[syslog-ng] Syslog-NG.conf to Fork to Two Log Aggregators

Sandor Geller sandor.geller at ericsson.com
Wed Oct 1 11:17:23 CEST 2014


Hi,

On 09/30/2014 08:34 PM, wiskbroom at hotmail.com wrote:
> Hello;
>
> I have syslog clients that I would like to configure to send log-data to
> a middle-man/intermediary syslog-NG server.  Once received on the
> intermediary, I want to immediately fork that data onto a different
> log-server, not syslog-NG; satisfying a requirement to feed two systems.

Well, with this design there is a SPoF (single point of failure), the 
syslog-ng relay. If it fails for some reason you'll lose logs.

If the second log system scales for multiple log sources just like 
syslog-ng then you should configure the syslog-ng clients to send logs 
to both systems. Of course with such a design network load could 
duplicate unless you're using UDP multicast - but that involves another 
factor, log transport reliability, which isn't the best with UDP, to say 
the least. So you've got to consider all possible scenarios and then make 
a choice which is the best for your needs.

It is easy to set up either the syslog-ng clients or syslog-ng 
server/relay to send logs to multiple destinations.

> The reason for the fork is because the non-syslog-NG-server is running a
> proprietary logging system, and it must, at least for now, be capable of
> seeing *most* of my logs.  It, the non-syslog-NG-server, is incapable of
> retransmitting to my syslog-NG server, nor would I trust it to do so.
>
> My questions to the list are,
> 1.   Has anyone successfully done something similar?

yes, but see above for the caveats

> 2.   Any recommendations/gotchas I should be aware of?

see above

> 3.   Can I also configure syslog-NG to also resend Splunk data?  Or do I
> have to run a Splunk Univ Forwarder configured similarly to my
> intermediary syslog-NG server to achieve that?   (Yes, I know, OT
> question, sorry...)

Without understanding how splunk works internally I can't really help 
here; my understanding is that it is a log store / search engine, so it 
doesn't forward data to external systems. If it has a forwarder then it 
can feed other systems, but in this case splunk would be the SPoF.

hth,

Sandor
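The fan-out Sandor describes (one source, one log path, two destinations) as an added example configuration; it is not from the original message or from the syslog-ng project. The host names, ports, the TCP/RFC 5424 transport on the relay side, and the assumption that the proprietary collector accepts classic syslog over TCP are all placeholders. The disk-buffer() option is syslog-ng OSE 3.8 or later; drop it on older versions.

```conf
@version: 3.8

# Added example: a syslog-ng relay that forks every received message to
# two collectors. Host names, ports and protocols are assumptions.

options {
    keep_hostname(yes);    # forward the original client's hostname, not the relay's
    chain_hostnames(no);   # do not prepend the relay's name to the HOST field
};

# Clients send RFC 5424 syslog over TCP to the relay on port 601 (assumed).
source s_clients {
    syslog(ip(0.0.0.0) port(601) transport("tcp"));
};

# Destination 1: the real syslog-ng log server (assumed name and port).
# The reliable disk buffer keeps messages on the relay's disk while this
# destination is unreachable, so a collector outage does not drop logs.
destination d_syslogng_server {
    syslog("logserver.example.com" port(601) transport("tcp")
        disk-buffer(mem-buf-size(10000) disk-buf-size(1073741824) reliable(yes))
    );
};

# Destination 2: the proprietary collector, assumed to take BSD syslog over TCP/514.
destination d_proprietary {
    network("proprietary-collector.example.com" port(514) transport("tcp")
        disk-buffer(mem-buf-size(10000) disk-buf-size(1073741824) reliable(yes))
    );
};

# One log path with two destinations: each message is delivered to both.
# flow-control makes the source slow down instead of dropping when a
# destination's queue fills up.
log {
    source(s_clients);
    destination(d_syslogng_server);
    destination(d_proprietary);
    flags(flow-control);
};
```

The same two-destination log path works on the clients themselves (with a local source such as system() instead of the network source), which is the alternative the reply recommends. Note what the buffers do and do not cover: they protect against either collector being down, but not against the relay host itself failing, which is exactly the single point of failure the reply warns about.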
