The syslog-ng OSE application is open source, so if you have the necessary programming skills, you can extend it if its features are not adequate for your particular environment or needs. You can write destinations and other extensions to syslog-ng OSE in C (the main language of syslog-ng OSE), or using its language bindings, for example, Java or Python. .
For details on extending syslog-ng OSE in Python, see the python: writing custom Python destinations.
For details on extending syslog-ng OSE in Java, see the syslog-ng OSE Developer Guide
If you delete all Java destinations from your configuration and reload syslog-ng, the JVM is not used anymore, but it is still running. If you want to stop JVM, stop syslog-ng and then start syslog-ng again.
syslog-ng OSE can detect if the remote server of a network destination becomes inaccessible, and start sending messages to a secondary server. You can configure multiple failover servers, so if the secondary server becomes inaccessible as well, syslog-ng OSE switches to the third server in the list, and so on. If there are no more failover servers left, syslog-ng OSE returns to the beginning of a list and attempts to connect to the primary server.
The primary server is the address you provided in the destination driver configuration and it has a special role. syslog-ng OSE nominates this destination over the failover servers, and handles it as the primary address.
When syslog-ng OSE starts up, it always connects to the primary server first. In the failover() option there is a possibility to customize the failover modes.
Depending on how you set the failback() option, syslog-ng OSE behaves as follows:
round-robin mode: If failback() is not set, syslog-ng OSE does not attempt to return to the primary server even if it becomes available. In case the failover server fails, syslog-ng OSE attempts to connect the next failover server in the list in round-robin fashion.
In the following example syslog-ng OSE handles the logservers in round-robin fashion if the primary logserver becomes inaccessible (therefore failback() option is not set).
destination d_network { network( "primary-server.com" port(601) failover( servers("failover-server1", "failover-server2") ) ); };
failback mode: If failback() is set, syslog-ng OSE attempts to return to the primary server.
After syslog-ng OSE connects a secondary server during a failover, it sends a probe every tcp-probe-interval() seconds towards the primary server. If the primary logserver responds with a TCP ACK packet, the probe is successful. When the number of successful probes reaches the value set in the successful-probes-required() option, syslog-ng OSE tries to connect the primary server using the last probe.
|
NOTE:syslog-ng OSE always waits for the result of the last probe before sending the next message. So if one connection attempt takes longer than the configured interval, that is, it waits for connection time out, you may experience longer intervals between actual probes. |
In the following example syslog-ng OSE attempts to return to the primary logserver, as set in the failback() option: it will check if the server is accessible every tcp-probe-interval() seconds, and reconnect to the primary logserver after three successful connection attempts.
destination d_network_2 { network( "primary-server.com" port(601) failover( servers("failover-server1", "failover-server2") failback( successful-probes-required() tcp-probe-interval() ) ) ); };
If syslog-ng OSE is restarted, it attempts to connect the primary server.
If syslog-ng OSE uses TLS-encryption to communicate with the remote server, syslog-ng OSE checks the certificate of the failover server as well. The certificates of the failover servers should match their domain names or IP addresses — for details, see Encrypting log messages with TLS. Note that when mutual authentication is used, the syslog-ng OSE client sends the same certificate to every server.
The primary server and the failover servers must be accessible with the same communication method: it is not possible to use different destination drivers or options for the different servers.
Client-side failover works only for TCP-based connections (including TLS-encrypted connections), that is, the syslog() and network() destination drivers (excluding UDP transport).
Client-side failover is not supported in the sql() driver, even though it may use a TCP connection to access a remote database.
For details on configuring failover servers, see network() destination options and syslog() destination options.
if-else-elif: Conditional expressions
Managing incoming and outgoing messages with flow-control
Flow-control and multiple destinations
Using disk-based and memory buffering
Enabling reliable disk-based buffering
Enabling normal disk-based buffering
Combining filters with boolean operators
Comparing macro values in filters
Using wildcards, special characters, and regular expressions in filters
Log paths determine what happens with the incoming log messages. Messages coming from the sources listed in the log statement and matching all the filters are sent to the listed destinations.
To define a log path, add a log statement to the syslog-ng configuration file using the following syntax:
log { source(s1); source(s2); ... optional_element(filter1|parser1|rewrite1); optional_element(filter2|parser2|rewrite2); ... destination(d1); destination(d2); ... flags(flag1[, flag2...]); };
|
Caution:
Log statements are processed in the order they appear in the configuration file, thus the order of log paths may influence what happens to a message, especially when using filters and log flags. |
The order of filters, rewriting rules, and parsers in the log statement is important, as they are processed sequentially.
The following log statement sends all messages arriving to the localhost to a remote server.
source s_localhost { network( ip(127.0.0.1) port(1999) ); }; destination d_tcp { network("10.1.2.3" port(1999) localport(999) ); }; log { source(s_localhost); destination(d_tcp); };
All matching log statements are processed by default, and the messages are sent to every matching destination by default. So a single log message might be sent to the same destination several times, provided the destination is listed in several log statements, and it can be also sent to several different destinations.
This default behavior can be changed using the flags() parameter. Flags apply to individual log paths, they are not global options. For details and examples on the available flags, see Log path flags. The effect and use of the flow-control flag is detailed in Managing incoming and outgoing messages with flow-control.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center