[syslog-ng] importing old syslog-ng messages

Mike mike at jeke.fdns.net
Wed Nov 5 22:30:29 CET 2008


this is a pretty basic example, but hopefully it helps:

(note: these are only partial config files!)

so let's say right now you have something like this:

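# listen for syslog on the default UDP port (514)
source s_UDP { udp(); };

# keep only messages that contain "iptables" or "PIX"
filter f_firewall {
        match("iptables") or
        match("PIX");
};

# forward to the central log host
destination d_loghost { udp("192.168.1.1" port(514)); };

log {
        source(s_UDP);
        filter(f_firewall);
        destination(d_loghost);
};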



so now, anything coming in on UDP port 514 that contains either iptables
or PIX will be forwarded on to another server (192.168.1.1).

but if I want to bring in logs from last week that I have in a file 
/home/operator/old_logs.txt, I would adjust the syslog-ng.conf to look 
like this:

source s_UDP  { udp(); };
# second source: a named pipe (FIFO) that old log lines are written into
source s_pipe { pipe("/var/syslog_ng_pipe"); };

filter f_firewall {
        match("iptables") or
        match("PIX");
};

destination d_loghost { udp("192.168.1.1" port(514)); };

# both sources go through the same filter and destination
log {
        source(s_UDP);
        source(s_pipe);
        filter(f_firewall);
        destination(d_loghost);
};

I would then run the following commands (as the root user):

mkfifo /var/syslog_ng_pipe
/etc/init.d/syslog-ng restart

cat /home/operator/old_logs.txt > /var/syslog_ng_pipe


if you are concerned about uptime on your syslog-ng process, you could 
copy the config file to a new file, then fire up a new syslog-ng process 
to handle the data from the pipe (and not from the network). but! you 
gotta make sure that your destination is OK with having two incoming 
data streams.

cheers,
Mike


  On Wed, 5 Nov 2008, Daniel L. Spells Sr. wrote:

> Mike,
>
> Thanks.  If you wouldn't mind sending a config example it would be much
> appreciated.
>
> Daniel
>
> On Wed, November 5, 2008 14:51, Mike wrote:
>> Heya,
>>
>>
>> whenever I have to replay old logs back into syslog-ng, I create a FIFO
>> on the file system, and make syslog-ng listen to that pipe.
>>
>> you can then cat whichever old files you have into that pipe, and
>> syslog-ng will handle them like they are new.
>>
>> just make sure that you have syslog-ng configured to use that pipe
>> source() when sending it to your database.
>>
>> I can provide a config example of what I just said if you want.
>>
>>
>>
>> Mike
>>
>>
>> On Wed, 5 Nov 2008, Daniel L. Spells Sr. wrote:
>>
>>
>>> Sirs,
>>>
>>>
>>> Is there a way to import /var/log/messages, created by syslog-ng, into
>>> syslog-ng to be placed into a database?
>>>
>>> Daniel
>>>
>>>
>>> _______________________________________________________________________
>>> _______
>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>> Documentation:
>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>>
>>>
>>>
>
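
Added example (not part of the original post or of syslog-ng): a shell version of the replay steps described in the message above, creating the FIFO owner-only so other local users cannot write forged lines into the pipe() source, and counting how many lines the f_firewall filter should forward. The function names and the replay.sh script name are hypothetical, and grep's substring match only approximates match().

```shell
#!/bin/sh
# Added example: hardened replay of an archived log into a syslog-ng pipe().
# Paths passed in are assumptions; the FIFO must match the pipe() source path.

# ensure_fifo PATH: create PATH as an owner-only (0600) FIFO, or verify an
# existing one. A FIFO that others can write to lets any local user feed
# forged lines into the same log path as the replayed data.
ensure_fifo() {
    fifo=$1
    [ -e "$fifo" ] || mkfifo -m 600 "$fifo" || return 1
    [ -p "$fifo" ] || { echo "$fifo: not a FIFO" >&2; return 1; }
    case $(ls -ld "$fifo") in
        ?????w*|????????w*)
            echo "$fifo: group/world writable" >&2; return 1 ;;
    esac
}

# count_firewall_lines FILE: lines containing "iptables" or "PIX", i.e. a
# plain-substring approximation of the f_firewall filter. This is roughly
# how many messages d_loghost should receive from the replay.
count_firewall_lines() {
    grep -c -e 'iptables' -e 'PIX' "$1" || :
}

# replay_log FILE PATH: write FILE into the FIFO and print the line count.
# The write blocks until syslog-ng has the FIFO open for reading.
replay_log() {
    file=$1
    [ -r "$file" ] || { echo "$file: not readable" >&2; return 1; }
    ensure_fifo "$2" || return 1
    cat "$file" > "$2" || return 1
    wc -l < "$file" | tr -d ' '
}

# Script usage: replay.sh OLD_LOG FIFO
if [ "$#" -eq 2 ]; then
    echo "expected forwards: $(count_firewall_lines "$1")"
    echo "lines written: $(replay_log "$1" "$2")"
fi
```

Comparing the expected-forwards count with what arrives at the destination shows whether UDP forwarding dropped messages during the replay.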

