What's the best way to log from remote sites?
I have numerous systems in a remote site that I want to have redundant
logging provided locally. I want to reduce the chance of having logs spooling
on the clients, so they will have:
*.* @@log1:514
$ActionExecOnlyWhenPreviousIsSuspended on
& @@log2:514
& /var/spool/rsyslog
$ActionExecOnlyWhenPreviousIsSuspended off
The two local (to clients) log servers will then forward the logs they
receive to redundant log servers in my local site.
# log1
$ModLoad omrelp
*.* :omrelp:log1.drp:20514;RSYSLOG_ForwardFormat
#log2
$ModLoad omrelp
*.* :omrelp:log2.drp:20514;RSYSLOG_ForwardFormat
The two local (to me) log servers will then be forwarding the collected logs
on to a Flume syslog collector, to then be processed in Elasticsearch.
Should the two remote log servers send using RELP to a single VRRP address
running between 2 log servers, or will RELP work better with a one-to-one
relationship?
So in ASCII art:
log1 (remote) - \                            log1 (local)
                  log (local VRRP address)
log2 (remote) - /                            log2 (local)
or
log1 (remote) - log1 (local)
and
log2 (remote) - log2 (local)
OR is it possible to have RELP use something like this:
*.* :omrelp:log1.drp:20514;RSYSLOG_ForwardFormat
$ActionExecOnlyWhenPreviousIsSuspended on
*.* :omrelp:log2.drp:20514;RSYSLOG_ForwardFormat
& /var/spool/rsyslog
$ActionExecOnlyWhenPreviousIsSuspended off
I hope this ASCII art works :-)
Thanks in advance
--
Rgds
Rodney McKee
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
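
Added example, not part of the original post: the RELP failover chain asked about above, written in the same legacy multi-action form as the client-side TCP chain. Host names, port, template and spool path are the ones from the post; the placement of "&" follows rsyslog's documented failover pattern.

```conf
# Added example (legacy rsyslog syntax), for the remote-site relay servers.
$ModLoad omrelp

# As posted in the question (kept commented out for comparison):
# the second "*.*" is a new selector and therefore opens a new rule,
# so the log2 action is not a backup chained to the log1 action.
#*.* :omrelp:log1.drp:20514;RSYSLOG_ForwardFormat
#$ActionExecOnlyWhenPreviousIsSuspended on
#*.* :omrelp:log2.drp:20514;RSYSLOG_ForwardFormat
#& /var/spool/rsyslog
#$ActionExecOnlyWhenPreviousIsSuspended off

# Chained form: each backup action starts with "&" so it belongs to the
# same selector as the primary action.
*.* :omrelp:log1.drp:20514;RSYSLOG_ForwardFormat
$ActionExecOnlyWhenPreviousIsSuspended on
# Used only while the log1 action is suspended.
& :omrelp:log2.drp:20514;RSYSLOG_ForwardFormat
# Last resort: local file, path as given in the post.
& /var/spool/rsyslog
# Reset the directive so later rules are not affected.
$ActionExecOnlyWhenPreviousIsSuspended off
```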