[syslog-ng] apache logs over syslog-ng sychronized

Eli Shemer elish at consist.co.il
Wed Sep 3 16:31:23 CEST 2008 

Follow-freq(1) 
log-fifo-size(10) 
log-fetch-limit(10) 

does it sound like a viable setup?
Basically I do not need to be completely synchronized to the other servers to the second but if I schedule syslog-ng to only transfer the data every minute or so then I'm really bound to have data loss cause I don’t know what to set the buffer variables to.
Is there some norm in this situation ?

I'm using syslog-ng 2.0.0-1etch1 on debian 4
It seems to work so far.

Thanks.
 


-----הודעה מקורית-----
מאת: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] בשם Balazs Scheidler
נשלח: ג 02 ספטמבר 2008 17:54
אל: Syslog-ng users' and developers' mailing list
נושא: Re: [syslog-ng] apache logs over syslog-ng sychronized

On Tue, 2008-09-02 at 17:39 +0300, Eli Shemer wrote:
> Hey there,
> 
>  
> 
> I would like to know if this configuration sounds viable to you. 
> 
> Right now it's not really operational performance wise.
> 
>  
> 
> What I'm basically trying to do is to have my syslog server completely
> synchronized to the apache access logs of my other servers.
> 
>  
> 
> On a client I have this configured:
> 
> source s_apachelogs
> { file("/etc/apache2/logs/test/2008-09-02-test.log"); };
> 
> destination df_apachelogs { tcp("192.168.200.4" port(1999)); };
> 
> log { source(s_apachelogs); destination(df_apachelogs); };
> 
>  
> 
> and on the server:
> 
> source s_apachelogs { tcp(ip(192.168.200.4) port(1999)); };
> 
> destination df_apachelogs { file("/var/log/apachelogs.log"); };
> 
> log {
> 
>         source(s_apachelogs);
> 
>         destination(df_apachelogs);
> 
> };
> 
 < 
> 
> This is just a sample case. Later on I would like to have my server
> keep an /var/log/apachelogs/ directory completely identical to the
> logs of the other servers.
> 
> For some reason I don’t see any traffic passed over the line unless I
> run a /etc/init.d/syslog-ng reload which is really bizzar.
> 

Well, I don't know which syslog-ng version you are running, latest 2.0.x
or 2.1.x should be ok, but you should specify follow-freq(XX) in your
config to tell syslog-ng that you want to follow the specified file and
not read it from the beginning.

Performance wise you will probably need to tune log-fetch-limit() and
maybe log-fifo-size(), but see the recent thread  titled "lost messages
with follow_freq()?" on this mailing list.

-- 
Bazsi

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html

More information about the syslog-ng mailing list