[syslog-ng] Best way to pipe "application" logs to central syslog-ng server.

Delon Lee Di Lun lee.delon2005 at gmail.com
Wed May 9 12:11:41 UTC 2018


Hi,

Thank you for spending the time on the sample config.
It looks like what I want!

However, would it be performance "greedy"?

I read about the new BSD syslog protocol and IETF syslog protocol, doing a
comparison on the cost-benefit analysis of "upgrading" to using the
protocol.

I saw that the new IETF syslog protocol caters for an "APP-NAME" variable.
Logically speaking, would I be able to read in the logs, specify the
"APP-NAME", and on the server side, filter out this "APP-NAME"?

I have not had the time to really sit down and experiment and look through
all the modules' options and switches. I want to gather more information
before I sit down and start the "trial and error" process.

Yours Sincerely,
Delon Lee

On Wed, 9 May 2018 at 18:48 Gergely Nagy <algernon at balabit.com> wrote:

> >>>>> "Delon" == Delon Lee Di Lun <lee.delon2005 at gmail.com> writes:
>
>     Delon> Possible to whip up a sample config?
>     Delon> Might clear things up?
>
> This is a slightly different solution, but should work nevertheless:
>
> Client:
>
> @version: 3.15
>
> source s_apache_logs {
>  wildcard-file(
>    base-dir("/var/log/apache")
>    filename-pattern("www.*")
>    flags(no-parse)
>  );
> };
>
> destination d_central {
>   network("1.2.3.4" template("$(basename ${FILE_NAME}),${MSG}\n"));
> };
>
> log { source(s_apache_logs); destination(d_central); };
>
> Server:
>
> @version: 3.15
>
> source s_net {
>   network("1.2.3.4" flags(no-parse));
> };
>
> parser p_apache {
>   csv-parser(
>     columns("apache.FILE_NAME", "apache.MESSAGE");
>     flags(greedy);
>   );
> };
>
> destination d_central_apache {
>   file("/var/log/apache/${apache.FILE_NAME}"
>        template("${apache.MESSAGE}\n"));
> };
>
> log { source(s_net); parser(p_apache); destination(d_central_apache); };
>
> ------------ * --------------
>
> The idea here is that on the client, we read the apache logs as-is, and
> forward them with the filename prepended. On the server side, we split
> the message into filename and message, and use the first part to
> determine which file to save the message to. Then we write the rest of
> the line to that file.
>
> This way you'll end up with the same contents on both sides, in files
> that have the same name (but perhaps different path, that part is up to
> you).
>
> Hope this helps.
>
> --
> |8]
>
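The APP-NAME question above can be answered with a variant of Gergely's config that uses the IETF syslog (RFC 5424) transport instead of a comma-separated template. This is an added example written for this archive page, not a config from the thread or from the syslog-ng project; it assumes the same server address 1.2.3.4 and the same "www.*" file names as the quoted reply, uses the IANA-registered TCP port 601 for syslog over TCP, and assumes syslog-ng 3.15 as in the original. In syslog-ng, the RFC 5424 APP-NAME field is exposed as the ${PROGRAM} macro, so the client sets it with a rewrite rule and the server filters on it with program().

```conf
# ---------------- Client ----------------
@version: 3.15

source s_apache_logs {
  wildcard-file(
    base-dir("/var/log/apache")
    filename-pattern("www.*")
    flags(no-parse)
  );
};

# Put the originating file name into APP-NAME; syslog-ng carries
# APP-NAME in the ${PROGRAM} macro, so setting PROGRAM is enough.
rewrite r_set_app {
  set("$(basename ${FILE_NAME})" value("PROGRAM"));
};

# syslog() sends RFC 5424 framed messages (assumed server: 1.2.3.4:601/tcp)
destination d_central {
  syslog("1.2.3.4" transport("tcp") port(601));
};

log { source(s_apache_logs); rewrite(r_set_app); destination(d_central); };

# ---------------- Server ----------------
@version: 3.15

# syslog() parses the RFC 5424 header, so APP-NAME lands in ${PROGRAM}
source s_net {
  syslog(ip("0.0.0.0") port(601) transport("tcp"));
};

# Only accept APP-NAMEs that look like the apache file names. The
# allowlist (no "/" and anchored at both ends) matters because APP-NAME
# is chosen by the client and is used below to build a file path.
filter f_apache {
  program("^www\\.[A-Za-z0-9_.-]+$");
};

destination d_central_apache {
  file("/var/log/apache/${PROGRAM}" template("${MSG}\n"));
};

log { source(s_net); filter(f_apache); destination(d_central_apache); };
```

Compared with the csv-parser approach, no delimiter has to be chosen that is guaranteed not to appear in the log line, because the file name travels in a dedicated header field rather than inside the message body. The trade-off is that a client can put anything into APP-NAME, so the server-side filter doubles as input validation for the path it writes to; the same consideration applies to ${apache.FILE_NAME} in the quoted config.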