How to configure SLES 11 to cache and send log events to Sentinel via rsyslogd


By: gbianchi77

January 22, 2010 11:52 am





If you are using syslog or syslog-ng to send log events to Sentinel, you might have noticed that if there are communication problems with the collector manager, your events might be lost.

You can get around this limitation by installing rsyslogd, which is included in your SLES11 installation media.

Rsyslogd can be configured to replace syslog-ng (the default logger in SLES 11) in a few steps:

  1. Stop syslog-ng

    #rcsyslog stop

  2. Install the rsyslogd package

    #yast -i rsyslog

  3. Modify the following parameters in sysconfig (either with yast or by editing /etc/sysconfig/syslog)


  4. run SuSEconfig


    Now that we have installed the new logger, we can modify the file /etc/rsyslog.d/remote.conf to tell rsyslogd to cache the log events and to send them to our collector manager.

    Here is a pretty self-explanatory sample configuration (the $ActionQueue* directives apply to the next action line, so they must come before the *.* forwarding rule):

    # Remote Logging (we use TCP for reliable delivery)
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    $WorkDirectory /var/spool/rsyslog # where to place spool files
    $ActionQueueFileName accesslog # unique name prefix for spool files
    $ActionQueueMaxFileSize 10m # size of a single spool file
    $ActionQueueMaxDiskSpace 5g # space limit for the whole queue (use as much as possible)
    $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    $ActionQueueType LinkedList # run asynchronously
    $ActionResumeInterval 30 # seconds between reconnection attempts
    $ActionResumeRetryCount -1 # infinite retries if host is down
    $ActionQueueHighWaterMark 2 # rsyslog default is 8000; this low value spools to disk almost immediately
    $ActionQueueLowWaterMark 1 # rsyslog default is 2000
    #*.* @remotehost:port (udp) @@remote-host:port (tcp)
    *.* @@yourcollectormanagerhost:1468 # send all log events to the collector manager via tcp
  5. Once you have configured rsyslogd, you can start the service.

    #rcsyslog start
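    Once the forwarding rule is in place, the question in operation is whether the disk queue is actually absorbing events when the collector manager is unreachable, and how close it is to the configured limit. The following POSIX shell script is an added example (not code from the original post, from SUSE or from the rsyslog project): it converts rsyslog size values such as 10m or 5g to bytes, sums the spool files that belong to the queue in $WorkDirectory (files named after $ActionQueueFileName, including the .qi state file) and returns a non-zero status when the spool reaches a warning percentage of $ActionQueueMaxDiskSpace. The directory, prefix and limit defaults are taken from the sample configuration above and are assumptions to adjust to your own remote.conf; rsyslogd -N1 is only invoked when an installed rsyslogd accepts that option.

```shell
#!/bin/sh
# Added example, not part of the original post: inspect the rsyslog disk
# queue configured in /etc/rsyslog.d/remote.conf. The defaults below
# (/var/spool/rsyslog, "accesslog", 5g) mirror the sample configuration and
# are hypothetical; pass your own values when running with --report.

# Convert an rsyslog size value (bare bytes, or a lowercase k/m/g suffix,
# which rsyslog interprets as 1024-based) to bytes. Anything else, such as
# a "5gb" spelling, is rejected so that a typo does not silently become
# an unexpected limit.
size_to_bytes() {
    case "$1" in
        ''|*[!0-9kmg]*|[!0-9]*)
            echo "unsupported size value: '$1' (use e.g. 10m or 5g)" >&2
            return 1 ;;
    esac
    num=${1%[kmg]}
    case "$1" in
        *k) echo $((num * 1024)) ;;
        *m) echo $((num * 1024 * 1024)) ;;
        *g) echo $((num * 1024 * 1024 * 1024)) ;;
        *)  echo "$num" ;;
    esac
}

# Sum the sizes of the spool files of one queue: rsyslog names them
# <prefix>.<number> and keeps the queue state in <prefix>.qi. Files of
# other queues in the same work directory are ignored.
spool_bytes() {
    dir=$1; prefix=$2; total=0
    for f in "$dir/$prefix".*; do
        [ -f "$f" ] || continue
        total=$((total + $(wc -c < "$f")))
    done
    echo "$total"
}

# Percentage of $ActionQueueMaxDiskSpace currently occupied by the queue.
spool_usage_pct() {
    used=$(spool_bytes "$1" "$2")
    limit=$(size_to_bytes "$3") || return 1
    echo $((used * 100 / limit))
}

# check_queue DIR PREFIX LIMIT [WARN_PCT]
# Exit status: 0 below WARN_PCT (default 80) of the limit, 1 at or above
# it (the collector manager has probably been unreachable for a long time
# and older events are about to be dropped), 2 if DIR or LIMIT is unusable.
check_queue() {
    dir=$1; prefix=$2; limit=$3; warn=${4:-80}
    if [ ! -d "$dir" ]; then
        echo "spool directory $dir does not exist (check \$WorkDirectory)" >&2
        return 2
    fi
    pct=$(spool_usage_pct "$dir" "$prefix" "$limit") || return 2
    if [ "$pct" -ge "$warn" ]; then
        echo "WARNING: queue $prefix uses ${pct}% of $limit" >&2
        return 1
    fi
    echo "queue $prefix uses ${pct}% of $limit"
}

# report [DIR PREFIX LIMIT]: run rsyslog's own config check where the
# installed rsyslogd supports -N, check the queue, and log a marker
# message that should show up on the collector manager once the link is up.
report() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 || echo "rsyslogd config check failed or -N unsupported" >&2
    fi
    check_queue "${1:-/var/spool/rsyslog}" "${2:-accesslog}" "${3:-5g}"
    rc=$?
    logger -t queue-check "rsyslog queue check finished with status $rc on $(hostname)"
    return "$rc"
}

if [ "${1:-}" = "--report" ]; then
    shift
    report "$@"
fi
```

    Run it as `sh queue-check.sh --report /var/spool/rsyslog accesslog 5g`, for example from cron. Spool files that exist while the collector manager is reachable simply mean the queue is still draining; a spool that keeps growing means the TCP connection is down and rsyslogd is retrying every $ActionResumeInterval seconds, and the warning status tells you before $ActionQueueMaxDiskSpace is exhausted.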

Note that after installing and configuring rsyslogd, some of the logs in /var/log/ will no longer be updated (e.g. /var/log/NetworkManager). This is because the default log definitions of syslog-ng are not migrated to rsyslogd; if you need them, they will have to be reconfigured in rsyslogd.

Categories: SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else in the SUSE Blog, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

1 Comment

  1. By: cpnath

    This article is simple and very useful.
    Now with the present configuration all logs from the server will be sent to the remote server.
    But if you can elaborate with examples to send specific log files to the remote server, it'll be very useful.