[syslog-ng] How to get list of IPs

Balazs Scheidler bazsi77 at gmail.com
Sat May 13 06:05:05 UTC 2017


Syslog-ng has a stats mechanism. If you set stats-level(3), syslog-ng
starts tracking host and program counters, and a timestamp for the last
message received.

These are lost when syslog-ng is restarted, but you can collect them every
few minutes.

You can query these counters using syslog-ng-ctl stats.

The stats subsystem is being extended; there have been numerous pull
requests recently.

Cheers
Bazsi

On May 13, 2017 4:13 AM, "Sathish Sundaravel" <sathish.sundaravel at gmail.com>
wrote:

> Hi Nik,
>
> Thank you. Currently I don't have such a database option enabled. I have
> gathered host information from the log file at this moment. Enabling logging
> using a database and host name format sounds like a good idea.
>
> Any other thoughts ?
>
> Regards
> Sathish
>
> On Sat, 13 May 2017 at 1:55 AM, Nik Ambrosch <nik at ambrosch.com> wrote:
>
>> Someone correct me if I’m wrong, but I don’t think there’s a good way to
>> get this information directly from the syslog-ng daemon, especially if it’s
>> restarted. A more reliable way is to pull the data off disk.
>>
>> Depending on your log volume, putting them into a database will allow you
>> to easily do this with a single query. I write about 20 million log lines
>> into a MySQL database every day, so this should cover most use cases. A
>> query would look like one of these two (depending on whether you want a line
>> count or not):
>>
>>   mysql> select distinct host from syslog_table_20170511;
>>   mysql> select distinct host,count(*) as count from
>> syslog_table_20170511 group by host order by count desc;
>>
>> Pulling from log files on disk obviously takes longer to run, but it can
>> be done with a one-liner like this:
>>
>>   $ awk '{print $1}' file.log | sort | uniq -c | sort -nr
>>
>> Another option is to write one log file per host and just run an ls to
>> see which hosts have sent logs for the day, for example:
>>
>> /loghost/YYYYMMDD/hostname.prv.log
>>
>> The dynamic path can be set up using syslog-ng.
>>
>>
>> > On May 12, 2017, at 1:11 PM, Sathish Sundaravel <
>> sathish.sundaravel at gmail.com> wrote:
>> >
>> > Hi All
>> >
>> > I have a syslog-ng server running on the Solaris platform, configured to
>> > receive or accept events from all Unix servers in one single log file.
>> >
>> > If I want to collect a list of servers reporting to the log server, I
>> > have to manually extract the list from a single log file, which is too time
>> > consuming. What would be the best way?
>> >
>> > Regards
>> > Sathish
>> > ______________________________________________________________________________
>> > Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
>> > Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
>> > FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>> >
>>
>>
>>
>
>
>
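As an added example (not code from the thread, nor from syslog-ng itself), the script below combines the two approaches discussed: Bazsi's per-host counters from `syslog-ng-ctl stats` at stats-level(3), polled every few minutes and folded into totals so a restart does not lose what was already seen, and Nik's fallback of reading the log file on disk. The `syslog-ng-ctl stats` rows and the log lines are constructed sample data; the stats column layout (`SourceName;SourceId;SourceInstance;State;Type;Number`, host counters in `src.host` rows with a `processed` count and a `stamp` holding the unix time of the last message) is the one documented for syslog-ng OSE and should be checked against the version in use.

```python
#!/usr/bin/env python3
"""List the hosts that report to a syslog-ng server (added example, not
syslog-ng code): per-host counters from `syslog-ng-ctl stats` at
stats-level(3), polled and folded into totals that survive restarts,
plus the log file on disk as a stats-free fallback."""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of `syslog-ng-ctl stats` output at stats-level(3).
SAMPLE_STATS = """\
SourceName;SourceId;SourceInstance;State;Type;Number
source;s_net;;a;processed;1245
src.host;;web01;d;processed;870
src.host;;web01;d;stamp;1494655500
src.host;;db02;d;processed;375
src.host;;db02;d;stamp;1494655488
src.program;;sshd;d;processed;30
"""

# Constructed sample of a file written with the default BSD-syslog
# template: "<Mon> <day> <time> <host> <program>: <message>".  The host
# is the fourth whitespace-separated field here, not the first.
SAMPLE_LOG = """\
May 12 13:11:00 web01 sshd[1234]: Accepted publickey for ops from 10.0.0.5
May 12 13:11:02 db02 CRON[77]: (root) CMD (run-parts /etc/cron.hourly)
May  2 13:11:05 web01 sudo: ops : TTY=pts/0 ; COMMAND=/bin/ls
May 12 13:11:09 app03 kernel: [  120.4] eth0: link up
this line is not a syslog record and is skipped
"""

BSD_HEADER = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d (\S+) ")

def parse_stats(text):
    """Map host -> {"processed": n, "stamp": unix_time_or_None} from stats output."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split(";")
        if len(fields) != 6 or fields[0] != "src.host":
            continue  # header, source/destination rows, src.program, ...
        _name, _id, host, _state, kind, number = fields
        entry = hosts.setdefault(host, {"processed": 0, "stamp": None})
        if kind == "processed":
            entry["processed"] = int(number)
        elif kind == "stamp":
            entry["stamp"] = int(number)
    return hosts

def merge_snapshot(state, snapshot):
    """Fold one poll of the counters into totals kept across restarts.
    Counters start from zero again after a restart, so a value that went
    backwards is added in full; otherwise only the increase is added."""
    for host, cur in snapshot.items():
        st = state.setdefault(host, {"total": 0, "last_counter": 0, "last_seen": None})
        if cur["processed"] >= st["last_counter"]:
            st["total"] += cur["processed"] - st["last_counter"]
        else:
            st["total"] += cur["processed"]  # reset detected
        st["last_counter"] = cur["processed"]
        if cur["stamp"] is not None and (st["last_seen"] is None or cur["stamp"] > st["last_seen"]):
            st["last_seen"] = cur["stamp"]
    return state

def hosts_from_log(text):
    """Count lines per host in a default-format log file (fallback path)."""
    counts = {}
    for line in text.splitlines():
        m = BSD_HEADER.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def report(state):
    """Rows of (host, total, last_seen as ISO-8601 UTC) sorted by total, descending."""
    rows = []
    for host, st in state.items():
        seen = st["last_seen"]
        when = datetime.fromtimestamp(seen, timezone.utc).isoformat() if seen else "-"
        rows.append((host, st["total"], when))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def live_stats():
    """Run the real `syslog-ng-ctl stats` (needs access to the control socket)."""
    return subprocess.run(["syslog-ng-ctl", "stats"], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Replace SAMPLE_STATS with live_stats() on a real server and call this
    # from cron; persist `state` (e.g. as JSON) between runs.
    state = merge_snapshot({}, parse_stats(SAMPLE_STATS))
    for host, total, when in report(state):
        print(f"{host:<12} {total:>8} last={when}")
    print("from log file:", hosts_from_log(SAMPLE_LOG))
```

To turn the counters on, put `options { stats-level(3); };` in syslog-ng.conf; `syslog-ng-ctl stats` then prints them. For the one-file-per-host layout, a destination such as `file("/loghost/${YEAR}${MONTH}${DAY}/${HOST}.prv.log" create-dirs(yes));` does the job, and an `ls` of the day's directory lists the hosts. With the default file template the host is the fourth whitespace-separated field, so an awk one-liner needs `$4` rather than `$1` unless the destination uses a template that puts `$HOST` first.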