifo_size(), max_connections() and sync() on both server and client but nothing to do...

Here is my client configuration file:

options {
    chain_hostnames(0);
    time_reopen(10);
    time_reap(360);
    log_fifo_size(2048);
    create_dirs(yes);
    group(adm);
    perm(0640);
    dir_perm(0755);
    use_dns(no);
    stats_freq(0);
    bad_hostname("^gconfd$");
};

source s_all {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
};

destination dn_fslog { tcp("xxx.xxx.xxx.xxx" port(514)); };
filter f_local5 { facility(local5); };
log { source(s_all); filter(f_local5); destination(dn_fslog); };

# for all my apache vhosts
destination df_access_www.foo.com { file("/var/www/www.foo.com/logs/access.log"); };
filter f_local0_access_www.foo.com { level(info) and facility(local0) and program("www\.foo\.com"); };
log { source(s_all); filter(f_local0_access_www.foo.com); destination(df_access_www.foo.com); destination(dn_fslog); };

destination df_error_www.foo.com { file("/var/www/www.foo.com/logs/error.log"); };
filter f_local0_error_www.foo.com { level(error) and facility(local0) and program("www\.foo\.com"); };
log { source(s_all); filter(f_local0_error_www.foo.com); destination(df_error_www.foo.com); destination(dn_fslog); };

etc. with www.foo2.com

Here is my server configuration file:

options {
    chain_hostnames(0);
    time_reopen(10);
    time_reap(360);
    log_fifo_size(2048);
    create_dirs(yes);
    group(adm);
    perm(0640);
    dir_perm(0755);
    use_dns(no);
    stats_freq(0);
    bad_hostname("^gconfd$");
};

source s_net { tcp(ip(xxx.xxx.xxx.xxx) port(514)); };

destination df_net_access_aaa.aaa.aaa.aaa-www.foo.com { file("/logs/www.foo.com/aaa.aaa.aaa.aaa-access.log"); };
filter f_local0_access_aaa.aaa.aaa.aaa-www.foo.com { level(info) and facility(local0) and program("www\.foo\.com") and host("aaa\.aaa\.aaa\.aaa"); };
log { source(s_net); filter(f_local0_access_aaa.aaa.aaa.aaa-www.foo.com); destination(df_net_access_aaa.aaa.aaa.aaa-www.foo.com); };

destination df_net_error_aaa.aaa.aaa.aaa-www.foo.com { file("/logs/www.foo.com/aaa.aaa.aaa.aaa-error.log"); };
filter f_local0_error_aaa.aaa.aaa.aaa-www.foo.com { level(error) and facility(local0) and program("www\.foo\.com") and host("aaa\.aaa\.aaa\.aaa"); };
log { source(s_net); filter(f_local0_error_aaa.aaa.aaa.aaa-www.foo.com); destination(df_net_error_aaa.aaa.aaa.aaa-www.foo.com); };

etc. with aaa.aaa.aaa.bbb and www.foo2.com

Just to give you a number, I'm speaking about 20 web servers with 20 load balanced websites on each. Servers are on a Gigabit network with bonded Gigabit interfaces. It is running on Linux 2.6.24-etchnhalf.1-686-bigmem.

Maybe syslog-ng cannot handle 400 different filter rules but it would surprise me. If it's the case, is there any better way to separate, for instance, apache error and access logs for each server, in files named /logs/<project = progname>/<ip>-access.log and /logs/<project = progname>/<ip>-error.log?

I don't think my hardware is in cause because CPU average is 98% idle and there is no IO wait.

Can you tell me what I misunderstood or simply what's wrong in my configuration files? Or, may it work better with a 3.x version compiled with some options?

Thanks in advance.

Regards,
Rémi
Remi,

just to make sure. Do your ulimit settings allow you to spawn the p (1000) processes in parallel?

Considering your test. Did each instance of the test program write its own unique lines and can you see whether some processes did not make it to syslog or that all processes produced partial logging?

regards,
Siem Korteweg

-----Original message-----
From: syslog-ng-bounces@lists.balabit.hu on behalf of Rémi BUISSON
Sent: Fri 12-2-2010 17:51
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] syslog-ng performance tuning
Siem,

Thanks for trying to help me.

My ulimit value was unlimited. All my processes write <log$pid>m characters</log> so each process has its own n unique lines.

I added a destination for my local5 which is the file /root/test.log.

I tried: ./test_syslog.pl -p 5 -n 100 -m 1000

on log client:
# wc -l /root/test.log
500 test.log

on log server:
# wc -l test.log
0 test.log

Then: ./test_syslog.pl -p 1000 -n 1000 -m 1000

on log client:
# wc -l /root/test.log
756688 test.log

on log server:
# wc -l test.log
9042 test.log

The client outputs:
...
Finished 9857!
...
Finished 10904!
...

So randomly near the first and last processes spawned:

client# grep 10904 test.log | wc -l
0
client# grep 9857 test.log | wc -l
1000
server# grep 9857 test.log | wc -l
4

Sample of log:
Feb 15 10:01:05 xxxx logger: <log9857>0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</log>

So, clearly the log server does not receive all logs, but the client does not seem to be able to process a large amount of logging messages either.
Each test result number is nearly the same. It's good to see there is no random in my tests ;-)

Do you see the thing which makes it not work?

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html

--
Rémi BUISSON - IT Engineer
F-Secure Storage & Digital Content
7, rue Raymond Manaud
33524 BORDEAUX Bruges Cedex
FRANCE
http://www.f-secure.com/export/system/modules/com.fsecure.frontend.newbrand/...
I compiled version 2.1.14 but nothing has changed.

I removed all my configuration and put the configuration mentioned on this blog: http://bazsi.blogs.balabit.com/2007/12/syslog-ng-fun-with-performance.html

syslog-ng-server:~# loggen -s 150 -r 100000 -S 127.0.0.1 2000
average rate = 65539.50 msg/sec, count=655395

syslog-ng-client:~# loggen -r 100000 -s 150 -i -S xxx.xxx.xxx.xxx 2000
average rate = 22832.30 msg/sec, count=228323

I won 2 000 msg/sec upgrading my kernel to 2.6.26.

Is there any TCP sysctl flag you have in mind that I can enable to make the TCP connection to the syslog server better?
Hi,

For those who are interested, I solved my issue.
The problem was I had too many filter rules. Using macros, I reduced about 600 rules to 3.
Now I get my syslog server working and no more lost messages.

Rémi
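The macro-based server configuration Rémi describes (a few rules in place of one filter/destination pair per host and vhost), written here as an added example and not Rémi's attached config. It assumes syslog-ng 2.x macro names $PROGRAM and $SOURCEIP, the local0 facility and "logger -t <vhost>" tagging from the thread; the listen address, max_connections value and the program() name guard are my assumptions, the guard being there because $PROGRAM is taken from the client's message before it is used in a file path.

```conf
# Added example, not the attached file: one rule set serves every web server and vhost.
options {
    chain_hostnames(0);
    use_dns(no);          # $SOURCEIP/$HOST stay plain addresses, no DNS stalls in the main loop
    create_dirs(yes);     # /logs/<vhost>/ is created on the first message for that vhost
    log_fifo_size(2048);
    dir_perm(0755);
    perm(0640);
    group(adm);
};

# Assumed listen address. The default max_connections() of a tcp() source is 10,
# which is fewer than the 20 web servers in the thread, so raise it explicitly.
source s_net {
    tcp(ip(0.0.0.0) port(514) max_connections(100));
};

# The program name comes from "logger -t www.test.com" on the client and is therefore
# client-controlled; accept only hostname-like values before using it in a path.
filter f_vhost  { program("^[A-Za-z0-9][A-Za-z0-9.-]*$"); };
filter f_access { facility(local0) and level(info); };
filter f_error  { facility(local0) and level(err); };   # "error" is a deprecated alias of err

# $PROGRAM = vhost name, $SOURCEIP = address of the web server that sent the line,
# giving /logs/www.test.com/<ip_client>-access.log as in the thread.
destination d_access { file("/logs/$PROGRAM/$SOURCEIP-access.log"); };
destination d_error  { file("/logs/$PROGRAM/$SOURCEIP-error.log"); };

# Multiple filter() references in one log statement are ANDed together.
log { source(s_net); filter(f_vhost); filter(f_access); destination(d_access); };
log { source(s_net); filter(f_vhost); filter(f_error);  destination(d_error);  };
```

Adding a new web server or vhost then needs no syslog-ng change at all: the new path appears as soon as its first message arrives.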
Do you think you can share your modified config? thanks

On Fri, Feb 19, 2010 at 2:27 AM, Rémi BUISSON <rbuisson@steek.com> wrote:
Hi,
For those who are interested, I solved my issue.
The problem was I had too many filter rules. Using macros, I reduced about 600 rules to 3.
Now I get my syslog server working and no more lost messages.
Rémi
Yes, of course, please find configuration files in attachment. This is customed debian based configuration so maybe you will have to tune it. The syslog server logs local2 (custom program which logs on local2) and apache error/access logs on local0. For apache you will need this kind of lines in your vhost configuration files: ErrorLog "|/usr/bin/logger -p local0.error -t www.test.com" CustomLog "|/usr/bin/logger -p local0.info -t www.test.com" combined The server will log apache logs on : /logs/www.test.com/<ip_client>-access.log /logs/www.test.com/<ip_client>-error.log If it cans help you I attached my logrotate configuration too. It rotates every 40 days and tar the month rotated. So you will have every apache logs gzipped in one tar.gz. Regards. fedora fedora wrote:
Do you think you can you share your modified config? thanks
On Fri, Feb 19, 2010 at 2:27 AM, Rémi BUISSON <rbuisson@steek.com <mailto:rbuisson@steek.com>> wrote:
Hi,
For those who are interested in, I solved my issue.
The problem was I had too many filter rules. Using macros, I reduce about 600 rules to 3.
Now I get my syslog server working and no more lost messages.
Rémi
Rémi BUISSON wrote:
I compiled version 2.1.14 but nothing has changed.
I removed all my configuration and put configuration mentionned on this blog: http://bazsi.blogs.balabit.com/2007/12/syslog-ng-fun-with-performance.html
syslog-ng-server:~# loggen -s 150 -r 100000 -S 127.0.0.1 2000 average rate = 65539.50 msg/sec, count=655395
syslog-ng-client:~# loggen -r 100000 -s 150 -i -S xxx.xxx.xxx.xxx 2000 average rate = 22832.30 msg/sec, count=228323
I wone 2 000 msg/sec upgrading my kernel to 2.6.26.
Is there any TCP sysctl flag I can enable to make TCP connection to syslog server better that you have in mind ?
Rémi BUISSON wrote:
Siem,
Thanks for trying helping me.
My ulimit value was unlimited. All my processes write <log$pid>m characters</log> so each process have its own n unique lines.
I added a destination for my local5 which is the file /root/test.log.
I tried: ./test_syslog.pl <http://test_syslog.pl> -p 5 -n 100 -m 1000
on log client: # wc -l /root/test.log 500 test.log
on log server: # wc -l test.log 0 test.log
Then: ./test_syslog.pl <http://test_syslog.pl> -p 1000 -n 1000 -m 1000
on log client: # wc -l /root/test.log 756688 test.log
on log server: # wc -l test.log 9042 test.log
The client outputs: ... Finished 9857! ... Finished 10904! ...
So randomly near the firsts and lasts processes spawned:
client# grep 10904 test.log | wc -l 0 client# grep 9857 test.log | wc -l 1000
server# grep 9857 test.log | wc -l 4
Sample of log: Feb 15 10:01:05 xxxx logger: <log9857>000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 0000000000000000000000000</log>
So, clearly the log server do not receive all logs but the client do not seem to be able to process a large amount of logging message.
Each test result number is nearly the same. It's good to see there is no random in my tests ;-)
Do you see the thing which make it not working ?
Siem Korteweg wrote:
Remi,
just to make sure. Do your ulimit settings allow you to spawn the p (1000) processes in paralel?
Considering your test. Did each instance of the test program write it's own unique lines and can you see whether some processes did not make it to syslog or that all processes produced partial logging?
regards,
Siem Korteweg
-----Oorspronkelijk bericht----- Van: syslog-ng-bounces@lists.balabit.hu <mailto:syslog-ng-bounces@lists.balabit.hu> namens Rémi BUISSON Verzonden: vr 12-2-2010 17:51 Aan: syslog-ng@lists.balabit.hu <mailto:syslog-ng@lists.balabit.hu> Onderwerp: [syslog-ng] syslog-ng performance tuning
Hi everybody,
I'have an issue with syslog-ng configuration. I would like to centralize my logs on one server.
I've a lot of logs to send. I don't know how many but I can estimate it to 500GB per day from decades of servers. But, it writes only 25 GB per day. For some reasons I work on a debian etchnhalf environnement. So, I'm working with syslog-ng 2.0.0.
I wrote a perl program which spawn p "logger -p local5.info <http://local5.info>" processes and send n lines of m characters.
I'have tested with: p: 1 000 n: 1 000 m: 1 000
Instead of having 1 000 000 lines in my logs I have nearly 10 000 lines ! But my test was not revelant because normal logs where not stopped. So, maybe normal.
------------------------------------------------------------------------
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.campin.net/syslog-ng/faq.html
-- Rémi BUISSON - IT Engineer F-Secure Storage & Digital Content 7, rue Raymond Manaud 33524 BORDEAUX Bruges Cedex FRANCE http://www.f-secure.com/export/system/modules/com.fsecure.frontend.newbrand/...
Attachment: client syslog-ng.conf (the sending host)

#
# Configuration file for syslog-ng under Debian
#
# attempts at reproducing default syslog behavior

# the standard syslog levels are (in descending order of priority):
# emerg alert crit err warning notice info debug
# the aliases "error", "panic", and "warn" are deprecated
# the "none" priority found in the original syslogd configuration is
# only used in internal messages created by syslogd

######
# options

options {
    # disable the chained hostname format in logs
    # (default is enabled)
    chain_hostnames(0);

    # the time to wait before a died connection is re-established
    # (default is 60)
    time_reopen(10);

    # the time to wait before an idle destination file is closed
    # (default is 60)
    time_reap(360);

    # the number of lines buffered before written to file
    # you might want to increase this if your disk isn't keeping up with
    # all the log messages you get or if you want less disk activity
    # (say on a laptop)
    # (default is 0)
    #sync(0);

    # the number of lines fitting in the output queue
    log_fifo_size(2048);

    # enable or disable directory creation for destination files
    create_dirs(yes);

    # default owner, group, and permissions for log files
    # (defaults are 0, 0, 0600)
    #owner(root);
    group(adm);
    perm(0640);

    # default owner, group, and permissions for created directories
    # (defaults are 0, 0, 0700)
    #dir_owner(root);
    #dir_group(root);
    dir_perm(0755);

    # enable or disable DNS usage
    # syslog-ng blocks on DNS queries, so enabling DNS may lead to
    # a Denial of Service attack
    # (default is yes)
    use_dns(no);

    # maximum length of message in bytes
    # this is only limited by the program listening on the /dev/log Unix
    # socket, glibc can handle arbitrary length log messages, but -- for
    # example -- syslogd accepts only 1024 bytes
    # (default is 2048)
    #log_msg_size(2048);

    # Disable statistic log messages.
    stats_freq(0);

    # Some programs send log messages through a private implementation,
    # and sometimes that implementation is bad. If this happens syslog-ng
    # may recognise the program name as hostname. With this option
    # we tell syslog-ng that if a hostname matches this regexp then that
    # is not a real hostname.
    bad_hostname("^gconfd$");
};

######
# sources

# all known message sources
source s_all {
    # message generated by Syslog-NG
    internal();
    # standard Linux log source (this is the default place for the syslog()
    # function to send logs to)
    unix-stream("/dev/log");
    # messages from the kernel
    file("/proc/kmsg" log_prefix("kernel: "));
    # use the following line if you want to receive remote UDP logging messages
    # (this is equivalent to the "-r" syslogd flag)
    # udp();
};

######
# destinations

# some standard log files
destination df_auth { file("/var/log/auth.log"); };
destination df_syslog { file("/var/log/syslog"); };
destination df_cron { file("/var/log/cron.log"); };
destination df_daemon { file("/var/log/daemon.log"); };
destination df_kern { file("/var/log/kern.log"); };
destination df_lpr { file("/var/log/lpr.log"); };
destination df_mail { file("/var/log/mail.log"); };
destination df_user { file("/var/log/user.log"); };
destination df_uucp { file("/var/log/uucp.log"); };

# these files are meant for the mail system log files
# and provide re-usable destinations for {mail,cron,...}.info,
# {mail,cron,...}.notice, etc.
destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };

# these files are meant for the news system, and are kept separated
# because they should be owned by "news" instead of "root"
destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };

# some more classical and useful files found in standard syslog configurations
destination df_debug { file("/var/log/debug"); };
destination df_messages { file("/var/log/messages"); };

# pipes
# a console to view log messages under X
destination dp_xconsole { pipe("/dev/xconsole"); };

# consoles
# this will send messages to everyone logged in
destination du_all { usertty("*"); };

######
# filters

# all messages from the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };

# all messages except from the auth and authpriv facilities
filter f_syslog { not facility(auth, authpriv, local0, local2, local3, local4); };

# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
# and uucp facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };

# some filters to select messages of priority greater or equal to info, warn,
# and err
# (equivalents of syslogd's *.info, *.warn, and *.err)
filter f_at_least_info { level(info..emerg); };
filter f_at_least_notice { level(notice..emerg); };
filter f_at_least_warn { level(warn..emerg); };
filter f_at_least_err { level(err..emerg); };
filter f_at_least_crit { level(crit..emerg); };

# all messages of priority debug not coming from the auth, authpriv, news, and
# mail facilities
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };

# all messages of info, notice, or warn priority not coming from the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news,local0,local2,local3,local4); };

# messages with priority emerg
filter f_emerg { level(emerg); };

# complex filter for messages usually sent to the xconsole
filter f_xconsole { facility(daemon,mail) or level(debug,info,notice,warn) or (facility(news) and level(crit,err,notice)); };

######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement

# these rules provide the same behavior as the commented original syslogd rules

# auth,authpriv.* /var/log/auth.log
log { source(s_all); filter(f_auth); destination(df_auth); };

# *.*;auth,authpriv.none -/var/log/syslog
log { source(s_all); filter(f_syslog); destination(df_syslog); };

# this is commented out in the default syslog.conf
# cron.* /var/log/cron.log
#log { source(s_all); filter(f_cron); destination(df_cron); };

# daemon.* -/var/log/daemon.log
log { source(s_all); filter(f_daemon); destination(df_daemon); };

# kern.* -/var/log/kern.log
log { source(s_all); filter(f_kern); destination(df_kern); };

# lpr.* -/var/log/lpr.log
log { source(s_all); filter(f_lpr); destination(df_lpr); };

# mail.* -/var/log/mail.log
log { source(s_all); filter(f_mail); destination(df_mail); };

# user.* -/var/log/user.log
log { source(s_all); filter(f_user); destination(df_user); };

# uucp.* /var/log/uucp.log
log { source(s_all); filter(f_uucp); destination(df_uucp); };

# mail.info -/var/log/mail.info
log { source(s_all); filter(f_mail); filter(f_at_least_info); destination(df_facility_dot_info); };

# mail.warn -/var/log/mail.warn
log { source(s_all); filter(f_mail); filter(f_at_least_warn); destination(df_facility_dot_warn); };

# mail.err /var/log/mail.err
log { source(s_all); filter(f_mail); filter(f_at_least_err); destination(df_facility_dot_err); };

# news.crit /var/log/news/news.crit
log { source(s_all); filter(f_news); filter(f_at_least_crit); destination(df_news_dot_crit); };

# news.err /var/log/news/news.err
log { source(s_all); filter(f_news); filter(f_at_least_err); destination(df_news_dot_err); };

# news.notice /var/log/news/news.notice
log { source(s_all); filter(f_news); filter(f_at_least_notice); destination(df_news_dot_notice); };

# *.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
log { source(s_all); filter(f_debug); destination(df_debug); };

# *.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
log { source(s_all); filter(f_messages); destination(df_messages); };

# *.emerg *
log { source(s_all); filter(f_emerg); destination(du_all); };

# daemon.*;mail.*;\
# news.crit;news.err;news.notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn |/dev/xconsole
log { source(s_all); filter(f_xconsole); destination(dp_xconsole); };

# net logs
destination dn_syslog-server { tcp("xxx.xxx.xxx.xxx" port(514)); };
filter f_local2 { facility(local2); };
log { source(s_all); filter(f_local2); destination(dn_syslog-server); };

# Apache access logs
destination df_net_apache_access { file("/var/www/$PROGRAM/logs/access.log"); };
filter f_net_apache_access { level(info) and facility(local0); };
log { source(s_all); filter(f_net_apache_access); destination(dn_syslog-server); destination(df_net_apache_access); };

# Apache error logs
destination df_net_apache_error { file("/var/www/$PROGRAM/logs/error.log"); };
filter f_net_apache_error { level(error) and facility(local0); };
log { source(s_all); filter(f_net_apache_error); destination(dn_syslog-server); destination(df_net_apache_error); };

Attachment: server syslog-ng.conf (the central log server)

#
# Configuration file for syslog-ng under Debian
#
# attempts at reproducing default syslog behavior

# the standard syslog levels are (in descending order of priority):
# emerg alert crit err warning notice info debug
# the aliases "error", "panic", and "warn" are deprecated
# the "none" priority found in the original syslogd configuration is
# only used in internal messages created by syslogd

######
# options

options {
    # disable the chained hostname format in logs
    # (default is enabled)
    chain_hostnames(0);

    # the time to wait before a died connection is re-established
    # (default is 60)
    time_reopen(10);

    # the time to wait before an idle destination file is closed
    # (default is 60)
    time_reap(360);

    # the number of lines buffered before written to file
    # you might want to increase this if your disk isn't keeping up with
    # all the log messages you get or if you want less disk activity
    # (say on a laptop)
    # (default is 0)
    sync(50);

    # the number of lines fitting in the output queue
    log_fifo_size(10000);

    # enable or disable directory creation for destination files
    create_dirs(yes);

    # default owner, group, and permissions for log files
    # (defaults are 0, 0, 0600)
    #owner(root);
    group(adm);
    perm(0640);

    # default owner, group, and permissions for created directories
    # (defaults are 0, 0, 0700)
    #dir_owner(root);
    #dir_group(root);
    dir_perm(0755);

    # enable or disable DNS usage
    # syslog-ng blocks on DNS queries, so enabling DNS may lead to
    # a Denial of Service attack
    # (default is yes)
    use_dns(no);

    # maximum length of message in bytes
    # this is only limited by the program listening on the /dev/log Unix
    # socket, glibc can handle arbitrary length log messages, but -- for
    # example -- syslogd accepts only 1024 bytes
    # (default is 2048)
    #log_msg_size(2048);

    # Disable statistic log messages.
    stats_freq(0);

    # Some programs send log messages through a private implementation,
    # and sometimes that implementation is bad. If this happens syslog-ng
    # may recognise the program name as hostname. With this option
    # we tell syslog-ng that if a hostname matches this regexp then that
    # is not a real hostname.
    bad_hostname("^gconfd$");
};

######
# sources

# all known message sources
source s_all {
    # message generated by Syslog-NG
    internal();
    # standard Linux log source (this is the default place for the syslog()
    # function to send logs to)
    unix-stream("/dev/log");
    # messages from the kernel
    file("/proc/kmsg" log_prefix("kernel: "));
    # use the following line if you want to receive remote UDP logging messages
    # (this is equivalent to the "-r" syslogd flag)
    # udp();
};

######
# destinations

# some standard log files
destination df_auth { file("/var/log/auth.log"); };
destination df_syslog { file("/var/log/syslog"); };
destination df_cron { file("/var/log/cron.log"); };
destination df_daemon { file("/var/log/daemon.log"); };
destination df_kern { file("/var/log/kern.log"); };
destination df_lpr { file("/var/log/lpr.log"); };
destination df_mail { file("/var/log/mail.log"); };
destination df_user { file("/var/log/user.log"); };
destination df_uucp { file("/var/log/uucp.log"); };

# these files are meant for the mail system log files
# and provide re-usable destinations for {mail,cron,...}.info,
# {mail,cron,...}.notice, etc.
destination df_facility_dot_info { file("/var/log/$FACILITY.info"); };
destination df_facility_dot_notice { file("/var/log/$FACILITY.notice"); };
destination df_facility_dot_warn { file("/var/log/$FACILITY.warn"); };
destination df_facility_dot_err { file("/var/log/$FACILITY.err"); };
destination df_facility_dot_crit { file("/var/log/$FACILITY.crit"); };

# these files are meant for the news system, and are kept separated
# because they should be owned by "news" instead of "root"
destination df_news_dot_notice { file("/var/log/news/news.notice" owner("news")); };
destination df_news_dot_err { file("/var/log/news/news.err" owner("news")); };
destination df_news_dot_crit { file("/var/log/news/news.crit" owner("news")); };

# some more classical and useful files found in standard syslog configurations
destination df_debug { file("/var/log/debug"); };
destination df_messages { file("/var/log/messages"); };

# pipes
# a console to view log messages under X
destination dp_xconsole { pipe("/dev/xconsole"); };

# consoles
# this will send messages to everyone logged in
destination du_all { usertty("*"); };

######
# filters

# all messages from the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };

# all messages except from the auth and authpriv facilities
filter f_syslog { not facility(auth, authpriv); };

# respectively: messages from the cron, daemon, kern, lpr, mail, news, user,
# and uucp facilities
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_news { facility(news); };
filter f_user { facility(user); };
filter f_uucp { facility(uucp); };

# some filters to select messages of priority greater or equal to info, warn,
# and err
# (equivalents of syslogd's *.info, *.warn, and *.err)
filter f_at_least_info { level(info..emerg); };
filter f_at_least_notice { level(notice..emerg); };
filter f_at_least_warn { level(warn..emerg); };
filter f_at_least_err { level(err..emerg); };
filter f_at_least_crit { level(crit..emerg); };

# all messages of priority debug not coming from the auth, authpriv, news, and
# mail facilities
filter f_debug { level(debug) and not facility(auth, authpriv, news, mail); };

# all messages of info, notice, or warn priority not coming from the auth,
# authpriv, cron, daemon, mail, and news facilities
filter f_messages { level(info,notice,warn) and not facility(auth,authpriv,cron,daemon,mail,news); };

# messages with priority emerg
filter f_emerg { level(emerg); };

# complex filter for messages usually sent to the xconsole
filter f_xconsole { facility(daemon,mail) or level(debug,info,notice,warn) or (facility(news) and level(crit,err,notice)); };

######
# logs
# order matters if you use "flags(final);" to mark the end of processing in a
# "log" statement

# these rules provide the same behavior as the commented original syslogd rules

# auth,authpriv.* /var/log/auth.log
log { source(s_all); filter(f_auth); destination(df_auth); };

# *.*;auth,authpriv.none -/var/log/syslog
log { source(s_all); filter(f_syslog); destination(df_syslog); };

# this is commented out in the default syslog.conf
# cron.* /var/log/cron.log
#log { source(s_all); filter(f_cron); destination(df_cron); };

# daemon.* -/var/log/daemon.log
log { source(s_all); filter(f_daemon); destination(df_daemon); };

# kern.* -/var/log/kern.log
log { source(s_all); filter(f_kern); destination(df_kern); };

# lpr.* -/var/log/lpr.log
log { source(s_all); filter(f_lpr); destination(df_lpr); };

# mail.* -/var/log/mail.log
log { source(s_all); filter(f_mail); destination(df_mail); };

# user.* -/var/log/user.log
log { source(s_all); filter(f_user); destination(df_user); };

# uucp.* /var/log/uucp.log
log { source(s_all); filter(f_uucp); destination(df_uucp); };

# mail.info -/var/log/mail.info
log { source(s_all); filter(f_mail); filter(f_at_least_info); destination(df_facility_dot_info); };

# mail.warn -/var/log/mail.warn
log { source(s_all); filter(f_mail); filter(f_at_least_warn); destination(df_facility_dot_warn); };

# mail.err /var/log/mail.err
log { source(s_all); filter(f_mail); filter(f_at_least_err); destination(df_facility_dot_err); };

# news.crit /var/log/news/news.crit
log { source(s_all); filter(f_news); filter(f_at_least_crit); destination(df_news_dot_crit); };

# news.err /var/log/news/news.err
log { source(s_all); filter(f_news); filter(f_at_least_err); destination(df_news_dot_err); };

# news.notice /var/log/news/news.notice
log { source(s_all); filter(f_news); filter(f_at_least_notice); destination(df_news_dot_notice); };

# *.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
log { source(s_all); filter(f_debug); destination(df_debug); };

# *.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
log { source(s_all); filter(f_messages); destination(df_messages); };

# *.emerg *
log { source(s_all); filter(f_emerg); destination(du_all); };

# daemon.*;mail.*;\
# news.crit;news.err;news.notice;\
# *.=debug;*.=info;\
# *.=notice;*.=warn |/dev/xconsole
log { source(s_all); filter(f_xconsole); destination(dp_xconsole); };

# net logs
source s_net { tcp(ip(10.31.10.8) port(514)); };

# Apache access logs
destination df_net_apache_access { file("/logs/$PROGRAM/$HOST_FROM-access.log" group("support")); };
filter f_net_apache_access { level(info) and facility(local0); };
log { source(s_net); filter(f_net_apache_access); destination(df_net_apache_access); };

# Apache error logs
destination df_net_apache_error { file("/logs/$PROGRAM/$HOST_FROM-error.log" group("support")); };
filter f_net_apache_error { level(error) and facility(local0); };
log { source(s_net); filter(f_net_apache_error); destination(df_net_apache_error); };

# Local2 logs
destination df_net_local2 { file("/logs/$PROGRAM/$HOST_FROM-$FACILITY.log" group("support")); };
filter f_net_local2 { facility(local2) and program("([a-zA-Z0-9]+[\-\.]+)+[a-zA-Z0-9]+"); };
log { source(s_net); filter(f_net_local2); destination(df_net_local2); };

# Not matched logs
destination df_net_chandernagor_nm { file("/logs/default/$HOST_FROM-$FACILITY.log" group("support")); };
filter f_net_chandernagor_nm { facility(local2) and not program("([a-zA-Z0-9]+[\-\.]+)+[a-zA-Z0-9]+"); };
log { source(s_net); filter(f_net_chandernagor_nm); destination(df_net_chandernagor_nm); };

Attachment: logrotate configuration on the server

/logs/*/*-access.log /logs/*/*-error.log {
    create 0640 root support
    dateext
    daily
    rotate 40
    missingok
    compress
    delaycompress
    notifempty
    postrotate
        fullname=`echo $1 | sed -r 's/\.log//'`
        basename=`basename $fullname`
        dirname=`dirname $fullname`
        date=`date +%Y%m`
        if [[ `date +%-d` -le 2 ]]; then
            date=""
            if [[ `date +%-m` -eq 1 ]]; then
                date="$((`date +%Y`-1))12"
            else
                date="`date +%Y`"
                month=$((`date +%-m`-1))
                if [[ $month -le 9 ]]; then
                    date=${date}0${month}
                else
                    date=${date}${month}
                fi
            fi
        fi
        cd ${dirname}
        tar cfvz ${dirname}/${basename}-${date}.tgz ${basename}.log-${date}*.gz
        kill -HUP `cat /var/run/syslog-ng.pid`
    endscript
}