1

I have been assigned to configure syslog-ng on a Linux device to perform in a certain way. I am fairly new to working with syslog-ng, so please take that into consideration when replying.

The following statements explain the prerequisites for the configuration:

  • Send data to a specified IP (can't show here)
  • If the device with the IP above can't be reached, then buffer to memory
  • When memory is full, buffer to file
  • When a file is full, create a new one; once 5 files have been created, start overwriting the first file (like a round robin process)

What I need help with is understanding how I configure syslog-ng to perform the memory and file prerequisites.

Any help is much appreciated!

PerryBerry

1 Answer

2

All this should be configured in the syslog-ng.conf file. You'll need to configure your sources separately. First you need local logs:

destination i_assume_you_already_have_this {
    file("/var/log/whatever");
};

You want to use a destination block to send to a remote server:

destination a_name {
    syslog("10.1.2.3" transport("tcp"));
};

and a related entry to send your local logs to this destination:

log {
    # source() must name a source block (configured separately), not the file destination above
    source(i_assume_you_already_have_this);
    destination(a_name);
};

Disk buffering + memory buffering is enabled by adding something like this to the remote destination block:

disk-buffer(
    mem-buf-length(<number of messages>)  # counted in messages, not bytes, when reliable(no)
    disk-buf-size(<size in bytes>)        # maximum size of the on-disk queue file
    reliable(no)
)

syslog-ng does not support log rotation based on size by default. You'll need to use logrotate, and postrotate to reload syslog-ng. You'll need something like this in your logrotate configuration:

/var/log/whatever {
   rotate 5
   size <some size>
   postrotate
      /etc/init.d/syslog-ng reload >/dev/null
   endscript
} 

You can find a lot of this information in the manual, here: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide

Jesse K
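The fragments from the answer above, assembled into one syslog-ng.conf as an added example (not part of the original answer). The object names `s_local`, `d_local_file` and `d_remote` and the buffer sizes are assumptions chosen for illustration; `10.1.2.3` is the answer's placeholder address.

```conf
@version: 3.16
@include "scl.conf"   # provides the system() source used below

# Local log sources, defined once and reused by both log paths.
source s_local {
    system();     # platform-specific local sources
    internal();   # syslog-ng's own messages, including connection errors
};

# Local copy on disk; this is the file the logrotate rule rotates.
destination d_local_file {
    file("/var/log/whatever");
};

# Remote server with buffering for the time it is unreachable.
destination d_remote {
    syslog("10.1.2.3" transport("tcp")
        disk-buffer(
            mem-buf-length(10000)      # assumed value: messages kept in memory (a count, not bytes)
            disk-buf-size(104857600)   # assumed value: 100 MiB on-disk queue, in bytes
            reliable(no)               # faster, but queued messages can be lost if syslog-ng crashes
        )
    );
};

# One log path per destination, both fed from the same source.
log { source(s_local); destination(d_local_file); };
log { source(s_local); destination(d_remote); };
```

Running `syslog-ng --syntax-only --cfgfile <path to this file>` checks the file for errors before the service is reloaded.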