Linux – use syslog-ng to mirror all log files on a remote server without specifying every file

centoslinuxloggingrsyncsyslog-ng

Can I use syslog-ng to mirror all log files onto a remote server without specifying every file? Both are running syslog-ng OSE version 3.5.2. The file("/var/log/*") setting seems promising, but it does not appear to recurse, and reconstituting the file names on the other side of a syslog() source seems daunting.

Should I give up on this and do some sort of scripting or use rsync or something else entirely?

The source is essentially an embedded Linux computer with limited flash storage and the others is pretty hefty. They are connected to the same fast switch at 1GB. It is not OK for the embedded Linux to crash without having already sent most of its logs over, so some sort of continuous update would seem appropriate.

Best Answer

it depends.

If you have applications that log directly into files under /var/log/, then you have the following possibilities

Reconfigure the applications to log into syslog instead of files, then syslog-ng can read the incoming messages and forward them to your logserver. If your applications support logging into syslog, then this is the recommended way to go.
The commercial version of syslog-ng supports wildcard file sources (/var/log/* and the like). This feature is currently not available in syslog-ng Open Source Edition
As a workaround, you can use the confgen plugin of syslog-ng (I'm not sure it is available in version 3.5, but it surely is in 3.6 and newer). With the confgen plugin, you can run a script that generates a section into the syslog-ng configuration file: you can use it to list the files in /var/log as file sources (note that this solution will not add new files from /var/log automatically, you'll have to periodically restart syslog-ng for that).

BTW, if possible, you might want to update your syslog-ng to a newer version, 3.5 is rather old and somewhat buggy. The recent 3.9 version supports diskbuffers and other nice features.

HTH

Related Solutions

Forwarding rsyslog to syslog-ng, with FQDN and facility separation

Okay, I found a way. It turns out the $ActionForwardDefaultTemplate by default is set to :

$ActionForwardDefaultTemplate RSYSLOG_ForwardFormat

Per this rsyslog documentation, the RSYSLOG_ForwardFormat is specifically used to maintain interoperability between different syslogs. No shocker then that if you modify this Forward template as I described originally, some functionality for other syslogs break:

$template MyTemplate, "%timestamp% <FQDN> %syslogtag%%msg%"
$ActionForwardDefaultTemplate MyTemplate

The workaround I found was to dig up the back-end template that RSYSLOG_ForwardFormat uses and mimic it. After digging through the source I eventually found that RSYSLOG_ForwardFormat is actually this:

"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"

So, if I create a custom template with almost the same content, but substitute my FQDN in place of the %HOSTNAME% macro, syslog-ng facility separation works properly and the system logs with FQDN:

$template MyForwardTemplate, "<%PRI%>%TIMESTAMP% <fqdn> %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
$ActionForwardDefaultTemplate MyForwardTemplate

Does syslog-ng config file support log rotating files every 15 mins

You can divide the minute value by a number inline, which will generate separated files. For example:

destination d_half_hourly {file("/var/log/tracker/pid$PID-track-$YEAR-$MONTH-$DAY-$HOUR-$(/ $MIN 30).log");};

Because of integer division, this will put all logs from PID 1000 and date 1/23/2015 05:00 to 05:29 into

/var/log/tracker/pid1000-track-2015-01-23-05-0.log

and from 05:30 to 05:59 into

/var/log/tracker/pid1000-track-2015-01-23-05-1.log

You can also increase the frequency by changing 30 to another divisor.

Best Answer

Related Solutions

Forwarding rsyslog to syslog-ng, with FQDN and facility separation

Does syslog-ng config file support log rotating files every 15 mins

Related Topic