[syslog-ng] Alternate logging destination

Alexander Clouter ac56 at soas.ac.uk
Mon Nov 6 23:58:32 CET 2006


Hi,

Szeti, Balazs <szeti.balazs at hp.com> [20061106 18:18:46 +0100]:
>
> Thanks for the answers, but as I wrote before, I'm rather afraid of
> network connection error (I'll have failover servers in the center, but
> the network line is a SPOF). Unfortunately syslog-ng doesn't give any
> response if a destination is unreachable (e.g. the destination file is
> deleted!). It writes in the internal log if it couldn't connect to
> destination TCP port on startup, but no error log or negative response
> when trying to send the log over the "missing" destination (file or
> TCP). So I can't find out whether my logging was successful or not.
> 
What I would do is get each of the end 'nodes' to log to some partition on 
the local machine and then rsync/scp/ftp/whatever any log files that have not 
been successfully transferred over every hour/day/week.

If you want a *guarantee* system then you usually are compromising on the 
'liveness' of the data on the central machine.  If you do not care about an 
hour lag (or even a day) then I would log locally and transfer the files 
using a cron job.

If you need live data too then you could use a combination of both syslog 
over the network and this scheduled reliable uploading of your log data.

To confirm the other end got the logs intact you could just md5sum your log 
files at either end.

Cheers

Alex

> Balazs
> 
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Alexander
> Clouter
> Sent: Monday, November 06, 2006 5:46 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Alternate logging destination
> 
> Hi,
> 
> Szeti, Balazs <szeti.balazs at hp.com> [20061106 16:33:57 +0100]:
> >
> > Hello!
> > 
> > I would like to design a centralized logging system with 50 edge nodes
> > and one center.
> > It's quite important to have all the logs even if the center is 
> > unreachable. Is there a way to configure syslog-ng to use an alternate
> > destination? For example if the centralized TCP destination server is
> > down, the edge node syslog-ng may log in to a local file, so the logs 
> > can be reached later manually. When the center server is online again 
> > syslog-ng may log online again.
> > 
> > Any ideas?
> > 
> It's all over UDP but I helped add multicast support to do just this.
> The network duplicates the syslog messages to each 'core' syslog server
> so it does not matter if one of the boxes disappears.
> 
> I'm still pondering about sync'ing/diff'ing the differences[1] however
> for the effort you would need to put in for a heartbeat system, this
> solution wins...in my book anyway :)
> 
> Cheers
> 
> Alex
> 
> [1] I don't think it's a big problem as you really only need to bear that
> 	there could be differences and so should grep both log files for the
> 	time frame
> 
> > Thanks in advance:
> > Balazs
> > _______________________________________________
> > syslog-ng maillist  -  syslog-ng at lists.balabit.hu 
> > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> > 
> > 
> 
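The log-locally-then-transfer approach suggested in this thread, with the md5sum check at both ends, written out as an added example (not code from either poster or from syslog-ng). It assumes the edge node's syslog-ng writes closed or rotated `*.log` files into a local spool directory; the paths, the host name `loghost`, the `.sent` marker and the function names are all hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Cron entry on each edge node (assumed path):
#   5 * * * * /usr/local/sbin/ship_logs.sh --run

SPOOL=${SPOOL:-/var/log/spool}        # local partition holding closed log files (assumed)
CENTER=${CENTER:-loghost}             # central log server (assumed host name)
DEST=${DEST:-/srv/logs/$(uname -n)}   # per-node directory on the center (assumed)

# Transport and remote checksum are separate functions so they can be
# swapped (scp, ftp, ...) or replaced with local stand-ins for a dry run.
copy_file()  { rsync -a "$1" "$CENTER:$DEST/"; }
remote_sum() { ssh "$CENTER" md5sum "$DEST/$1" | cut -d' ' -f1; }

# Ship every spool file that has no ".sent" marker yet. A file is marked
# only after the checksum computed on the center matches the local one, so
# an unreachable center or a damaged copy leaves it queued for the next run.
# Returns the number of files that could not be confirmed.
ship_logs() {
    failed=0
    for f in "$SPOOL"/*.log; do
        [ -f "$f" ] || continue               # empty spool: glob did not match
        [ -f "$f.sent" ] && continue          # confirmed on an earlier run
        name=$(basename "$f")
        local_sum=$(md5sum "$f" | cut -d' ' -f1)
        if copy_file "$f" && [ "$(remote_sum "$name")" = "$local_sum" ]; then
            echo "$local_sum" > "$f.sent"     # record the verified checksum
        else
            echo "not confirmed, will retry: $f" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

if [ "${1:-}" = "--run" ]; then
    ship_logs
    exit $?
fi
```

A non-zero exit from the cron job is the "negative response" the original question was missing: it can be mailed by cron or picked up by monitoring.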

