SUSE Conversations


How to configure SLES 11 to cache and send log events to Sentinel via rsyslogd

By: gbianchi77

January 22, 2010 11:52 am

If you use syslogd or syslog-ng to send log events to Sentinel, you may have noticed that events generated while the collector manager is unreachable are simply lost: neither daemon, as shipped on SLES 11, spools undelivered messages to disk.

You can get around this limitation with rsyslog, which is included on the SLES 11 installation media. rsyslogd supports disk-assisted action queues: when the remote host is down, messages are written to a spool directory and forwarded once the connection is back.

Replacing syslog-ng (the default logger on SLES 11) with rsyslogd takes a few steps:

  1. Stop syslog-ng:

    # rcsyslog stop

  2. Install the rsyslog package:

    # yast -i rsyslog

  3. Set the following parameters in sysconfig (with YaST, or by editing /etc/sysconfig/syslog). RSYSLOGD_COMPAT_VERSION is the compatibility level the init script passes to rsyslogd with -c; the legacy $-directive syntax used below relies on it:

    SYSLOG_DAEMON="rsyslogd"
    RSYSLOGD_COMPAT_VERSION="4"

  4. Run SuSEconfig so the change takes effect:

    # SuSEconfig

    Now that the new logger is installed, edit /etc/rsyslog.d/remote.conf to tell rsyslogd to queue log events on disk and forward them to the collector manager. Two things to keep in mind: the $ActionQueue* and $ActionResume* directives configure only the action line that follows them (rsyslogd resets them after each action), so they must come before the *.* line; and the spool directory has to exist and be writable by rsyslogd, so check for /var/spool/rsyslog and create it with mkdir -p if it is missing.

    Here is a sample configuration, with the meaning of each line in comments:

    # Remote logging (TCP, so that delivery failures are detected and retried)
    # The directives below set up a disk-assisted queue for the action that
    # follows them. If the remote host is down, messages are spooled to disk
    # and sent when it is up again.
    $WorkDirectory /var/spool/rsyslog # where to place spool files (directory must exist)
    $ActionQueueFileName accesslog # unique name prefix for spool files
    $ActionQueueMaxFileSize 10m
    $ActionQueueMaxDiskSpace 5g # space limit for the spool (size suffixes: k, m, g)
    $ActionQueueSaveOnShutdown on # write queued messages to disk on shutdown
    $ActionQueueType LinkedList # run asynchronously; disk-assisted because a file name is set
    $ActionResumeInterval 30 # seconds between reconnection attempts
    $ActionResumeRetryCount -1 # infinite retries if host is down
    $ActionQueueHighWaterMark 2 # start spooling to disk at 2 queued messages (rsyslog default 8000)
    $ActionQueueLowWaterMark 1 # stop spooling once the in-memory queue drops to 1 (default 2000)

    # @host:port sends via UDP, @@host:port via TCP. A UDP send never fails,
    # so the queue above only does its job with a TCP target.
    # Send all log events to the collector manager via TCP:
    *.* @@yourcollectormanagerhost:1468
    
    
  5. Once rsyslogd is configured, start the service:

    # rcsyslog start

    To verify that queueing works, block or stop the collector manager, generate a few events with logger, and confirm that spool files with the accesslog prefix appear in /var/spool/rsyslog; once the collector manager is reachable again they should drain and disappear.
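As an added check (example code written for this page, not code from the article or from the rsyslog project), the following script lints a legacy-syntax fragment of the kind shown above before rsyslogd is restarted. It encodes the rules that bite people with this configuration: each $-directive takes exactly one parameter (anything else must be a # comment), the $Action* settings apply only to the next action line and are reset after it, a UDP target never suspends so the disk queue never engages, and the watermarks must make sense. The sample fragments are constructed for the example; the first one reproduces the listing as originally posted on this page (size line without a #, watermarks 2/1). The defaults the checker assumes (high/low watermark 8000/2000, retry count 0, port 514) are rsyslog's documented defaults.

```python
"""Lint a legacy-syntax rsyslog forwarding fragment (the kind placed in
/etc/rsyslog.d/remote.conf on SLES 11). Added example, not rsyslog code."""
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, int, str]   # (severity, line number, message)

# $Action* directives configure the queue of the *next* action line only.
QUEUE_DIRECTIVES = {
    "$actionqueuefilename", "$actionqueuemaxfilesize", "$actionqueuemaxdiskspace",
    "$actionqueuesaveonshutdown", "$actionqueuetype", "$actionqueuehighwatermark",
    "$actionqueuelowwatermark", "$actionresumeinterval", "$actionresumeretrycount",
}
SIZE_DIRECTIVES = {"$actionqueuemaxfilesize", "$actionqueuemaxdiskspace"}
SIZE_RE = re.compile(r"^\d+[kmg]?$", re.IGNORECASE)   # documented forms: 10m, 1g, ...
ACTION_RE = re.compile(r"^\S+\s+(@@?)(\S+)$")        # "<selector> @host[:port]" / "@@host[:port]"


def _int(value: str, default: int) -> int:
    try:
        return int(value)
    except ValueError:
        return default


def _check_action(no: int, proto: str, target: str, pending: Dict[str, str],
                  workdir: Optional[str], findings: List[Finding]) -> None:
    """Checks that need the action line and its preceding queue directives together."""
    if proto == "@":
        findings.append(("error", no, "UDP target: a UDP send never fails, so the action is "
                         "never suspended and the disk queue never engages; use @@ (TCP)"))
    if ":" not in target:
        findings.append(("warning", no, "no port given; rsyslog falls back to 514"))
    if "$actionqueuefilename" not in pending:
        findings.append(("error", no, "no $ActionQueueFileName: the queue is memory-only "
                         "and its contents are lost when rsyslogd stops"))
    else:
        if workdir is None:
            findings.append(("warning", no, "no $WorkDirectory: spool files land in "
                             "rsyslogd's current working directory"))
        if pending.get("$actionqueuesaveonshutdown", "off").lower() != "on":
            findings.append(("warning", no, "$ActionQueueSaveOnShutdown is off: messages "
                             "still in memory are lost on shutdown"))
    if pending.get("$actionresumeretrycount", "0") != "-1":
        findings.append(("warning", no, "$ActionResumeRetryCount is not -1: once the retries "
                         "are used up the action is treated as failed and its messages discarded"))
    high = _int(pending.get("$actionqueuehighwatermark", "8000"), 8000)
    low = _int(pending.get("$actionqueuelowwatermark", "2000"), 2000)
    if high <= low:
        findings.append(("error", no, f"high-water mark {high} must exceed low-water mark {low}"))
    elif high < 100:
        findings.append(("warning", no, f"high-water mark {high} spools nearly every message "
                         "to disk (rsyslog defaults are 8000/2000)"))


def check_fragment(text: str) -> List[Finding]:
    """Return (severity, line, message) findings for a remote.conf-style fragment."""
    findings: List[Finding] = []
    pending: Dict[str, str] = {}      # $Action* settings waiting for the next action line
    workdir: Optional[str] = None
    actions = 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("$"):
            parts = line.split(None, 2)
            name = parts[0].lower()
            value = parts[1] if len(parts) > 1 else ""
            rest = parts[2] if len(parts) > 2 else ""
            if not value:
                findings.append(("error", no, f"{parts[0]} has no parameter"))
            elif rest and not rest.startswith("#"):
                # One parameter per directive: anything after it must be a '#' comment.
                findings.append(("error", no, f"{parts[0]}: trailing text {rest.split()[0]!r} "
                                 "is not a comment; put a '#' in front of it"))
            if name == "$workdirectory":
                workdir = value
            elif name in QUEUE_DIRECTIVES:
                if actions:
                    findings.append(("error", no, f"{parts[0]} comes after the forwarding "
                                     "action, so it does not apply to it"))
                pending[name] = value
                if name in SIZE_DIRECTIVES and not SIZE_RE.match(value):
                    findings.append(("warning", no, f"{parts[0]}: size {value!r} is not in "
                                     "the documented form (digits plus k, m or g)"))
            continue
        m = ACTION_RE.match(line)
        if m:
            actions += 1
            _check_action(no, m.group(1), m.group(2), pending, workdir, findings)
            pending = {}   # rsyslog resets $Action* settings after each action
    if not actions:
        findings.append(("error", 0, "no forwarding action found; the queue directives apply to nothing"))
    return findings


# Constructed sample: the listing from this page as originally posted.
PAGE_FRAGMENT = """\
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName accesslog # unique name prefix for spool files
$ActionQueueMaxFileSize 10m
$ActionQueueMaxDiskSpace 5gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeInterval 30
$ActionResumeRetryCount -1 # infinite retries if host is down
$ActionQueueHighWaterMark 2 #8000
$ActionQueueLowWaterMark 1 #2000
*.* @@yourcollectormanagerhost:1468
"""
# Constructed sample: same fragment with the size line fixed and default watermarks.
FIXED_FRAGMENT = (PAGE_FRAGMENT
                  .replace("5gb space limit (use as much as possible)", "5g # space limit")
                  .replace("HighWaterMark 2 #8000", "HighWaterMark 8000")
                  .replace("LowWaterMark 1 #2000", "LowWaterMark 2000"))
# Constructed sample: UDP target, queue directive placed after the action (port is arbitrary).
MISORDERED_FRAGMENT = "*.* @yourcollectormanagerhost:1514\n$ActionQueueFileName accesslog\n"

if __name__ == "__main__":
    for label, frag in (("page", PAGE_FRAGMENT), ("fixed", FIXED_FRAGMENT), ("misordered", MISORDERED_FRAGMENT)):
        for sev, no, msg in check_fragment(frag):
            print(f"{label}:{no}: {sev}: {msg}")
```

Run it as is to see the three sample reports, or call check_fragment on the contents of your own remote.conf. On the page's original listing it reports the uncommented text after 5gb, the non-standard size suffix and the very low high-water mark; on the corrected listing it reports nothing.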

--WARNING--
After installing and configuring rsyslogd, some files in /var/log/ (e.g. /var/log/NetworkManager) will no longer be updated: the default log definitions of syslog-ng are not migrated to rsyslogd, and if you need them they have to be recreated in the rsyslog configuration. Note also that @@ sends events to the collector manager in clear text over plain TCP, and that TCP alone does not guarantee every message survives a connection dropping mid-stream; if the path to the collector manager is not trusted, protect it with rsyslog's TLS netstream driver (gtls) on both ends or a network-level tunnel.
Categories: SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
