
I run a RHEL server with rsyslog to collect my network logs, and after receiving a security bulletin alert I have to upgrade this server.

What is the strategy to upgrade this machine, knowing that many other machines' logs depend on it, and that with an OS update we may be faced with many reboots?

What is the behaviour of the other machines when rsyslog is not running?

NB: I should add that the syslog clients are appliances, some kind of SMG. And as is known, the appliances are limited on the configuration side and in tuning parameters.

Ali Mezgani

2 Answers

In this case, when you are maintaining your log server, you have to find an alternative way to store your log messages. You can:

  • install a new server and redirect log traffic to this server during the maintenance (depending on how you store your log messages, you might need to move the files from this server to the original)
  • have the clients store the messages during server maintenance: syslog-ng Open Source Edition 3.9 supports disk buffers that can store messages temporarily on disk if the server is not available. You could upgrade your clients to this version and configure disk buffering
  • if you don't want to or cannot upgrade your clients, you can combine the two previous options and create a relay that collects the messages from the clients and forwards them to the server, but uses a disk buffer during the server outage.
Robert Fekete
  • The response is interesting, but how easy is it to merge the logs from the relay server to the syslog-ng server? – Ali Mezgani Feb 08 '17 at 08:29
  • What about rsyslog? Does it contain a feature like disk buffers? – Ali Mezgani Feb 08 '17 at 10:05
  • ha for your syslog if you are prod. – c4f4t0r Feb 08 '17 at 10:07
  • Difficulty of merging the logs depends on how you store them. If you use plain-text files that are split by the hour (for example, using the $HOUR macro of syslog-ng), then you just have to move them to the main server, and maybe merge the files that are overlapping. – Robert Fekete Feb 08 '17 at 11:19

As always it depends...

The traditional syslog protocol, based on UDP, is best effort. If the remote syslog server is not able to receive the syslog events, the transmitting syslog server(s) can't detect that and during that period all transmitted events are lost and no attempt is made to transmit them again.

If both your syslog-ng and all your transmitting syslog server(s) use the more advanced TCP protocol version, they can detect that the remote syslog server has broken the connection. Depending on the syslog daemon events might be buffered and transmitted later...

HBruijn
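The relay with a disk buffer from Robert Fekete's third option, and the UDP-versus-TCP point from HBruijn's answer, as one added configuration example. This is not code from either answer nor from the syslog-ng project; it is a syslog-ng OSE 3.9 configuration for a relay host, written here for illustration. The server name logserver.example.com, the spool directory and the buffer sizes are assumptions to be replaced with site values.

```conf
@version: 3.9

# Relay node (added example, not from the answers): receives UDP syslog from
# appliances that cannot be reconfigured, forwards over TCP to the central
# server, and spools to local disk while the server is down for maintenance.

options {
    keep-hostname(yes);   # keep the appliance's own hostname in each message
    use-dns(no);
};

# The appliances (SMGs) can only be pointed at this relay over UDP/514.
source s_appliances {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Weak setting: UDP to the server is fire-and-forget. Every message sent
# while the server reboots is silently lost; the relay cannot even tell.
destination d_server_udp {
    network("logserver.example.com" port(514) transport("udp"));
};

# Corrected setting: TCP lets the relay notice the broken connection, and
# disk-buffer() keeps messages on local disk until the server is back,
# then drains them in order. Sizes and dir() are assumed values.
destination d_server_tcp {
    network("logserver.example.com" port(514) transport("tcp")
        disk-buffer(
            reliable(yes)               # buffer also survives a relay restart
            mem-buf-size(100000000)     # 100 MB in memory before spilling to disk
            disk-buf-size(2000000000)   # up to 2 GB on disk for this destination
            dir("/var/spool/syslog-ng")
        )
    );
};

# Only the buffered TCP path is wired in; d_server_udp is kept for comparison.
log {
    source(s_appliances);
    destination(d_server_tcp);
};
```

Because the buffered messages are replayed to the central server over the same TCP connection once it accepts connections again, no files have to be copied and merged by hand after the maintenance window; the remaining sizing question is whether disk-buf-size() covers the expected message volume for the longest outage.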