syslog-ng for remote logging
Afternoon all, trying to get this working, but no experience with it. Basically I have a few webservers and I wish to send all the http logs to one server, then do some reporting on that one box.
These boxes are all Fedora 5. syslog-ng is running on both the server and the client. Note the following ps:
Server:
20593 ? Ss 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid
Client:
root 1607 0.0 0.0 6216 904 ? Ss 2008 0:47 syslogd -m 0
root 3937 0.0 0.0 7368 600 ? Ss 14:48 0:00 /sbin/syslog-ng -p /var/run/syslogd.pid
I am not sure why the client seems to have 2 threads, but that takes care of the above. The config files look like this:
server:
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};
source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
    #udp(ip(0.0.0.0) port(514));
};
## This will log local http messages to defined file
destination send_http_logs { file("/var/log/web.log"); };
filter send_http_logs {
    program("httpd.*");
};
log {
    source(s_sys);
    filter(send_http_logs);
    destination(send_http_logs);
};
client:
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames(on);
    use_dns(yes);
    dns_cache(yes);
    use_fqdn(no);
    create_dirs (yes);
    keep_hostname (yes);
    perm(0640);
    dir_perm(0750);
};
source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
};
destination send_http_logs { tcp("192.168.2.54" port(514)); };
filter send_http_logs {
    program("httpd.*");
};
log {
    source(s_sys);
    filter(send_http_logs);
    destination(send_http_logs);
};
Once things are running, the client is still reporting to the local file and the server file web.log is empty (file permissions are fine). I see no way of debugging or troubleshooting to see what, or more to the point why, the logs are still being written locally.
Thanks
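
An added example, not part of the original post: a Python check that compares the network destinations in the client config with the active network sources in the server config. The config excerpts are copied from the post; the function names and the fallback port of 514 when a driver has no port() option are assumptions of this example.

```python
import re

# Constructed excerpts: the network-relevant parts of the two configs in the post.
SERVER_CONF = """
source s_sys {
    file ("/proc/kmsg" log_prefix("kernel: "));
    unix-stream ("/dev/log");
    internal();
    #udp(ip(0.0.0.0) port(514));
};
"""
CLIENT_CONF = """
destination send_http_logs { tcp("192.168.2.54" port(514)); };
"""

BLOCK = re.compile(r"\b(source|destination)\s+(\w+)\s*\{(.*?)\}\s*;", re.S)
DRIVER = re.compile(r"\b(tcp|udp)\s*\((.*?)\)\s*;", re.S)
PORT = re.compile(r"port\s*\(\s*(\d+)\s*\)")
DEFAULT_PORT = 514  # assumed when a driver has no port() option


def strip_comments(conf):
    """Drop '#' comments so a disabled driver is not counted as active.
    Assumes '#' never appears inside a quoted string, as in these configs."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())


def endpoints(conf, kind):
    """Return {(transport, port)} of active tcp()/udp() drivers in `kind` blocks."""
    found = set()
    for block_kind, _name, body in BLOCK.findall(strip_comments(conf)):
        if block_kind != kind:
            continue
        for transport, args in DRIVER.findall(body):
            m = PORT.search(args)
            found.add((transport, int(m.group(1)) if m else DEFAULT_PORT))
    return found


def unmatched(client_conf, server_conf):
    """Client network destinations that no server source is listening for."""
    return sorted(endpoints(client_conf, "destination") - endpoints(server_conf, "source"))


if __name__ == "__main__":
    print("as posted:      ", unmatched(CLIENT_CONF, SERVER_CONF))
    print("udp uncommented:", unmatched(CLIENT_CONF, SERVER_CONF.replace("#udp(", "udp(")))
    print("tcp source:     ", unmatched(CLIENT_CONF, SERVER_CONF.replace("#udp(", "tcp(")))
```

On the posted configs it reports the client's tcp/514 destination as unmatched, and uncommenting the server's udp() line alone does not change that.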