[syslog-ng] Configuration for a centralized syslog-ng server

Davide D'Amico davide.damico at gmail.com
Mon Apr 22 16:24:05 CEST 2013


Hi, I'm using syslog-ng OSE 3.3.8 on a FreeBSD 9.1 amd64 box as the
centralized server (DELL R610, 32GB RAM, ZFS with a compressed filesystem),
and 150 servers running syslog-ng that log locally and also send their
log streams to the centralized syslog-ng.
Sometimes I see packets dropped, so I think I'm missing something in its
configuration.

That's what I'm using:
- generic server:
@version: 3.3

# Global options for a client that writes logs locally and forwards a copy
# to the central server.
options {
  # NOTE(review): 0644 makes every created log file readable by any local
  # account. Here dir_perm(0750) with dir_group(logs) on the created
  # directories is what actually restricts access.
  perm(0644);
  dir_perm(0750);
  create_dirs(yes);
  group (logs);
  dir_group (logs);
  # Output queue size, counted in messages. Once a destination's queue is
  # full, further messages for it are dropped unless the log path uses
  # flow control.
  log_fifo_size(10000);
  use_fqdn(yes);
  # Keep the hostname found in the incoming message instead of rewriting it.
  keep_hostname(yes);
  chain_hostnames(no);
  # Emit syslog-ng's own statistics message (includes per-destination
  # dropped counters) once an hour.
  stats_freq(3600);
};

# Local message sources on the client: the two syslog datagram sockets,
# syslog-ng's own internal messages, and the FreeBSD kernel log device.
source s_local {
  unix-dgram("/var/run/log");
  # Socket is created with mode 0600, so only its owner can write to it.
  unix-dgram("/var/run/logpriv" perm(0600));
  internal();
  file("/dev/klog");
};

# Local copy of every message, split by date and syslog facility.
# Directories are created on demand (create_dirs(yes) in options).
destination d_local {
  file("/var/log/syslog-ng/$YEAR/$MONTH/$DAY/$FACILITY.log");
};

# Forwarding destination: the central server at 10.0.0.9, TCP port 514.
# NOTE(review): this is plain TCP with no tls() block, so log content
# crosses the network unencrypted and the server cannot authenticate the
# sender. If the path between the hosts is not fully trusted, consider
# tcp() with tls() and peer verification on both ends.
destination d_remote {
  tcp("10.0.0.9" port(514));
};

# Single log path: every s_local message goes to both the local files and
# the central server.
# NOTE(review): no flags(flow-control) is set, so when the d_remote queue
# (log_fifo_size) fills up, e.g. while the server is slow or unreachable,
# messages for d_remote are dropped. The local copy in d_local is then the
# only record, and the "dropped" counters in the periodic statistics
# message show which destination lost them.
log {
  source(s_local);
  destination(d_local);
  destination(d_remote);
};

- centralized log server:
@version: 3.3

# Global options for the central collector.
options {
  # NOTE(review): perm(0644) together with dir_perm(0755) leaves the
  # aggregated logs of all clients readable by every local account on the
  # collector. group(logs)/dir_group(logs) suggest access was meant to go
  # through that group; tighter modes (e.g. 0640 / 0750) would enforce it.
  perm(0644);
  dir_perm(0755);
  create_dirs(yes);
  group (logs);
  dir_group (logs);
  use_fqdn(yes);
  # NOTE(review): with keep_hostname(yes) the HOST value is whatever the
  # sender wrote into the message, not something derived from the
  # connection. Any filter or file path built on HOST trusts the client.
  keep_hostname(yes);
  chain_hostnames(no);
  # Statistics message every 2 minutes. Its per-source and per-destination
  # "dropped" counters are the first place to look when messages go missing.
  stats_freq(120);
  # Output queue size in messages, per destination.
  log_fifo_size(10000);
  # Three fractional-second digits (milliseconds) in written timestamps.
  frac_digits(3);
};

# The collector's own local sources (same set as on the clients).
# NOTE(review): max_connections() is normally a setting for
# connection-oriented sources; confirm it has any effect on unix-dgram.
source s_local {
  unix-dgram("/var/run/log" max_connections(20));
  unix-dgram("/var/run/logpriv" perm(0600) max_connections(20));
  internal();
  file("/dev/klog");
};

# Matches messages whose sender address is 127.0.0.1. netmask() checks the
# address the message arrived from, not the HOST field inside it.
# Not referenced by any log path shown in this post (parts are elided).
filter f_localhost {
  netmask( "127.0.0.1" );
};

# Matches messages arriving from the 172.16.6.0/24 subnet, based on the
# sender's IP address.
# Not referenced by any log path shown in this post (parts are elided).
filter f_network6 {
  netmask( "172.16.6.0/255.255.255.0" );
};

# Files for the collector's own messages, split by date and facility.
# NOTE(review): this path is under /tank/syslog/ while d_www writes under
# /tank/syslog-ng/ -- confirm the difference is intentional, since the two
# trees may end up with different ownership, retention or backup coverage.
destination d_local {
  file("/tank/syslog/custom/localhost/$YEAR/$MONTH/$DAY/$FACILITY.log");
};

# Network listeners on 10.0.0.9: UDP (no port given, so the default) and
# TCP port 514, each requesting a 16 MiB socket receive buffer.
# NOTE(review): neither listener uses tls(), so traffic is unencrypted and
# any host that can reach this address can submit messages; restrict by
# firewall and/or netmask() filters, or move to TLS with client
# certificates.
# NOTE(review): UDP gives no delivery guarantee; datagrams are lost
# silently once the kernel buffer is full. On FreeBSD the requested
# so_rcvbuf is bounded by kern.ipc.maxsockbuf -- verify 16777216 is
# actually granted.
# NOTE(review): max_connections(200) leaves headroom over the 150 clients.
# How log_iw_size(20000) is applied across connections, and how it should
# relate to log_fifo_size, depends on the syslog-ng version -- check the
# 3.3 flow-control documentation.
source s_network {
        udp(ip("10.0.0.9") so_rcvbuf(16777216));
        tcp(ip("10.0.0.9") port(514) log_fetch_limit(100)
max_connections(200) log_iw_size(20000) so_rcvbuf(16777216));
};

# Selects messages whose HOST field names one of the three web servers.
# NOTE(review): because keep_hostname(yes) is set, HOST is sender-supplied,
# so this filter alone does not prove the message came from those machines.
# Combining it with a netmask() filter on the web servers' addresses ties
# the match to the actual source.
# NOTE(review): host() patterns are presumably treated as unanchored
# regular expressions by default, in which case "." matches any character
# and longer names containing the pattern also match -- confirm, and anchor
# or escape the pattern if exact names are intended.
filter f_www_host {
  host("www1.domain.lan") or host("www2.domain.lan") or
host("www3.domain.lan");
};

[...]

# Selects messages logged with the local6 facility. The facility is part
# of the message as sent by the client.
filter f_www_fac {
  facility(local6);
};

[...]

# Files for web-server logs, split by date and facility. All three www
# hosts share the same files because the path contains no $HOST macro.
destination d_www {
  file("/tank/syslog-ng/custom/www/$YEAR/$MONTH/$DAY/$FACILITY.log");
};

[...]

# Network messages that pass BOTH filters (www host AND facility local6)
# are written to d_www.
# NOTE(review): no flags(flow-control) here either, so if the file
# destination cannot keep up, its queue overflows and messages are dropped
# instead of the TCP senders being slowed down. Flow control cannot help
# the UDP listener.
log {
  source(s_network);
  filter(f_www_host);
  filter(f_www_fac);
  destination(d_www);
};


Thanks,
-- 
d.