Linux – Centralized logging server failover

Tags: linux, logging, rsyslog

I'm planning a centralized log server for 200+ Linux boxes, rsyslog on both the client and server side. Here are my requirements:

  • Do not log anything locally on Linux boxes and send everything to centralized log server.
  • In case the centralized log server crashes, then
      ◦ How do I tell the clients to start logging locally? Or
      ◦ What would be the best option in case of failed central log server?

Best Answer

The way I've set up redundant syslog servers is by using a load balancer and shared file storage. I basically have all of my endpoints and my syslog servers log to /mnt/logs which is a shared SAN storage. Both servers have that mounted and can write to it so no matter which server is up, the logs will always be in the same place. I have some additional details in my previous post which can be found here.

Sorry, I only answered part of your question in my initial post. As far as sending all logs to the central location, I just modified the rsyslog.conf and added this line.

auth.*;authpriv.*                               @my-syslog-server:514

In my example, I just want the auth and authpriv logs; you can use *.* if you want everything. I'd recommend keeping the local logging as well just in case. No reason to modify everything else when the system is made to keep logs for ~1 week depending on how it's configured. As far as Windows goes, I use nxlog as an agent and send all logs via it. You can also use Snare as it's a little simpler to set up if you are not used to nxlog.
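As an added example (not part of the question or the answer above), here is a client-side rsyslog drop-in that follows the answer's advice of keeping local logs while forwarding everything, and that also covers the failover case the question asks about: a disk-assisted queue buffers messages on the client while the collector is unreachable, and a second collector is used only while the first one is suspended. The hostnames logsrv1/logsrv2.example.internal, the file path and the queue sizes are assumptions for illustration; the local rules in the distribution's rsyslog.conf (which keep writing /var/log/messages and friends) are left untouched.

```conf
# /etc/rsyslog.d/50-forward.conf  (added example; path and hosts are assumptions)
# Drop-in for rsyslog v8 RainerScript syntax. Inputs (imuxsock, imklog) and
# the local file rules stay in /etc/rsyslog.conf, so local logging continues
# regardless of what happens to the central server.

# Directory where queue spool files live. Most distributions already set this
# in rsyslog.conf; omit the line here if yours does.
global(workDirectory="/var/spool/rsyslog")

# Primary collector: forward every facility/priority (*.*) over TCP.
# The disk-assisted queue keeps messages in memory and spills them to
# /var/spool/rsyslog/fwd_primary* when the server is down; they are replayed
# automatically once the connection resumes. resumeRetryCount=-1 means
# "retry forever" instead of discarding after a fixed number of attempts.
*.* action(type="omfwd"
           target="logsrv1.example.internal" port="514" protocol="tcp"
           queue.type="LinkedList"
           queue.filename="fwd_primary"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1"
           action.resumeInterval="30")

# Secondary collector: only receives messages while the previous action
# (the primary) is suspended, i.e. while logsrv1 is unreachable.
*.* action(type="omfwd"
           target="logsrv2.example.internal" port="514" protocol="tcp"
           action.execOnlyWhenPreviousIsSuspended="on"
           queue.type="LinkedList"
           queue.filename="fwd_secondary"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1"
           action.resumeInterval="30")
```

Validate the syntax with `rsyslogd -N1` before restarting the service. Note that TCP (rather than the `@host` UDP form in the answer) is what makes the "server is down" condition detectable to rsyslog in the first place: UDP sends never fail, so there is nothing to queue or fail over from. With the queues in place, a collector outage on its own does not lose messages until the client's spool fills to queue.maxDiskSpace, so size that for the outage window you expect.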