freke Veteran
Joined: 23 Jan 2003 Posts: 1050 Location: Somewhere in Denmark
Posted: Mon Apr 09, 2018 7:30 pm Post subject: syslog-ng server?
I've traditionally been running metalog on my 3 small headless servers (i.e. bind/dhcp/mail) - I was thinking of running a centralized logserver on one of them and it seems syslog-ng would be the way to go then?
Is there any favored wiki/guide to follow to set that up?
And how is the output compared to metalog?
And are/can the logs be combined; i.e. I have most 'mail-stuff' logged from one server - but spam-handling will be done on a separate server - could that be combined into a single logfile for easily following the flow of a mail throughout the system? (are lines then in any way prefixed with the server they are originating from?)
TIA
freke
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
Posted: Tue Apr 10, 2018 12:20 am
I can't really say if syslog-ng is better than metalog, as I don't have any experience with that. However, I did set up remote logging before, but sadly I don't have my configs from when I did it nor another Gentoo system to set it up again. I do recall it wasn't really too difficult to set up; and for me all the logs were combined together as if it was done locally. The main thing you need to do is modify the rules so that it includes the source machine.
I'll see if I can set up another Linux machine and try setting up the remote logging again.
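A collector-side syslog-ng configuration for the setup discussed above (one combined mail log, each line prefixed with its origin), as an added example that is not part of the original thread. The address 192.0.2.10, the file path, the connection limit and the `@version` value are assumptions to adjust.

```conf
@version: 3.13            # assumption: set to the syslog-ng version actually installed
@include "scl.conf"       # provides the system() source used below

options {
    keep-hostname(yes);   # keep the hostname each sender put in the message header
    create-dirs(yes);     # create /var/log/remote on first write
};

# Local messages of the collector itself (it is also one of the servers).
source s_local { system(); internal(); };

# Messages from the other servers. Plain TCP is neither authenticated nor
# encrypted, so bind to the internal address only and firewall port 514
# down to the known senders.
source s_remote {
    network(ip("192.0.2.10") port(514) transport("tcp") max-connections(10));
};

filter f_mail { facility(mail); };

# One combined mail log. ${HOST} comes from the message header and can be
# set freely by the sender; ${SOURCEIP} is the peer address the collector
# saw, so each line stays attributable even if the hostname is wrong.
destination d_mail_all {
    file("/var/log/remote/mail.log"
         template("${R_ISODATE} ${SOURCEIP} ${HOST} ${MSGHDR}${MESSAGE}\n")
         perm(0640));
};

log { source(s_local); source(s_remote); filter(f_mail); destination(d_mail_all); };

# On each sending server (its own syslog-ng.conf), forward mail messages:
#   destination d_collector { network("192.0.2.10" port(514) transport("tcp")); };
#   log { source(s_local); filter(f_mail); destination(d_collector); };
```

Running `syslog-ng --syntax-only -f <file>` checks the file before the daemon is restarted.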
bbgermany Veteran
Joined: 21 Feb 2005 Posts: 1844 Location: Oranienburg/Germany
Posted: Tue Apr 10, 2018 5:04 am
Hi,
Maybe this helps you get syslog-ng up as a collector. I haven't tried this, 'cause I'm doing this with rsyslog.
https://www.techrepublic.com/article/how-to-use-syslog-ng-to-collect-logs-from-remote-linux-machines/
greets, bb
_________________
Desktop: Ryzen 5 5600G, 32GB, 2TB, RX7600
Notebook: Dell XPS 13 9370, 16GB, 1TB
Server #1: Ryzen 5 Pro 4650G, 64GB, 16.5TB
Server #2: Ryzen 4800H, 32GB, 22TB
freke Veteran
Joined: 23 Jan 2003 Posts: 1050 Location: Somewhere in Denmark
Posted: Tue Apr 10, 2018 4:22 pm
Thx - looking into the guide, and seems like I'm able to gather logs remotely now
Now off to create some filters it seems - to mimic my metalog-setup.
ct85711:
Not saying syslog-ng is better than metalog either (I've always used metalog) - it's just that metalog doesn't support remote logging as I understand it.
--
Instantly in love with syslog-ng - currently fooling around with https://papertrailapp.com - love it
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
Posted: Wed Apr 11, 2018 12:47 am
From looking at metalog, I am not sure how much I like that package. For me, the biggest thing that would bug me is that there is very little documentation for it. Looking at it more closely, what I saw in the forum for it (I assume it is the main forum on SF, but it may not be) is the lack of communication for multiple years. Even looking at the source code history, there have been 2 or 3 code merges recently (on allowing remote logging using UDP). Beyond that, there was one that was a change to the man file. The catch is, beyond that, no activity since like 2012 or 2013. Either way, I'd be concerned that the devs more or less gave up on it, as they haven't even been improving the documentation and the community around that package isn't even communicating in their forum (I could have gone to the wrong place for their forums).
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Wed Apr 11, 2018 1:25 am
A bit of fun trivia about metalog: it really really doesn't like running in foreground without a stdout to write its debug spam to. It'll try anyway, and then block forever once its internal buffer backs up... and then every other program on the system that tries to call syslog() will block too. It usually takes a while for the write buffer to fill up so it fails a random amount of time after boot.
It's tolerable software, as long as you don't try to do anything interesting with it. Deserves to be abandoned in an early 2000s museum for sure.