  1. #1
    Just Joined!
    Join Date
    Sep 2006
    Posts
    13

    syslog-ng for remote logging


    Afternoon all, trying to get this working, but no experience with it. Basically I have a few webservers I wish to send all the http logs to one server, then do some reporting on that one box.

    These boxes are all Fedora 5. syslog-ng is running on both the server and the client. Note the following ps;
    Server:
    20593 ? Ss 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid
    Client:
    root 1607 0.0 0.0 6216 904 ? Ss 2008 0:47 syslogd -m 0
    root 3937 0.0 0.0 7368 600 ? Ss 14:48 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid

    I am not sure why the client seems to have 2 threads, but that takes care of the above. The config files look like this;

    server:
    options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
    };

    source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
    #udp(ip(0.0.0.0) port(514));
    };

    ## This will log local http messages to defined file

    destination send_http_logs { file("/var/log/web.log"); };

    filter send_http_logs {
    program("httpd.*");
    };

    log {
    source(s_sys);
    filter(send_http_logs);
    destination(send_http_logs);
    };

    client:

    options {
    sync (0);
    time_reopen (10);

    log_fifo_size (1000);
    long_hostnames(on);
    use_dns(yes);
    dns_cache(yes);
    use_fqdn(no);
    create_dirs (yes);
    keep_hostname (yes);
    perm(0640);
    dir_perm(0750);
    };

    source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
    };
    destination send_http_logs { tcp("192.168.2.54" port(514)); };

    filter send_http_logs {
    program("httpd.*");
    };

    log {
    source(s_sys);
    filter(send_http_logs);
    destination(send_http_logs);
    };

    Once things are running the client is still reporting to the local file and the server file web.log is empty (file permissions are fine). I see no way of debugging, or troubleshooting to see what or more why the logs are still writing local.

    Thanks

  2. #2
    Just Joined! cheapscotchron
    Join Date
    Dec 2008
    Location
    swamps of jersey
    Posts
    68
    Your server is listening on udp, so configure your client to send on udp.
    Assuming your syslog server is located at 192.168.2.54...

    destination send_http_logs { udp("192.168.2.54" port(514)); };

    Don't forget to bounce (restart) the client service after changing the config.

  3. #3
    Just Joined!
    Join Date
    Sep 2006
    Posts
    13
    Thanks, tried and no good. Did notice at the top of the server the following;

    source s_remote { tcp(); };
    ## This will create separate file for each client on central log server and log $
    destination d_clients { file("/var/log/web.$HOST.log"); };
    log { source(s_remote); destination(d_clients); };

    So I changed that to udp and restarted so still no good. They are still being written to the client. And I haven't found any way to debug, or watch what's really going on.

  4. #4
    Just Joined! cheapscotchron
    Join Date
    Dec 2008
    Location
    swamps of jersey
    Posts
    68
    Is it perhaps a firewall issue?

    Check your firewall on both server and client to ensure port 514 is not being blocked.

    Also, are both client and server on same LAN?
    Proxy?

  5. #5
    Just Joined!
    Join Date
    Sep 2006
    Posts
    13
    Nope, no firewall. Yes, they are both on the same network. I also noticed syslog was still running, so that has been stopped and set not to start.

    The odd thing is even on the webserver, I stopped syslog and syslog-ng yet the weblogs are still being written local to the box.
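
The transport question raised in this thread (client `tcp()`/`udp()` destination versus the server's network sources) can be checked mechanically. The script below is an added example, not part of any post: it parses the `source` and `destination` statements quoted above and reports client destinations that no server source listens for. The function names are hypothetical, and it assumes the legacy `tcp()`/`udp()` drivers default to port 514 when no `port()` is given.

```python
import re

DEFAULT_PORT = 514  # assumption: default port of the legacy tcp()/udp() drivers
DRIVER = re.compile(r"\b(tcp|udp)\s*\(")
PORT = re.compile(r"\bport\s*\(\s*(\d+)\s*\)")

def strip_comments(conf):
    # Simplification: treats every '#' as a comment start (no '#' inside strings).
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def balanced(text, start):
    # Return the text between the '(' just before `start` and its matching ')'.
    depth, i = 1, start
    while i < len(text) and depth:
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1]

def endpoints(conf, kind):
    # Set of (transport, port) for each tcp()/udp() driver in `kind` statements,
    # where kind is "source" or "destination".
    stmt = re.compile(r"\b%s\s+(\w+)\s*\{(.*?)\}\s*;" % kind, re.S)
    found = set()
    for _name, body in stmt.findall(strip_comments(conf)):
        for m in DRIVER.finditer(body):
            port = PORT.search(balanced(body, m.end()))
            found.add((m.group(1), int(port.group(1)) if port else DEFAULT_PORT))
    return found

def unmatched(client_conf, server_conf):
    # Client destinations that no server source listens for.
    return sorted(endpoints(client_conf, "destination") - endpoints(server_conf, "source"))

# Statements copied from the posts above.
SERVER_POST1 = '''source s_sys {
file ("/proc/kmsg" log_prefix("kernel: "));
unix-stream ("/dev/log");
internal();
#udp(ip(0.0.0.0) port(514));
};'''
SERVER_POST3 = 'source s_remote { tcp(); };'
CLIENT_TCP = 'destination send_http_logs { tcp("192.168.2.54" port(514)); };'
CLIENT_UDP = 'destination send_http_logs { udp("192.168.2.54" port(514)); };'

if __name__ == "__main__":
    for label, client, server in [("tcp client vs s_sys", CLIENT_TCP, SERVER_POST1),
                                  ("tcp client vs s_remote", CLIENT_TCP, SERVER_POST3),
                                  ("udp client vs s_remote", CLIENT_UDP, SERVER_POST3)]:
        print(label, "->", unmatched(client, server) or "ok")
```

A match here only means the statements agree on transport and port; it does not show that the server's `log` path writes the received messages anywhere or that the application logs through syslog at all.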
