Mailing List Archive

local/remote logging
I want to have logs written locally (the way they usually
are) as well as sent to a central logger.

The two situations that I want local logs for are:

1) in case the central logger is not available for any
reason, I don't lose messages

2) if I need to troubleshoot something, I can just look at
the local logs

Obviously, I will rotate the local logs and have older ones
discarded. Whereas the central logger will archive them for
longer periods.


Can I accomplish this with rsyslog? AIUI, I can, and I have
to move to at least v3.11.x -- is that correct?

Assuming yes, I already got the remote logging working. What
do I do to get the simultaneous local logging to work too?

I can't find any wiki or faq on this. If I get it working,
I'd be happy to post it on the site.

johnn
local/remote logging
Hi Johnn,

On Wed, 2008-03-05 at 19:49 -0500, Johnny Tan wrote:
> I want to have logs written locally (the way they usually
> are) as well as sent to a central logger.
>
> The two situations that I want local logs for are:
>
> 1) in case the central logger is not available for any
> reason, I don't lose messages

You don't need to lose messages when the remote host is unavailable. Use
queued mode. This is currently documented for the database, but works
for any other action as well:

http://www.rsyslog.com/doc-rsyslog_high_database_rate.html

>
> 2) if I need to troubleshoot something, I can just look at
> the local logs
>
> Obviously, I will rotate the local logs and have older ones
> discarded. Whereas the central logger will archive them for
> longer periods.
>
>
> Can I accomplish this with rsyslog? AIUI, I can, and I have
> to move to at least v3.11.x -- is that correct?

Indeed. But don't use anything earlier than 3.12.0 - if you do, you'll
run into a couple of bugs.

> Assuming yes, I already got the remote logging working. What
> do I do to get the simultaneous local logging to work too?

Rsyslog carries out whatever you configure. So just add a rule for local
logging, e.g.

*.* -/var/log/local-logfile

That's it ;)


> I can't find any wiki or faq on this. If I get it working,
> I'd be happy to post it on the site.

That would be much appreciated!

HTH
Rainer
local/remote logging
Rainer Gerhards wrote:
> Hi Johnn,
>
> On Wed, 2008-03-05 at 19:49 -0500, Johnny Tan wrote:
>> I want to have logs written locally (the way they usually
>> are) as well as sent to a central logger.
>>
>> The two situations that I want local logs for are:
>>
>> 1) in case the central logger is not available for any
>> reason, I don't lose messages
>
> You don't need to lose message when the remote host is unavailable. Use
> queued mode. This is currently documented for the database, but works
> for any other action as well:

Hmm... and this is doable even with 2.x, right?

So I could have it queued in memory buffer long enough to
bring it back up or bring up another one with same ip to
accept the messages?



>> Assuming yes, I already got the remote logging working. What
>> do I do to get the simultaneous local logging to work too?
>
> Rsyslog carries out whatever you configure. So just add a rule for local
> logging, e.g.
>
> *.* -/var/log/local-logfile

Awesome! Thanks.

I'll post on the wiki once I get it working.

johnn
local/remote logging
> >> 1) in case the central logger is not available for any
> >> reason, I don't lose messages
> >
> > You don't need to lose message when the remote host is unavailable. Use
> > queued mode. This is currently documented for the database, but works
> > for any other action as well:
>
> Hmm... and this is doable even with 2.x, right?

Sorry, Dude, no such queues in v2 :-(

> So I could have it queued in memory buffer long enough to
> bring it back up or bring up another one with same ip to
> accept the messages?

It's *not* a main memory buffer. If you configure it to use disk *and*
you have enough disk space, it can queue for ages. It's pretty advanced,
the full doc on queues is here:

http://www.rsyslog.com/doc-queues.html

The disk, of course, is only touched if needed. If the destination
server is only offline for a brief period, messages may be buffered in
memory only. But if the volume is too large or you stop rsyslogd for a
while, it is written to disk.

So if you have enough disk space and your destination dies on Friday and
you are too lazy to come in over the weekend, rsyslogd will send all
queued elements after the restart on Monday. The same, of course, works
if you are on vacation ;)

Rainer
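
The setup discussed in this thread (a local file rule plus queued forwarding to the central logger), written out as an added example that is not from the original posts or from the rsyslog project. The host name, port, spool directory, queue file name and disk cap are assumptions.

```conf
# rsyslog.conf fragment in legacy directive syntax (rsyslog v3 and later).
# Added example: host, port, paths, queue name and size cap are assumptions.

$ModLoad imuxsock    # local syslog socket input
$ModLoad imklog      # kernel log input

# Spool directory for disk queue files. It must exist and be writable
# by rsyslogd, and should not be readable by unprivileged users.
$WorkDirectory /var/spool/rsyslog

# 1) Local copy, the rule given in the thread. The leading "-" turns off
#    syncing after every write, so the last lines can be lost in a crash.
*.* -/var/log/local-logfile

# 2) Remote copy through a disk-assisted action queue. The $ActionQueue*
#    directives apply only to the next action, so they sit right before it.
$ActionQueueType LinkedList      # in-memory queue, processed asynchronously
$ActionQueueFileName fwdq        # a file name enables spilling to disk
$ActionQueueMaxDiskSpace 1g      # cap spool usage (assumed value)
$ActionQueueSaveOnShutdown on    # write queued messages to disk on shutdown
$ActionResumeRetryCount -1       # keep retrying while the destination is down

# "@@" forwards over TCP. With UDP ("@") the sender cannot tell that the
# central logger is down, so nothing would be held back in the queue.
*.* @@central.example.com:514
```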