
syslog redirection

 
SOLVED
Tim Reed
Occasional Contributor

syslog redirection

I'm being asked to route syslog messages to a central server. I know how to configure syslog.conf to do that. My question is what happens if the central server is down or the network is unavailable? Will the messages just be lost or will they queue up on the local server for later delivery?

Thanks,
Tim
6 REPLIES 6
Jeff_Traigle
Honored Contributor
Solution

Re: syslog redirection

From RFC-3164:

6.4 Reliable Delivery

As there is no mechanism within either the syslog process or the
protocol to ensure delivery, and since the underlying transport is
UDP, some messages may be lost. They may either be dropped through
network congestion, or they may be maliciously intercepted and
discarded. The consequences of the drop of one or more syslog
messages cannot be determined. If the messages are simple status
updates, then their non-receipt may either not be noticed, or it may
cause an annoyance for the system operators. On the other hand, if
the messages are more critical, then the administrators may not
become aware of a developing and potentially serious problem.
Messages may also be intercepted and discarded by an attacker as a
way to hide unauthorized activities.
--
Jeff Traigle
Steven E. Protter
Exalted Contributor

Re: syslog redirection

Shalom Tim,

What usually happens if the central server is down is the entries are lost for the entire time the central server is down.

You can configure it to go both places though so there will be no actual data loss.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Ivan Ferreira
Honored Contributor

Re: syslog redirection

You should configure logging to a local file and also to the central server. That is your best option.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
PeterWolfe
Respected Contributor

Re: syslog redirection

As stated, for standard syslogd with UDP the messages are
dropped.

Starting with 11.23 December 05, syslog-ng shipped with
HP-UX as part of the Distributed System Administration
Utilities (DSAU). syslog-ng (for "next generation") is a
syslogd replacement. For this version of HP-UX we configure
it alongside standard syslogd. syslogd forwards messages to
syslog-ng and syslog-ng forwards off-host. If the log
consolidation system is also running syslog-ng, then you can
configure syslog-ng clients to use a TCP transport instead
of UDP. This is still not a guarantee of message delivery
but with TCP you can configure the buffer size on the
client-side to try and mitigate message loss. Depending on the
volume of log traffic on the client, this can work well.

The DSAU tools also make it trivial to set up a Serviceguard
cluster as a log consolidator (syslog-ng is configured as a
package). The clients forward to the package's floating IP
address. This again is *not* a guarantee of no message loss
when using UDP, but since SG can be tuned for fast failover,
loss can be minimized. TCP can also be used in this
configuration as well.

Another technique some folks use is to forward from the
clients to two independent log consolidators.


pete




Muthukumar_5
Honored Contributor

Re: syslog redirection

If you have only one control point to which you are going to log syslog messages, then you will lose information. Maybe you can store the information on the local machine too.

If the central syslog server is working, then you can remove the log files on the local server; otherwise keep them safe for tracking.

Scripting is needed to achieve this.

--
Muthu
Easy to suggest when don't know about the problem!
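
The reconciliation the replies above describe (log locally as well as centrally, and remove the local files only once the central server holds the same entries), as an added example that is not part of any post in this thread. It assumes the central server stores each line byte-for-byte as the client wrote it; the host name, messages, addresses and year are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter
from datetime import datetime

def stamp(line, year):
    """Parse the RFC 3164 'Mmm dd hh:mm:ss' header; it carries no year, so one is supplied."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def loss_windows(local_lines, central_lines, year):
    """Return (first_lost, last_lost, count) for each run of local entries the central copy lacks."""
    # Multiset, not set: identical lines within one second are legitimate repeats.
    seen = Counter(l.rstrip("\n") for l in central_lines)
    windows, run = [], []
    for line in local_lines:
        key = line.rstrip("\n")
        if seen[key] > 0:            # delivered: consume one central copy, close any open run
            seen[key] -= 1
            if run:
                windows.append((run[0], run[-1], len(run)))
                run = []
        else:                        # never arrived at the central server
            run.append(stamp(key, year))
    if run:
        windows.append((run[0], run[-1], len(run)))
    return windows

def safe_to_purge(local_lines, central_lines, year):
    """Local logs may be removed only when every local entry is present centrally."""
    return not loss_windows(local_lines, central_lines, year)

# Constructed sample data: the central server missed two entries sent over UDP.
LOCAL = [
    "Oct 11 22:14:15 web01 sshd[411]: Accepted password for tim from 192.0.2.10",
    "Oct 11 22:14:20 web01 su: + tty1 tim-root",
    "Oct 11 22:15:02 web01 sshd[420]: Failed password for root from 192.0.2.77",
    "Oct 11 22:15:02 web01 sshd[420]: Failed password for root from 192.0.2.77",
    "Oct 11 22:15:40 web01 su: - tty2 ops-root",
    "Oct 11 22:17:00 web01 cron[88]: job started",
]
CENTRAL = [LOCAL[0], LOCAL[1], LOCAL[2], LOCAL[5]]

if __name__ == "__main__":
    for first, last, n in loss_windows(LOCAL, CENTRAL, 2005):
        print(f"{n} entries missing centrally between {first} and {last}")
    print("safe to purge local copy:", safe_to_purge(LOCAL, CENTRAL, 2005))
```

A non-empty result marks the span in which the local file is the only record, so that file should be retained rather than rotated away.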
Arunvijai_4
Honored Contributor

Re: syslog redirection

Hi Tim,

If the centralised server goes down, entries from the corresponding time will be lost. There is no way to overcome this other than having a backup of the centralised server. A failover method will help you.

-Arun
"A ship in the harbor is safe, but that is not what ships are built for"