Syslog-ng on Solaris 10 (how to install and configure)

solaris-10syslog-ng

If anyone has got syslog-ng working on Solaris 10, do you have a set of instructions I could follow to get it installed and working?

I tried following this http://opensystems.wordpress.com/2006/06/01/replacing-syslog-on-solaris-10-with-syslog-ng/ but got stuck with the syslog-ng service stuck restarting with no indication of why.

Thanks for any help.
NickB

Best Answer

I do not like the instructions on the opensystems blog you pointed to, as it replaces the default service in SMF. This is bad as it is likely that a future system patch will revert your changes. Here's my take on it, from a default system state:

Disable the system syslog:
svcadm disable system-log
Download and install (using pkgadd) syslog-ng from sunfreeware.com
http:// sunfreeware.com/programlistintel10.html#syslogng
Do not forget to also download and install its dependencies.
Create a configuration file /usr/local/etc/syslog-ng.conf (the one offered on the Open Systems blog is a good start).
Setup the SMF voodoo:
- Create /var/svc/manifest/site/syslog-ng.xml from http://pastebin.com/QrGC3u6p (I could not paste the file here as the formatting was mangled)
- Load the new service: svccfg import /var/svc/manifest/site/syslog-ng.xml
- Enable the service: svcadm enable syslog-ng

Now, your system is not vanilla if you followed the procedure on Open Systems blog. Here's what you need to do to revert:

Disable the modified SMF service:
- svcadm disable system-log-ng
- svccfg delete system-log-ng
Remove the syslopg-ng package
- pkgrm NCsysng
Re-import the original system log service:
- svccfg import /var/svc/manifest/system/system-log.xml
- svcadm enable system-log

Hope this helps.

Related Solutions

Nginx – syslog-ng and nginx logs to thesql

I can help you to write nginx access log to postgres. Lets go Nginx log format

log_format logtodb '$time_iso8601;$http_host;$remote_addr;$http_x_forwarded_for;$request_method;$request;$status;$body_bytes_sent;$http_referer;$request_time;$upstream_http_x_cache;$uri;$upstream_addr;$host;$upstream_response_length;$upstream_status;$server_name;$newurl;$upstream_response_time';

access_log /var/log/nginx/access_logtodb.log logtodb; Let's go.

Configure syslog-ng

nano /etc/syslog-ng/syslog.ng

#########################################################################
###### tailing nginx accesslog and sending to syslog-ng##################
source nginx_acceess_log { file( "/var/log/nginx/access_logtodb.log"
                    follow_freq(1)    
                    flags(no-parse)             
     );
};




parser p_nginx_acceess_log {
    csv-parser(columns("NGINX_TIME", "NGINX_http_host", "NGINX_remote_addr", "NGINX_http_x_forwarded_for", "NGINX_request", "NGINX_request_method","NGINX_status", "NGINX_body_bytes_sent", "NGINX_http_referer", "NGINX_request_time", "NGINX_upstream_http_x_cache", "NGINX_uri", "NGINX_upstream_addr", "NGINX_host", "NGINX_upstream_response_length", "NGINX_upstream_status", "NGINX_server_name", "NGINX_newurl", "NGINX_upstream_response_time")
         flags(escape-double-char,strip-whitespace)
         delimiters(";")
         quote-pairs('""[]')
         );
};



destination d_postgres_nginx_acceess_log{
  sql(type(pgsql)
  host("10.12.1.1")  port("5432") username("postgres") password("A1s2gdfgdfgdgdfgd")
  database("nginx_logs")
  table("access_log_nginx_223")
  columns("NGINX_TIME text", "NGINX_http_host text", "NGINX_remote_addr text", "NGINX_http_x_forwarded_for text", "NGINX_request_method text", "NGINX_request text", "NGINX_status varchar(3)",  "NGINX_body_bytes_sent text",  "NGINX_http_referer text", "NGINX_request_time text", "NGINX_upstream_http_x_cache text", "NGINX_uri text", "NGINX_upstream_addr text",  "NGINX_host  text", "NGINX_upstream_response_length text", "NGINX_upstream_status varchar(3)", "NGINX_server_name text", "NGINX_newurl text", "NGINX_upstream_response_time text")
  values("${NGINX_TIME}", "${NGINX_http_host}", "${NGINX_remote_addr}", "${NGINX_http_x_forwarded_for}", "${NGINX_request_method}", "${NGINX_request}", "${NGINX_status}", "${NGINX_body_bytes_sent}", "${NGINX_http_referer}", "${NGINX_request_time}", "${NGINX_upstream_http_x_cache}", "${NGINX_uri}", "${NGINX_upstream_addr}", "${NGINX_host }", "${NGINX_upstream_response_length}", "${NGINX_upstream_status}", "${NGINX_server_name}", "${NGINX_newurl}", "${NGINX_upstream_response_time}")
  indexes("NGINX_request", "NGINX_uri", "NGINX_server_name"));

};

log {source(nginx_acceess_log);  parser(p_nginx_acceess_log); destination(d_postgres_nginx_acceess_log); };

Install packets for send to db

apt-get install libdbd-pgsql -y

Configure db-postgres Create database nginx_logs. Grant acceess in pg_hba.conf

Forwarding rsyslog to syslog-ng, with FQDN and facility separation

Okay, I found a way. It turns out the $ActionForwardDefaultTemplate by default is set to :

$ActionForwardDefaultTemplate RSYSLOG_ForwardFormat

Per this rsyslog documentation, the RSYSLOG_ForwardFormat is specifically used to maintain interoperability between different syslogs. No shocker then that if you modify this Forward template as I described originally, some functionality for other syslogs break:

$template MyTemplate, "%timestamp% <FQDN> %syslogtag%%msg%"
$ActionForwardDefaultTemplate MyTemplate

The workaround I found was to dig up the back-end template that RSYSLOG_ForwardFormat uses and mimic it. After digging through the source I eventually found that RSYSLOG_ForwardFormat is actually this:

"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"

So, if I create a custom template with almost the same content, but substitute my FQDN in place of the %HOSTNAME% macro, syslog-ng facility separation works properly and the system logs with FQDN:

$template MyForwardTemplate, "<%PRI%>%TIMESTAMP% <fqdn> %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
$ActionForwardDefaultTemplate MyForwardTemplate

Best Answer

Related Solutions

Nginx – syslog-ng and nginx logs to thesql

Forwarding rsyslog to syslog-ng, with FQDN and facility separation

Related Topic