How to configure SLES 11 to cache and send log events to Sentinel via rsyslogd
If you are using syslog or syslog-ng to send log events to Sentinel, you might have noticed that if there are communication problems with the collector manager, your events might be lost.
You can get around this limitation by installing rsyslogd, which is included in your SLES11 installation media.
Rsyslogd can be configured to replace syslog-ng (the default logger in sles11) in a few steps:
- stop syslog-ng
- Install the rsyslogd package
#yast -i rsyslog
- Modify the following parameters in sysconfig (either with yast or by editing /etc/sysconfig/syslog)
- run SuSEconfig
Now that we have installed the new logger, we can modify the file /etc/rsyslog.d/remote.conf to tell rsyslogd to cache the log events and to send them to our collector manager.
Here is a pretty self-explanatory sample configuration:
# Remote Logging (we use TCP for reliable delivery) # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. $WorkDirectory /var/spool/rsyslog # where to place spool files $ActionQueueFileName accesslog # unique name prefix for spool files $ActionQueueMaxFileSize 10m $ActionQueueMaxDiskSpace 5gb space limit (use as much as possible) $ActionQueueSaveOnShutdown on # save messages to disk on shutdown $ActionQueueType LinkedList # run asynchronously $ActionResumeInterval 30 $ActionResumeRetryCount -1 # infinite retries if host is down $ActionQueueHighWaterMark 2 #8000 $ActionQueueLowWaterMark 1 #2000 #*.* @remotehost:port (udp) @@remote-host:port (tcp) *.* @@yourcollectormanagerhost:1468 #send all log events to the collector manager via tcp
- Once you have configured rsyslogd, you can start the service.
by installing and configuring rsyslogd, some of the logs in /var/log/ will not be updated (es. /var/log/NetworkManager) This is because the default log definitions of syslog-ng are not migrated to rsyslogd, and (if needed) they will need to be reconfigured