- 07-06-2011 #1
syslogd and syslog-ng
My question could be kind of weird, but are syslogd and syslog-ng supposed to work together, or must it be either/or?
Also related, I find that syslogd is using way too much CPU time (1/4). Is there a way to reduce this?
The only other process running on this system is Kamailio SIP load balancer.
System is a Centos 5.6 32bit dual Xeon Quadcore 3Ghz with 4G Ram
- 07-06-2011 #2
I'd say either/or. The syslog system calls used by programs to send logs presume one system logging mechanism. I've never tried starting two, so I can't say for certain.
Do you have auditing turned on? That's the only circumstance where I've seen syslog burning up a major amount of cpu time.
- 07-07-2011 #3
No, I do not have auditing turned on....
I disabled the syslogd service while keeping syslog-ng on, and the CPU rate went down dramatically...
- 07-07-2011 #4
So you did have them both running at once? I'd expect that to cause a lot of contention and thrashing. I'm surprised that the dependencies are such that you can have both of them installed at once. I've noticed that if you install both (sysklogd and syslog-ng) and go to remove, whichever one you remove first goes without a hitch, and the second one spews page after page of dependencies and would essentially result in uninstalling the system.
So, I'd remove whichever one I wasn't using to avoid getting assaulted by it in some dark alley.
- 07-07-2011 #5
So basically, if I'm running syslog-ng I don't need syslogd, correct?
syslog-ng will still log messages to the standard /var/log folders?
- 07-07-2011 #6
yes.
syslog-ng will write wherever you configure it to do so. But by default yes.
Another option is rsyslog, which has very powerful features like templates and RELP.
You must always face the curtain with a bow.
- 07-07-2011 #7
Centos 5 seems to default to sysklogd. Of the three major options, I prefer rsyslog, but one thing syslog-ng has that it doesn't is a simple way to feed syslog the logs from applications that write theirs directly rather than sending them to syslog. If you want to pipe Apache logs to syslog from within Apache, you may have to put pipe designations in multiple locations, using multiple syntaxes, to get all of the clear and ssl access and error logs. If you use syslog-ng, you can do it in syslog-ng.conf with syntax that works essentially like a "tail -f <filename>|logger". syslog-ng generally has extremely powerful and flexible configurability with respect to unconventional sources and destinations, like pipes, sockets, device files, etc.
- 07-07-2011 #8
rsyslog also can do a "tail -f", via its imfile module.
Basically I have something like this:
Code:
    # the imfile module must already be loaded ($ModLoad imfile) before these directives
    $template Forward__SLT_<APPNAME>_syslog,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% <APPNAME>,all,php,error,:%SYSLOGTAG%%msg:::sp-if-no-1st-sp%%msg%"
    $InputFileName /var/log/apache/error.log
    $InputFileTag <APPNAME>,all,apache,error,:
    $InputFileStateFile rsyslog-stat__apache_error
    $InputFileSeverity err
    $InputFileFacility local7
    $InputRunFileMonitor
( I replaced my actual appname with <APPNAME> )
And yeah. I badly abused the syslogtag to have fields,
so that I can later on use them for finer filtering on the central loghost.
Last edited by Irithori; 07-07-2011 at 03:39 PM.
You must always face the curtain with a bow.
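As an added example (not part of the thread and not Irithori's code), here is one way the central loghost could split such a field-carrying tag and filter on it. It assumes forwarded lines of the form `<PRI>timestamp host app,scope,component,level,:message`; the field names are hypothetical labels for the four comma-separated tag values, and the sample lines are constructed.

```python
import re
from datetime import datetime

# Severity names indexed by syslog severity number (PRI & 7).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Assumed meaning of the four tag fields (hypothetical names, not from the thread).
FIELD_NAMES = ("app", "scope", "component", "level")
# <PRI>RFC3339-timestamp host field,field,...,:message
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) (?P<tag>[^:\s]*,):(?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict for one forwarded line, or None if it is malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or int(m["pri"]) > 191:  # highest valid PRI: facility 23, severity 7
        return None
    fields = m["tag"].rstrip(",").split(",")
    if len(fields) != len(FIELD_NAMES):
        return None
    try:
        when = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    pri = int(m["pri"])
    rec = dict(zip(FIELD_NAMES, fields))
    rec.update(facility=pri >> 3, severity=SEVERITIES[pri & 7],
               time=when, host=m["host"], msg=m["msg"].lstrip())
    return rec

def select(lines, **wanted):
    """Yield parsed records whose fields equal every key/value in `wanted`."""
    for line in lines:
        rec = parse_line(line)
        if rec and all(rec.get(k) == v for k, v in wanted.items()):
            yield rec

# Constructed sample lines; 187 = local7 (23) * 8 + err (3), 190 = local7.info.
SAMPLE = [
    "<187>2011-07-07T15:39:02+02:00 web01 shop,all,apache,error,: [error] File does not exist: /var/www/x",
    "<187>2011-07-07T15:39:05+02:00 web01 shop,all,php,error,: PHP Warning: division by zero",
    "<190>2011-07-07T15:39:09+02:00 web02 wiki,all,apache,access,: GET /index.php 200",
    "garbage line without a priority",
]

if __name__ == "__main__":
    for r in select(SAMPLE, component="apache", level="error"):
        print(r["time"].isoformat(), r["host"], r["app"], r["severity"], r["msg"])
```

Lines that fail to parse are skipped here; on a real loghost they are worth counting, since a sudden rise usually means a sender's template or tag changed.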
- 07-07-2011 #9

Blessings upon thee, Irithori! I had looked for that and not been able to find it. It's not as simple as the way syslog-ng does it, but it would have saved me hacking a ton of Apache .conf files recently in an audit remediation. And when the Apache on a system is part of, say, an Oracle bundle, it belongs to somebody else and a whole 'nother level of change control comes into play.
Last edited by Mudgen; 07-07-2011 at 04:19 PM. Reason: e



