Hi,
I'm considering using rsyslog to replace the custom logging system of a
distributed program, and I had some questions about how to do this, and whether
my tentative design is reasonable. Assume all machines are running a recent
rsyslog (>= 5.6) on Linux.
We use logging for system monitoring and performance, not for security.
I plan to use the rsyslog time stamps to calculate the time through our
system.
The program runs on several clusters, and consists of numerous
services/processes. For concreteness, let's just look at one cluster,
and give each machine on it a name like cluster_01, cluster_02, etc.
I'd like to designate two machines in each cluster as being the log
servers; two to provide some redundancy for failures. Let cluster_01
and cluster_02 be the logging servers. There are about 20 machines
per cluster, so two logging servers will collect for about 18 machines,
each of which is running about 6 (six) services that we log events from.
The services get 50 - 100 requests/second, all have 1Gbps Ethernet links
into the same switch and disks that are fast enough to easily deal with
the write bandwidth needed.
I'd like the log messages from each service on each machine to go to
log files, something like this:
cluster_01:/var/log/cluster_03
                  --cluster_04
                  .
                  .
                  .
                  --cluster_nn
cluster_01:/var/log/cluster_03/service1/log
                             --service5/log
                             --service7/log
First question, does this make sense? Both as an explanation of what I'm
trying to do, and as a reasonable logging architecture?
Second question. What should my rsyslog.conf look like on each machine?
On the logging servers, I'd like all messages not from the server machine
to be stored in the log file with path determined from hostname, service name,
and pid, say. I may need more info later to assure that I can trace the path
of messages more easily, but this should be sufficient for starters. I'd
prefer that the conf files do not hardcode the names of the other machines
on themselves. On the cluster machines running the services, I'd like the
conf files to all be exactly the same, so they may refer to the logging
servers by name but not themselves. It has been very slow going for me trying
to figure out the syntax to do all of this. I looked at the example conf files,
and I was able to use expression based filters to get some of the way there
but I think everything I described should be doable with rsyslog.
Third, are there any subtle issues I should be thinking about here? For
example, since I'd like to use the log messages to calculate the performance
of the services, do I need to introduce some extra time stamps in the message
flow or are the rsyslog generated timestamps enough?
-- Brian
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
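
One possible pair of configurations for the layout asked about above, added here as an example and not part of the original post or of any reply to it. It uses rsyslog's legacy directive syntax and assumes TCP forwarding on port 514 and that each service tags its messages with its own name; the template names PerHostService and Precise are made up for illustration.

```conf
# ---- rsyslog.conf fragment, identical on every service machine ----
# Forward everything to the first log server over TCP, keeping the
# sender's high-precision timestamp (built-in RSYSLOG_ForwardFormat).
*.* @@cluster_01:514;RSYSLOG_ForwardFormat
# Use the second log server only while the first one is unreachable.
$ActionExecOnlyWhenPreviousIsSuspended on
& @@cluster_02:514;RSYSLOG_ForwardFormat
$ActionExecOnlyWhenPreviousIsSuspended off

# ---- rsyslog.conf fragment on the log servers (cluster_01, cluster_02) ----
$ModLoad imtcp
$InputTCPServerRun 514

# Dynamic file name built from values found in the received message.
# No client names are hardcoded. secpath-replace turns any "/" in the
# property into "_", so a sender-supplied hostname or tag cannot move
# the file outside /var/log/<host>/<service>/.
$template PerHostService,"/var/log/%hostname:::secpath-replace%/%programname:::secpath-replace%/log"

# Record both timestamps in RFC 3339 form:
#   timereported  = time written into the message by the sending machine
#   timegenerated = time this server received the message
# The difference includes clock skew between machines, so latency
# figures are only as good as the clusters' time synchronisation.
$template Precise,"%timereported:::date-rfc3339% %timegenerated:::date-rfc3339% %hostname% %syslogtag%%msg%\n"

# Messages that did not originate on this server go to the per-host,
# per-service files and are then discarded so they do not also land
# in the server's own local log files.
if $fromhost-ip != '127.0.0.1' then ?PerHostService;Precise
& ~
```

The failover pair sends each message to one server at a time; to have both servers hold a full copy, drop the two `$ActionExecOnlyWhenPreviousIsSuspended` lines so that both forwarding actions always run.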