[syslog-ng] Problem with Squid logs

Sandor Geller Sandor.Geller at morganstanley.com
Wed Apr 13 15:09:44 CEST 2011


Hello,

On Wed, Apr 13, 2011 at 2:59 PM, Matias Banchoff
<matiasb at cespi.unlp.edu.ar> wrote:
> Hello,
>   I have a problem with remote logging for Squid logs. Our setup is the
> following:
>
> -  syslog-ng server: syslog-ng 3.1.3. It is a dedicated server for
> logging. From now on, the server.
> -  syslog-ng in Squid: syslog-ng 2.0.9.  From now on, the client.

Very old version, but should still work.

> The Squid process writes three log files: access.log, store.log and
> cache.log. I have configured the client syslog-ng to send those files to
> the log server.
>
> The problem is that the content of those files is sent only when
> syslog-ng starts on the client side. So:
> 1) The syslog-ng client writes all the information to the local files
> (access, cache and store). So, locally, it works.

These files are actually written by squid, not by syslog-ng, right?
syslog-ng should just read these files.

> 2) The information is sent, but only when the client syslog-ng process
> restarts. So it is not a networking problem.

I guess you aren't using the follow_freq() option for the incoming
files, so when syslog-ng reaches EOF it will no longer try to read it.
The file offset gets stored, so after restarting syslog-ng it will
continue reading from where it left off.

> 3) And, I've left the default config for all the other log stuff (like
> messages, syslog, etc.). That information is also sent to the log
> server. And, in this case, the information is sent constantly. I mean, I
> don't have to restart the syslog-ng client to make the Squid machine
> send the "messages", "syslog", "mail" and other logs.

Other things work because syslog-ng keeps reading standard sources
like /dev/log. For files you need follow_freq(), which is enabled only
in 3.x versions by default.

Regards,

Sandor
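
The fix suggested in the reply above, written out as a client-side configuration fragment. This is an added example, not part of the original message; the Squid log paths, the log server name and port, and the one-second interval are assumptions.

```conf
# Client-side syslog-ng.conf fragment (constructed example).
# Assumed values: the Squid log paths, the log server address and port,
# and the polling interval. Adjust them to the actual setup.

# Before: no follow_freq() on the file sources. As described in the
# reply, syslog-ng then stops reading at EOF, and new lines are only
# forwarded after the client is restarted.
#
# source s_squid {
#     file("/var/log/squid/access.log");
# };

# After: follow_freq(1) makes syslog-ng check each file for new
# data once per second, so lines are forwarded as Squid writes them.
source s_squid {
    file("/var/log/squid/access.log" follow_freq(1));
    file("/var/log/squid/store.log"  follow_freq(1));
    file("/var/log/squid/cache.log"  follow_freq(1));
};

# Remote log server (assumed hostname and port).
destination d_logserver {
    tcp("logserver.example.com" port(514));
};

# Forward the followed Squid files to the log server.
log {
    source(s_squid);
    destination(d_logserver);
};
```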

