[syslog-ng] apache logs over syslog-ng synchronized
Balazs Scheidler
bazsi at balabit.hu
Tue Sep 2 16:53:43 CEST 2008
On Tue, 2008-09-02 at 17:39 +0300, Eli Shemer wrote:
> Hey there,
>
>
>
> I would like to know if this configuration sounds viable to you.
>
> Right now it's not really operational performance wise.
>
>
>
> What I'm basically trying to do is to have my syslog server completely
> synchronized to the apache access logs of my other servers.
>
>
>
> On a client I have this configured:
>
> source s_apachelogs
> { file("/etc/apache2/logs/test/2008-09-02-test.log"); };
>
> destination df_apachelogs { tcp("192.168.200.4" port(1999)); };
>
> log { source(s_apachelogs); destination(df_apachelogs); };
>
>
>
> and on the server:
>
> source s_apachelogs { tcp(ip(192.168.200.4) port(1999)); };
>
> destination df_apachelogs { file("/var/log/apachelogs.log"); };
>
> log {
>
> source(s_apachelogs);
>
> destination(df_apachelogs);
>
> };
>
>
>
> This is just a sample case. Later on I would like to have my server
> keep an /var/log/apachelogs/ directory completely identical to the
> logs of the other servers.
>
> For some reason I don’t see any traffic passed over the line unless I
> run a /etc/init.d/syslog-ng reload which is really bizarre.
>
Well, I don't know which syslog-ng version you are running, latest 2.0.x
or 2.1.x should be ok, but you should specify follow-freq(XX) in your
config to tell syslog-ng that you want to follow the specified file and
not read it from the beginning.
Performance wise you will probably need to tune log-fetch-limit() and
maybe log-fifo-size(), but see the recent thread titled "lost messages
with follow_freq()?" on this mailing list.
--
Bazsi
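
The client-side configuration from the question with the options named in the reply applied, as an added example that is not part of the original thread. The numeric values are constructed starting points to tune, not figures given by either poster; option names are written with underscores, as in the thread title cited in the reply.

```conf
# Added example (not from the thread): client side, syslog-ng 2.x syntax.
# All numeric values below are illustrative assumptions.

source s_apachelogs {
    file("/etc/apache2/logs/test/2008-09-02-test.log"
        follow_freq(1)         # poll the file for appended lines every second
        log_fetch_limit(100)   # maximum number of lines read in one poll
    );
};

destination df_apachelogs {
    tcp("192.168.200.4" port(1999)
        # Output queue for this destination. Keep it larger than
        # log_fetch_limit() so one poll's worth of lines always fits;
        # lines that do not fit in the queue are dropped.
        log_fifo_size(10000)
    );
};

log { source(s_apachelogs); destination(df_apachelogs); };
```

On a central log host, dropped lines leave gaps in the access-log record, so compare line counts between the source file and /var/log/apachelogs.log after changing these values.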