If you use syslog or syslog-ng to send log events to Sentinel, you might have noticed that events are lost whenever there are communication problems with the collector manager: the syslog-ng shipped with SLES 11 does not spool undelivered events to disk, so whatever it cannot deliver while the link is down is simply dropped.

You can get around this limitation by installing rsyslogd, which is included in your SLES 11 installation media and can queue undelivered events on disk until the collector manager is reachable again.

Rsyslogd can be configured to replace syslog-ng (the default logger in SLES 11) in a few steps:

  1. Stop syslog-ng

    #rcsyslog stop

  2. Install the rsyslog package

    #yast -i rsyslog

  3. Set the following parameters in /etc/sysconfig/syslog (with YaST or an editor)

    SYSLOG_DAEMON="rsyslogd"
    RSYSLOGD_COMPAT_VERSION="4"

  4. run SuSEconfig

    #SuSEconfig

    Now that the new logger is installed, edit /etc/rsyslog.d/remote.conf to tell rsyslogd to queue log events on disk and forward them to our collector manager.

    Here is a sample configuration; the comments explain each directive:

    # Remote logging (we use TCP for reliable delivery).
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    # The $ActionQueue* directives apply to the next action line only.
    $WorkDirectory /var/spool/rsyslog # where to place spool files (the directory must exist and be writable by rsyslogd)
    $ActionQueueFileName accesslog # unique name prefix for spool files (use a different one per queued action)
    $ActionQueueMaxFileSize 10m
    $ActionQueueMaxDiskSpace 5g # space limit for the spool (use as much as you can afford)
    $ActionQueueSaveOnShutdown on # save messages still in memory to disk on shutdown
    $ActionQueueType LinkedList # run the action asynchronously
    $ActionResumeInterval 30 # seconds between reconnection attempts
    $ActionResumeRetryCount -1 # infinite retries if the host is down
    $ActionQueueHighWaterMark 2 # start spooling to disk above this many queued messages (rsyslog default: 8000)
    $ActionQueueLowWaterMark 1 # stop spooling once the queue drains below this (rsyslog default: 2000)
    # Watermarks this low push nearly every message through the disk queue, which is
    # the safest setting but costs disk I/O; raise them on busy hosts.

    # Syntax: *.* @remote-host:port forwards via UDP, *.* @@remote-host:port via TCP.
    # Send all log events to the collector manager via TCP (1468 is the default TCP
    # port of the Sentinel syslog connector; adjust it to your setup).
    *.* @@yourcollectormanagerhost:1468

    
    
  5. Once you have configured rsyslogd, you can start the service.

    #rcsyslog start
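To confirm that the disk queue really buffers and replays events, you need something on the collector manager's port that you can stop and start at will. The script below is an added example for this article, not part of the Sentinel product or the original post: a minimal TCP syslog sink that accepts the newline-delimited lines rsyslog's @@ action sends, decodes the RFC 3164 PRI field into facility and severity, and prints each event. Run it on a test host in place of the collector manager, point the *.* @@ line at it, kill it, generate a few messages on the SLES client with logger, then start it again and watch the spooled events arrive. The port 1468 is an assumption (the Sentinel default); the SAMPLE_LINES are constructed, not captured from a real host.

```python
#!/usr/bin/env python3
"""Minimal TCP syslog sink for checking rsyslog's disk-queued forwarding.

Usage on the host standing in for the collector manager:
    python3 syslog_sink.py 1468
Then, on the SLES client: stop this sink, run `logger -p local0.notice test`
a few times, start the sink again and the queued events should show up.
"""
import re
import socketserver
import sys

# rsyslog's "@@host:port" action uses plain TCP with one message per line
# (newline-terminated). Each line starts with the RFC 3164 PRI field "<n>",
# where n = facility * 8 + severity and n is at most 191.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines in the shape rsyslog emits (not captured from a real host).
SAMPLE_LINES = [
    "<13>Jan 22 11:52:00 sles11 logger: queued while the collector was down\n",
    "<38>Jan 22 11:52:01 sles11 sshd[4242]: Accepted publickey for root\n",
    "garbage without a PRI\n",
    "<999>Jan 22 11:52:02 sles11 bad: PRI out of range\n",
]


def parse_syslog_line(line):
    """Split one syslog line into facility, severity and the rest of the message.

    Raises ValueError for lines without a valid PRI (0..191), which is what you
    would see if a non-syslog client connected to the port.
    """
    match = PRI_RE.match(line.rstrip("\r\n"))
    if match is None:
        raise ValueError("missing PRI field: %r" % line)
    pri = int(match.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "message": match.group(2),
    }


def parse_stream(lines):
    """Parse an iterable of lines; return (events, number_of_rejected_lines)."""
    events, rejected = [], 0
    for line in lines:
        try:
            events.append(parse_syslog_line(line))
        except ValueError:
            rejected += 1
    return events, rejected


class SyslogHandler(socketserver.StreamRequestHandler):
    """One handler per connection; rsyslog keeps a single TCP connection open."""

    def handle(self):
        peer = self.client_address[0]
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace")
            try:
                event = parse_syslog_line(line)
            except ValueError as exc:
                print("%s: rejected line (%s)" % (peer, exc))
                continue
            print("%s %s.%s %s" % (peer, event["facility"], event["severity"], event["message"]))
            sys.stdout.flush()


class SyslogServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True  # lets you restart the sink right after stopping it
    daemon_threads = True


def main(argv):
    port = int(argv[1]) if len(argv) > 1 else 1468  # assumed Sentinel TCP syslog port
    with SyslogServer(("0.0.0.0", port), SyslogHandler) as server:
        print("listening on tcp/%d; press Ctrl-C to simulate a collector outage" % port)
        server.serve_forever()


if __name__ == "__main__":
    main(sys.argv)
```

While the sink is down, look in /var/spool/rsyslog on the client: the accesslog.* spool files should grow with each logger call and shrink again once the sink is back and the queue drains.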

WARNING
After installing and configuring rsyslogd, some of the log files in /var/log/ (e.g. /var/log/NetworkManager) will no longer be updated. This is because the default log destinations of syslog-ng are not migrated to rsyslogd; if you need them, recreate them in the rsyslogd configuration.
Category: SUSE Linux Enterprise Server, Technical Solutions
This entry was posted Friday, 22 January, 2010 at 11:52 am

Comments

  • cpnath says:

    This article is simple and very useful.
    Now with the present configuration all logs from the server will be sent to the remote server.
    But if you can elaborate with examples on how to send specific log files to the remote server, it'll be very useful.
