[syslog-ng] Re: Need help to send logs to a different server
Geller, Sandor (IT)
Sandor.Geller at morganstanley.com
Tue Dec 9 09:22:32 CET 2008
Hi,
The f_everthing filter matches on all logs so it is redundant,
you could omit it (using filters is optional in the log sections).
To forward the logs to a second server the easiest would be to
add the host to the everything destination like this:
destination everything {
    file("/var/log/remotes/$HOST/$HOST-all-system.logs");
    tcp("1.2.3.4" port(5));
};
Obviously replace the IP address and the port with valid values,
and when the second server doesn't support tcp then you should
use udp.
BTW you should add the log_prefix option to your kernel source
to mimic syslogd's behaviour:
file("/proc/kmsg" log_prefix("kernel: "));
hth,
Sandor
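
Added example, not part of the original message or of the poster's attached configuration: a relay setup in syslog-ng 2.x syntax that writes per-host files and forwards every message to a second server, plus the matching receiver side. The names s_remote, d_files, d_second, s_from_relay, d_live, the addresses 192.0.2.10 and 192.0.2.1, port 514 and the path /var/log/live are placeholders.

```conf
# ---- Central log server (relay) ------------------------------------
# With keep_hostname(no) the relay sets $HOST from the address the
# message arrived from, so a client cannot pick its own directory name
# under /var/log/remotes by forging the hostname field.
options {
    keep_hostname(no);
    chain_hostnames(no);
};

source s_remote {
    tcp(ip(0.0.0.0) port(514) max-connections(100));
};

# Existing per-client files.
destination d_files {
    file("/var/log/remotes/$HOST/$HOST-all-system.logs" create_dirs(yes));
};

# Second server (placeholder address). Use udp() if it cannot accept TCP.
destination d_second {
    tcp("192.0.2.10" port(514));
};

# One log path, two destinations and no filter: every message is
# written locally and forwarded at the same time.
log {
    source(s_remote);
    destination(d_files);
    destination(d_second);
};

# ---- Second server (separate syslog-ng.conf) -----------------------
# keep_hostname(yes) keeps the client name the relay put in the header;
# without it every message would be attributed to the relay itself.
# Because this trusts the sender, restrict the listening port to the
# relay's address (192.0.2.1 here) with a host firewall.
options { keep_hostname(yes); };

source s_from_relay { tcp(ip(0.0.0.0) port(514)); };

destination d_live {
    file("/var/log/live/$HOST/messages.log" create_dirs(yes));
};

log { source(s_from_relay); destination(d_live); };
```
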
> -----Original Message-----
> From: syslog-ng-bounces at lists.balabit.hu
> [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Lavannya
> Sent: Monday, December 08, 2008 7:18 PM
> To: Syslog-ng users' and developers' mailing list
> Subject: Re: [syslog-ng] Re: Need help to send logs to a
> different server
>
> Hi Mark,
>
> Thanks for your reply. I am getting error whatever
> configuration you had said. Maybe I need to change our
> existing configuration again. Here is the central log
> server configuration I am sending as attachment. Our central
> log server is already configured with tcp(ip(0.0.0.0) ip
> and when I am adding the new server to collect the log it
> is giving error.
>
> - I want to add another server (this is needed for some
> application )
> to my central log server which will
> get all the logs from the central log server.
>
> Pl. feel free to correct the log file and send it to me.
>
> Thanks again
>
>
>
>
>
> --- On Mon, 12/8/08, Marc Andersen <man at inspektsecurity.com> wrote:
>
> > From: Marc Andersen <man at inspektsecurity.com>
> > Subject: Re: [syslog-ng] Re: Need help to send logs to a
> different server
> > To: "Syslog-ng users' and developers' mailing list"
> <syslog-ng at lists.balabit.hu>
> > Date: Monday, December 8, 2008, 8:04 AM
> > If the central syslog server is running syslog-ng you can
> > just add another destination (live log server) to the
> > already existing local files.
> >
> > log{
> > source (udp/tcp incoming);
> > destination(new live log server);
> > };
> >
> > cheers
> > /Marc
> >
> >
> > On 07/12/08 16.03, "Lavannya"
> > <swap_project at yahoo.com> wrote:
> >
> > Yes , from the client we can , but I think if you read
> > my mail properly, I clearly written that my requirement is
> > NOT, to get the logs from the client. I want to set one
> > server , which will get all the information from the
> > central log master. Yes , I know it can be done through
> > ssh/rsync. But I wanted to know , if there is any option in
> > syslog-ng .
> >
> > Thanks
> >
> >
> >
> > --- On Fri, 12/5/08, liuruihong
> > <liuruihong at baidu.com> wrote:
> >
> > > From: liuruihong <liuruihong at baidu.com>
> > > Subject: Re: [syslog-ng] Need help to send logs to
> > a different server
> > > To: swap_project at yahoo.com, "'Syslog-ng
> > users' and developers' mailing list'"
> > <syslog-ng at lists.balabit.hu>
> > > Date: Friday, December 5, 2008, 3:23 AM
> > > in the client, you can define many remote log server
> > > simultaneously. syslog
> > > and syslog-ng all support this function.
> > > You can find in the manual:)
> > >
> > >
> > > Thanks!
> > >
> > > 刘蕊红 |sys|6758
> > >
> > > -----Original Message-----
> > > From: syslog-ng-bounces at lists.balabit.hu
> > > [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of
> > Swapna
> > > Sent: December 5, 2008 4:17
> > > To: syslog-ng at lists.balabit.hu
> > > Subject: [syslog-ng] Need help to send logs to a
> > different
> > > server
> > > Hi,
> > >
> > >
> > > We have syslog-ng configuration as follows:
> > >
> > > - There are 50 clients communicating to one log
> > server
> > >
> > > - The log server is kept in secured place where
> > nobody
> > > have access
> > >
> > > - All the logs of 50 clients are coming to the
> > log
> > > server and
> > > the logs are kept as follow
> > >
> > > /var/log/syslog-ng/<client
> > > host>/extended.log
> > >
> > >
> > > We want all the log of each client to relay into a
> > > separate server live.
> > > Means the current log file of each host will go to
> > the
> > > new server
> > > simultaneously as it is going to the central log
> > server.
> > >
> > >
> > > We can configure a second log server like the
> > existing
> > > one. But our
> > > requirement is, that all the logs will be received
> > from
> > > the central log
> > > server not from the client hosts.
> > >
> > > Any help is really appreciated.
> > >
> > > Thanks
> > >
> > >
> > >
> > >
> > >
> >
> ______________________________________________________________
> ______________
> > > __
> > > Member info:
> > > https://lists.balabit.hu/mailman/listinfo/syslog-ng
> > > Documentation:
> > >
> > http://www.balabit.com/support/documentation/?product=syslog-ng
> > > FAQ: http://www.campin.net/syslog-ng/faq.html
> >
> >
> >
> >
> >
> >
> >
>
>
>