[syslog-ng] Archive module ?

Evan Rempel erempel at uvic.ca
Thu Sep 8 23:13:49 CEST 2016


If you write the syslog data to a file with all of the data, then it can be ingested again.

We save the data to the files like

2016-09-08T00:00:01-07:00 host.name.here mail.info sm-mta[9521]: u887019I009521: milter=mimedefang, action=rcpt, continue

and then we have a syslog-ng pattern database that will turn this back into an "on the wire" format that can be sent to any syslog port.

Alternatively, you could save it in the file as the original format, and then it can just be sent back to syslog when you need to. Human readability is not quite as good, but if you have the data in Splunk or whatever, then humans don't need to read the raw files.

Evan.


On 09/08/2016 01:32 PM, Scot Needy wrote:
> Hi All,
>
> Is there a better way to archive my syslog data once it’s been received and injected into ELK, Splunk or whatever?
>
>   I see how I can log my data to flat files using date macros then compress and archive as normal data but is there a better way to write out the data in the same format it was received to facilitate re-ingesting?
>
> For example: My syslog data on file does not include the original syslog header data.
>
> Syslog is just one example.
>
>
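
Added example, not part of the original message and not the pattern database it mentions: a Python sketch that rebuilds a wire-format message from an archived line laid out like the sample above. It assumes the fields are ISO timestamp, host, facility.level and the original message, emits RFC 5424 with octet-counted framing as one possible wire format, and the names `to_wire` and `frame` are hypothetical.

```python
import re
from datetime import datetime

# Standard syslog facility and severity codes (RFC 5424, section 6.2.1).
FACILITIES = {name: code for code, name in enumerate(
    ["kern", "user", "mail", "daemon", "auth", "syslog",
     "lpr", "news", "uucp", "cron", "authpriv", "ftp"])}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {name: code for code, name in enumerate(
    ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"])}

# Assumed archive layout: ISO timestamp, host, facility.level, then the
# original "program[pid]: text" part (program tag and pid are optional).
ARCHIVE_LINE = re.compile(
    r"(?P<ts>\S+) (?P<host>\S+) (?P<fac>[a-z0-9]+)\.(?P<sev>[a-z]+) "
    r"(?:(?P<app>[^\s:\[\]]+)(?:\[(?P<pid>[^\]\s]+)\])?: )?(?P<msg>.*)")

def to_wire(line):
    """Rebuild an RFC 5424 message from one archived line."""
    m = ARCHIVE_LINE.fullmatch(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an archive line: {line!r}")
    try:
        pri = FACILITIES[m["fac"]] * 8 + SEVERITIES[m["sev"]]
    except KeyError as exc:
        raise ValueError(f"unknown facility or level: {exc}") from None
    datetime.fromisoformat(m["ts"])  # raises ValueError on a bad timestamp
    app, pid = m["app"] or "-", m["pid"] or "-"
    # Fields: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {m['ts']} {m['host']} {app} {pid} - - {m['msg']}"

def frame(message):
    """Octet-counting framing (RFC 6587) for replay over TCP."""
    data = message.encode("utf-8")
    return str(len(data)).encode("ascii") + b" " + data

# Constructed input: the sample line quoted in the message above.
SAMPLE = ("2016-09-08T00:00:01-07:00 host.name.here mail.info "
          "sm-mta[9521]: u887019I009521: milter=mimedefang, action=rcpt, continue")

if __name__ == "__main__":
    print(frame(to_wire(SAMPLE)).decode())
```

Lines that do not match the assumed layout raise `ValueError`, so a replay job can count and set aside rejects instead of forwarding malformed records.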

