[syslog-ng] importing old syslog-ng messages

Daniel L. Spells Sr. daniel at smolderinggenius.com
Wed Nov 5 22:24:40 CET 2008


Mike,

Thanks.  I was close but not sure.

Daniel

On Wed, November 5, 2008 15:30, Mike wrote:
>
> this is a pretty basic example, but hopefully it helps:
>
> (note: these are only partial config files!)
>
>
> so let's say right now you have something like this:
>
> source s_UDP  { udp(); };
>
> filter f_firewall { match ("iptables") or match ("PIX"); };
>
>
> destination d_loghost { udp(192.168.1.1  port(514)); };
>
> log {	source (s_UDP); filter (f_firewall); destination (d_loghost); };
>
>
>
>
> so now, anything that comes in on UDP port 514 and contains either iptables
> or PIX will be forwarded on to another server (192.168.1.1).
>
> but if I want to bring in logs from last week that I have in a file
> /home/operator/old_logs.txt, I would adjust the syslog-ng.conf to look
> like this:
>
> source s_UDP  { udp(); };
> source s_pipe { pipe ("/var/syslog_ng_pipe"); };
>
>
> filter f_firewall { match ("iptables") or match ("PIX"); };
>
>
> destination d_loghost { udp(192.168.1.1  port(514)); };
>
> log {   source (s_UDP); source (s_pipe); filter (f_firewall); destination (d_loghost); };
>
>
> I would then run the following commands (as the root user):
>
> mkfifo /var/syslog_ng_pipe
> /etc/init.d/syslog-ng restart
>
>
> cat /home/operator/old_logs.txt > /var/syslog_ng_pipe
>
>
> if you are concerned about uptime on your syslog-ng process, you could
> copy the config file to a new file, then fire up a new syslog-ng process
> to handle the data from the pipe (and not from the network). but! you
> gotta make sure that your destination is OK with having two incoming data
> streams.
>
> cheers, Mike
>
>
>
> On Wed, 5 Nov 2008, Daniel L. Spells Sr. wrote:
>
>
>> Mike,
>>
>>
>> Thanks.  If you wouldn't mind sending a config example it would be much
>>  appreciated.
>>
>> Daniel
>>
>>
>> On Wed, November 5, 2008 14:51, Mike wrote:
>>
>>> Heya,
>>>
>>>
>>>
>>> whenever I have to replay old logs back into syslog-ng, I create a FIFO
>>> on the file system, and make syslog-ng listen to that pipe.
>>>
>>> you can then cat whichever old files you have into that pipe, and
>>> syslog-ng will handle them like they are new.
>>>
>>> just make sure that you have syslog-ng configured to use that pipe
>>> source() when sending it to your database.
>>>
>>> I can provide a config example of what I just said if you want.
>>>
>>>
>>>
>>>
>>> Mike
>>>
>>>
>>>
>>> On Wed, 5 Nov 2008, Daniel L. Spells Sr. wrote:
>>>
>>>
>>>
>>>> Sirs,
>>>>
>>>>
>>>>
>>>> Is there a way to import /var/log/messages, created by syslog-ng,
>>>> into syslog-ng to be placed into a database?
>>>>
>>>> Daniel
>>>>
>>>>
>>>>
>>>> ______________________________________________________________________________
>>>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>>>> Documentation:
>>>> http://www.balabit.com/support/documentation/?product=syslog-ng
>>>> FAQ: http://www.campin.net/syslog-ng/faq.html
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
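
The mkfifo and cat steps quoted above, as an added example that is not part of the original thread: a small wrapper that creates the FIFO with owner-only permissions and refuses to write when the target is not a FIFO. The function names and the prepare/replay subcommands are hypothetical; the paths in the usage comment are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: replay archived syslog lines through
# the FIFO that the pipe() source reads. Function names and the
# prepare/replay subcommands are hypothetical.

# Create the FIFO readable and writable by its owner only, so other local
# users cannot inject lines into the forwarded log stream.
make_log_fifo() {
    fifo_path=$1
    if [ -L "$fifo_path" ]; then
        echo "refusing: $fifo_path is a symlink" >&2
        return 1
    fi
    if [ -e "$fifo_path" ] && [ ! -p "$fifo_path" ]; then
        echo "refusing: $fifo_path exists and is not a FIFO" >&2
        return 1
    fi
    if [ ! -p "$fifo_path" ]; then
        mkfifo -m 600 "$fifo_path" || return 1
    fi
    chmod 600 "$fifo_path"
}

# Write one old log file into the FIFO. If the FIFO were missing, a plain
# "cat file > path" would create a regular file there and the data would
# never reach syslog-ng, so check the target type first.
replay_logs() {
    old_log=$1
    fifo_path=$2
    [ -f "$old_log" ] && [ -r "$old_log" ] || {
        echo "cannot read $old_log" >&2; return 1; }
    [ -p "$fifo_path" ] && [ ! -L "$fifo_path" ] || {
        echo "refusing: $fifo_path is not a FIFO" >&2; return 1; }
    # Blocks until a reader (syslog-ng) has the FIFO open.
    cat "$old_log" > "$fifo_path"
}

# Usage, run as root in the order given in the thread:
#   sh replay.sh prepare /var/syslog_ng_pipe
#   /etc/init.d/syslog-ng restart
#   sh replay.sh replay /home/operator/old_logs.txt /var/syslog_ng_pipe
case "${1:-}" in
    prepare) make_log_fifo "$2" ;;
    replay)  replay_logs "$2" "$3" ;;
esac
```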



