[syslog-ng] Configuration for a centralized syslog-ng server

Balazs Scheidler bazsi77 at gmail.com
Fri Apr 26 11:29:39 CEST 2013


How do you know messages are dropped?
On Apr 22, 2013 4:24 PM, "Davide D'Amico" <davide.damico at gmail.com> wrote:

> Hi, I'm using syslog-ng OSE 3.3.8 on a FreeBSD 9.1 amd64 box on a
> centralized server (DELL R610, 32GB RAM, ZFS with compressed filesystem)
> and 150 servers with syslog-ng that log locally and send their log
> streams remotely to the centralized syslog-ng.
> Sometimes I see packets dropped, so I think I'm missing something in its
> configuration.
>
> That's what I'm using:
> - generic server:
> @version: 3.3
>
> options {
>   perm(0644);
>   dir_perm(0750);
>   create_dirs(yes);
>   group (logs);
>   dir_group (logs);
>   log_fifo_size(10000);
>   use_fqdn(yes);
>   keep_hostname(yes);
>   chain_hostnames(no);
>   stats_freq(3600);
> };
>
> source s_local {
>   unix-dgram("/var/run/log");
>   unix-dgram("/var/run/logpriv" perm(0600));
>   internal();
>   file("/dev/klog");
> };
>
> destination d_local {
>   file("/var/log/syslog-ng/$YEAR/$MONTH/$DAY/$FACILITY.log");
> };
>
> destination d_remote {
>   tcp("10.0.0.9" port(514));
> };
>
> log {
>   source(s_local);
>   destination(d_local);
>   destination(d_remote);
> };
>
> - centralized log server:
> @version: 3.3
>
> options {
>   perm(0644);
>   dir_perm(0755);
>   create_dirs(yes);
>   group (logs);
>   dir_group (logs);
>   use_fqdn(yes);
>   keep_hostname(yes);
>   chain_hostnames(no);
>   stats_freq(120);
>   log_fifo_size(10000);
>   frac_digits(3);
> };
>
> source s_local {
>   unix-dgram("/var/run/log" max_connections(20));
>   unix-dgram("/var/run/logpriv" perm(0600) max_connections(20));
>   internal();
>   file("/dev/klog");
> };
>
> filter f_localhost {
>   netmask( "127.0.0.1" );
> };
>
> filter f_network6 {
>   netmask( "172.16.6.0/255.255.255.0" );
> };
>
> destination d_local {
>   file("/tank/syslog/custom/localhost/$YEAR/$MONTH/$DAY/$FACILITY.log");
> };
>
> source s_network {
>         udp(ip("10.0.0.9") so_rcvbuf(16777216));
>         tcp(ip("10.0.0.9") port(514) log_fetch_limit(100)
> max_connections(200) log_iw_size(20000) so_rcvbuf(16777216));
> };
>
> filter f_www_host {
>   host("www1.domain.lan") or host("www2.domain.lan") or
> host("www3.domain.lan");
> };
>
> [...]
>
> filter f_www_fac {
>   facility(local6);
> };
>
> [...]
>
> destination d_www {
>   file("/tank/syslog-ng/custom/www/$YEAR/$MONTH/$DAY/$FACILITY.log");
> };
>
> [...]
>
> log {
>   source(s_network);
>   filter(f_www_host);
>   filter(f_www_fac);
>   destination(d_www);
> };
>
>
> Thanks,
> --
> d.
>
>
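One way to answer the question above from the logs themselves, as an added example that is not part of the original thread: the script reads the `Log statistics` messages that syslog-ng writes through `internal()` every `stats_freq()` seconds and reports each interval in which a `dropped` counter grew. The sample lines are constructed, and the message layout and the cumulative counters are assumptions based on syslog-ng 3.x behaviour.

```python
import re

# Constructed sample of a client's local log (host names and PIDs are made up;
# 10.0.0.9:514 is the d_remote destination from the configuration above).
SAMPLE = """\
Apr 26 10:00:00 www1 syslog-ng[812]: Log statistics; dropped='tcp(AF_INET(10.0.0.9:514))=0', processed='destination(d_remote)=1500', stored='tcp(AF_INET(10.0.0.9:514))=0'
Apr 26 10:17:03 www1 cron[991]: (root) CMD (newsyslog)
Apr 26 11:00:00 www1 syslog-ng[812]: Log statistics; dropped='tcp(AF_INET(10.0.0.9:514))=42', processed='destination(d_remote)=90000', stored='tcp(AF_INET(10.0.0.9:514))=10000'
Apr 26 12:00:00 www1 syslog-ng[812]: Log statistics; dropped='tcp(AF_INET(10.0.0.9:514))=42', processed='destination(d_remote)=95000', stored='tcp(AF_INET(10.0.0.9:514))=0'
Apr 26 13:00:00 www1 syslog-ng[1440]: Log statistics; dropped='tcp(AF_INET(10.0.0.9:514))=7', processed='destination(d_remote)=20000', stored='tcp(AF_INET(10.0.0.9:514))=10000'
"""

# One counter looks like: dropped='tcp(AF_INET(10.0.0.9:514))=42'
COUNTER = re.compile(r"(\w+)='([^']+)=(\d+)'")


def parse_stats(line):
    """Return {(kind, name): value} for a 'Log statistics' line, else None."""
    if "Log statistics;" not in line:
        return None
    payload = line.split("Log statistics;", 1)[1]
    return {(kind, name): int(val) for kind, name, val in COUNTER.findall(payload)}


def dropped_deltas(lines):
    """Return [(line_no, destination, newly_dropped)] where 'dropped' grew."""
    previous = {}          # destination -> last seen cumulative value
    findings = []
    for line_no, line in enumerate(lines, 1):
        stats = parse_stats(line)
        if stats is None:
            continue
        for (kind, name), value in stats.items():
            if kind != "dropped":
                continue
            last = previous.get(name, 0)
            # Assumption: counters are cumulative since start-up, so a value
            # below the previous one means a restart and all of it is new.
            delta = value - last if value >= last else value
            if delta > 0:
                findings.append((line_no, name, delta))
            previous[name] = value
    return findings


if __name__ == "__main__":
    for line_no, name, delta in dropped_deltas(SAMPLE.splitlines()):
        print(f"line {line_no}: {name} dropped {delta} new message(s)")
```

The `dropped` counter reflects messages discarded when a destination's output queue (`log_fifo_size()`) is full; UDP datagrams discarded by the kernel before syslog-ng reads them are not included in it.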