[syslog-ng] multiple source/destination setup

William Bell williamb at cwie.net
Wed Jun 29 01:31:06 CEST 2005


For a while now I have been using a configuration that includes 3
sources (remote UDP, remote TCP, internal) and 3 destinations (remote
archive, local, loopback for an analyzer). Today I tried to move this
setup, which works on all levels, to another machine. This new machine has
an EXTREMELY large UDP traffic base: about 7.5 GB of syslog per day. The
setup of the new machine is exactly the same; the only variable is this
large traffic volume. Now, to the problem.


I am receiving all the syslog on the remote destination archive across
normal syslog export mechanisms. However, the two log destinations under
it are not receiving the "copies" of the logs. I was wondering if anyone
else uses syslog-ng to log large PIX firewall syslog traffic and has
seen anything similar. My theory is that syslog-ng is just not keeping
up with the speed at which it's receiving data.


Here is a copy of the conf file with only the private info adjusted.


options {
        long_hostnames(off);
        chain_hostnames(yes);
        log_fifo_size(0);        # per-destination output queue, in messages
        stats(5);                # STATS message on the internal() source every 5 s
        sync(1);                 # lines buffered before a file destination is written
        time_reopen(5);          # seconds to wait before reopening a dead connection
        time_reap(20);           # seconds an idle file destination stays open
        use_dns(no);
        use_fqdn(yes);
        use_time_recvd(no);
        };

## Normal syslog domain socket
source devlog { unix-dgram("/dev/log"); };

## Remote senders (PIX firewalls etc.)
source r_tcp { tcp(ip(0.0.0.0) port(514) max-connections(200)); };
source r_udp { udp(ip(0.0.0.0) port(514)); };

## This stuff goes straight to the syslog server
destination xxxx { tcp('X.X.X.X' port(514)); };

## Local archive, one file per host and day
destination r_all { file("/var1/syslog/$HOST-$MONTH-$DAY"); };

## Per-facility copy of the UDP traffic
destination AAAAAAA { file("/var1/AAAAAAA/$FACILITY" create_dirs(yes) ); };

## Loopback feed for the analyzer
destination analyzer { tcp('localhost' port(10000)); };

################################################################
filter fil_local7 { facility(local7); };
filter fil_local4 { facility(local4); };

## syslog-ng messages like STATS, etc
## This also tells us when it can't find a source (i.e. Hermes)
source int { internal(); };

log {
        source(int);
        source(devlog);
        source(r_tcp);
        source(r_udp);

        destination(xxxx);       # <<< WORKS
        destination(analyzer);   # <<< DOESN'T WORK
};

log {
        source(r_udp);
        destination(AAAAAAA);    # <<< DOESN'T WORK
};

log {
        source(int);
        source(devlog);
        destination(r_all);      # <<< WORKS
        flags(final);            # Stop processing rules
};


WillyBeamenHere 



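The config above enables stats(5) on the internal() source, and those statistics messages are the quickest way to test the "not keeping up" theory: syslog-ng counts messages it had to drop per destination. The script below is an added example, not part of the original post or of syslog-ng itself; it parses two constructed "Log statistics;" lines (the per-destination format of later syslog-ng 3.x releases, assumed here; older releases print a terser STATS line, so adapt the regex) and reports, for each destination, the current dropped counter and how much it grew between the first and last sample. A nonzero counter that keeps growing identifies the destination whose output queue is overflowing.

```python
import re

# Constructed sample of syslog-ng "Log statistics;" lines as written to the
# internal() source when stats() is enabled. Destination names, counters and
# timestamps are invented for this example.
SAMPLE_STATS = """\
Jun 29 01:31:06 loghost syslog-ng[1234]: Log statistics; dropped='tcp(AF_INET(10.0.0.5:514))=0', dropped='tcp(AF_INET(127.0.0.1:10000))=18234', dropped='file(/var1/AAAAAAA/$FACILITY)=9121', processed='center(queued)=312000', processed='center(received)=312000', processed='source(r_udp)=305000'
Jun 29 01:31:11 loghost syslog-ng[1234]: Log statistics; dropped='tcp(AF_INET(10.0.0.5:514))=0', dropped='tcp(AF_INET(127.0.0.1:10000))=19002', dropped='file(/var1/AAAAAAA/$FACILITY)=9800', processed='center(queued)=320000', processed='center(received)=320000', processed='source(r_udp)=313000'
"""

# One counter looks like  dropped='<name>=<value>'  or  processed='<name>=<value>'
COUNTER_RE = re.compile(r"(dropped|processed)='([^']*?)=(\d+)'")


def parse_stats_line(line):
    """Return {(kind, name): value} for one 'Log statistics;' line.

    Lines that are not statistics messages yield an empty dict, so the
    function can be fed a raw syslog file containing other traffic too.
    """
    counters = {}
    if "Log statistics;" not in line:
        return counters
    for kind, name, value in COUNTER_RE.findall(line):
        counters[(kind, name)] = int(value)
    return counters


def analyse(lines):
    """Per-destination dropped counter and its growth over the sample window.

    Returns {destination: {"dropped": latest, "delta": latest - first}}.
    The counters are cumulative since syslog-ng started, so the delta is
    what tells a current overflow apart from an old one.
    """
    samples = [parse_stats_line(l) for l in lines]
    samples = [s for s in samples if s]
    if not samples:
        return {}
    first, last = samples[0], samples[-1]
    report = {}
    for (kind, name), value in last.items():
        if kind != "dropped":
            continue
        report[name] = {"dropped": value,
                        "delta": value - first.get((kind, name), 0)}
    return report


def still_dropping(report):
    """Destinations whose dropped counter grew during the window, sorted."""
    return sorted(name for name, r in report.items() if r["delta"] > 0)


if __name__ == "__main__":
    rep = analyse(SAMPLE_STATS.splitlines())
    for name, r in sorted(rep.items()):
        print(f"{name}: dropped={r['dropped']} (+{r['delta']} this window)")
    print("overflowing:", still_dropping(rep))
```

Run it against the output of the internal() source on the loaded box (`grep 'Log statistics' /var1/syslog/loghost-*` or wherever destination r_all lands). If the two destinations that receive nothing show growing drop counts while the remote archive stays at zero, the problem is an output queue that cannot absorb the UDP burst rather than a routing mistake in the log statements.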