[syslog-ng] change rsyslog for syslog-ng

Gergely Nagy algernon at balabit.hu
Wed Jun 22 22:22:39 CEST 2011


Josu Lazkano <josu.lazkano at barcelonamedia.org> writes:

> I have some questions:
>
> 1. Must I uninstall rsyslog before installing syslog-ng?

Uninstall, no. But the two should not run side by side (port conflicts,
etc - you can run both, technically, but it's not really useful, imo).

> 2. How can I configure the client side to send my logs to the server and to save on the local /var/log/?

If you want to send pre-existing files, then the easiest route (since
you have a small number of files) is to add a source for each, and send
them over to the remote server (which also has a source for each).

Though, this ain't pretty.

You could collapse this into a single pair, but that involves rewriting
the messages a bit, so that the server will know where to place them.

However, if you want to accept logs on client-side, and split them to
files on the server side, that's a lot easier!

You just have something like this on the clients:

source s_local { internal(); system(); };
destination d_net { tcp(...); };
log { source(s_local); destination(d_net); };

And on the server, you use the source you wrote above, and filter the
messages as you would do on the client side. However, when you write the
destinations, instead of writing something like this:

destination d_auth {
  file("/var/log/auth.log");
};

You write something like this:

destination d_auth {
  file("/var/log/extern/${HOST}/auth.log");
};

> 3. Is there any client limit on syslog-ng?

Nope, there isn't. Apart from OS limits, that is. Whatever those may be -
but chances are, you're not gonna hit them anytime soon. ;)

Hope these answers make sense!

-- 
|8]
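
The client/server split described in the message above, written out as a complete pair of configurations. This is an added example, not part of the original post: the server address 192.0.2.10, port 514, the `adm` group, the filter and destination names other than `d_auth`, and the hardening options are assumptions.

```conf
# Added example; names, address and port are assumptions, not from the post.
# Prepend the @version line that matches the installed syslog-ng release.

##### client: /etc/syslog-ng/syslog-ng.conf #####
source s_local { internal(); system(); };
# 192.0.2.10 is a documentation placeholder for the log server.
destination d_net { tcp("192.0.2.10" port(514)); };
log { source(s_local); destination(d_net); };

##### server: /etc/syslog-ng/syslog-ng.conf #####
options {
  # Do not trust the HOST field written by the sender: with
  # keep_hostname(no) the server sets HOST from the peer address,
  # so a client cannot choose which directory its logs land in.
  keep_hostname(no);
  use_dns(no);        # HOST becomes the peer IP, no resolver dependency
  create_dirs(yes);   # create /var/log/extern/<host>/ on first message
};

source s_net { tcp(ip("0.0.0.0") port(514)); };

filter f_auth { facility(auth, authpriv); };

destination d_auth {
  file("/var/log/extern/${HOST}/auth.log"
       owner("root") group("adm") perm(0640) dir_perm(0750));
};
# Everything that is not auth goes to a per-host catch-all file.
destination d_rest {
  file("/var/log/extern/${HOST}/messages.log"
       owner("root") group("adm") perm(0640) dir_perm(0750));
};

log { source(s_net); filter(f_auth); destination(d_auth); flags(final); };
log { source(s_net); destination(d_rest); };
```

Plain `tcp()` carries the messages unauthenticated and in clear text, so the listening port should be reachable only from the client network.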


