Chat now with support
Chat with Support

syslog-ng Premium Edition 7.0.19 - Administration Guide

Preface Introduction to syslog-ng The concepts of syslog-ng Installing syslog-ng The syslog-ng PE quick-start guide The syslog-ng PE configuration file Collecting log messages — sources and source drivers
How sources work default-network-drivers: Receive and parse common syslog messages internal: Collecting internal messages file: Collecting messages from text files wildcard-file: Collecting messages from multiple text files linux-audit: Collecting messages from Linux audit logs network: Collecting messages using the RFC3164 protocol (network() driver) office365: Fetching logs from Office 365 osquery: Collect and parse osquery result logs pipe: Collecting messages from named pipes program: Receiving messages from external applications python: writing server-style Python sources python-fetcher: writing fetcher-style Python sources snmptrap: Read Net-SNMP traps syslog: Collecting messages using the IETF syslog protocol (syslog() driver) system: Collecting the system-specific log messages of a platform systemd-journal: Collecting messages from the systemd-journal system log storage systemd-syslog: Collecting systemd messages using a socket tcp, tcp6, udp, udp6: Collecting messages from remote hosts using the BSD syslog protocol udp-balancer: Receiving UDP messages at very high rate unix-stream, unix-dgram: Collecting messages from UNIX domain sockets windowsevent: Collecting Windows event logs
Sending and storing log messages — destinations and destination drivers
elasticsearch2: Sending messages directly to Elasticsearch version 2.0 or higher (DEPRECATED) elasticsearch-http: Sending messages to Elasticsearch HTTP Event Collector file: Storing messages in plain-text files hdfs: Storing messages on the Hadoop Distributed File System (HDFS) http: Posting messages over HTTP kafka: Publishing messages to Apache Kafka logstore: Storing messages in encrypted files mongodb: Storing messages in a MongoDB database network: Sending messages to a remote log server using the RFC3164 protocol (network() driver) pipe: Sending messages to named pipes program: Sending messages to external applications python: writing custom Python destinations sentinel: Sending logs to the Microsoft Azure Sentinel cloud smtp: Generating SMTP messages (email) from logs splunk-hec: Sending messages to Splunk HTTP Event Collector sql: Storing messages in an SQL database stackdriver: Sending logs to the Google Stackdriver cloud syslog: Sending messages to a remote logserver using the IETF-syslog protocol syslog-ng(): Forward logs to another syslog-ng node tcp, tcp6, udp, udp6: Sending messages to a remote log server using the legacy BSD-syslog protocol (tcp(), udp() drivers) unix-stream, unix-dgram: Sending messages to UNIX domain sockets usertty: Sending messages to a user terminal — usertty() destination Client-side failover
Routing messages: log paths, flags, and filters Global options of syslog-ng PE TLS-encrypted message transfer Advanced Log Transfer Protocol Reliability and minimizing the loss of log messages Manipulating messages parser: Parse and segment structured messages Processing message content with a pattern database Correlating log messages Enriching log messages with external data Monitoring statistics and metrics of syslog-ng Multithreading and scaling in syslog-ng PE Troubleshooting syslog-ng Best practices and examples The syslog-ng manual pages Glossary

How to get information about disk-buffer files

This section describes how to get information about disk-buffer files used in syslog-ng Premium Edition (syslog-ng PE).

NOTE: Consider the following while reading this section:

  • This section uses the default installation path /opt/syslog-ng in the commands and syslog-ng PE files.
  • The syslog-ng PE persist file format is different in syslog-ng PE 6 and syslog-ng PE 7, so the commands may differ for the two versions.
Topics:

Useful information about disk-buffers

This section describes useful information about disk-buffers used in syslog-ng Premium Edition(syslog-ng PE).

The following list contains useful information about disk-buffers:

Getting the list of disk-buffer files

This section describes getting the list of disk-buffer files used in syslog-ng Premium Edition(syslog-ng PE).

The syslog-ng PE application stores information (namely, the IP:PORT or DNS:PORT of the destinations, and the name of the disk-buffer file) about disk-buffers in its persist file.

syslog-ng PE 6 LTS
Command for listing the disk-buffer files in use for syslog-ng PE 6 LTS

For syslog-ng PE 6 LTS, the following command will list the disk-buffer files in use:

/opt/syslog-ng/bin/persist-tool dump /opt/syslog-ng/var/syslog-ng.persist | grep '_qfile' | sed -e 's/\\//g'

The example output will look like this:

afsocket_dd_qfile(stream,10.21.10.112:514) = { "queue_file": "/opt/syslog-ng/var/syslog-ng-00000.rqf" }
syslog-ng PE 7 LTS
Command for listing the disk-buffer files in use for syslog-ng Premium Edition 7 LTS

For syslog-ng PE 7 LTS, the following command will list the disk-buffer files in use:

/opt/syslog-ng/bin/persist-tool dump /opt/syslog-ng/var/syslog-ng.persist | awk -F '["=]' '/(qfile\(|\.queue)/ { gsub(/[ \t]+/, "", $5); gsub(/^[0-9A-Fa-f]{8}/, "", $5); "echo "$5"|xxd -r -p"|& getline QUEUE; printf("%s ==> %s\n",$1,QUEUE)}'

The example output will look like this:

afsocket_dd_qfile(stream,10.21.10.20:601)  ==> /opt/syslog-ng/var/syslog-ng-00000.rqf

NOTE: Install a vim-common package on your system if you receive the following error message instead of the example output:

xxd: command not found

Getting status information of disk-buffer files

This section describes getting status information about the disk-buffer files used in syslog-ng Premium Edition(syslog-ng PE).

Command syntax

The basic command syntax for getting status information about the disk-buffer files used in syslog-ng PE looks like this:

/opt/syslog-ng/bin/dqtool info DISK_QUEUE_FILE
Example commands

The following example commands describe how you can get status information about two different type of disk-buffer files (namely, empty normal disk-buffer files, and non-empty reliable disk-buffer queue files.

Example commands for empty normal disk-buffer files, and non-empty reliable disk-buffer queue files
  • Empty normal disk-buffer file (all *_length is zero)

    /opt/syslog-ng/bin/dqtool info /opt/syslog-ng/var/syslog-ng-00000.qf 
    
    Disk-buffer state loaded; filename='/opt/syslog-ng/var/syslog-ng-00000.qf', qout_length='0', qbacklog_length='0', qoverflow_length='0', qdisk_length='0'
  • Non-empty, reliable disk-buffer queue file

    /opt/syslog-ng/bin/dqtool info /opt/syslog-ng/var/syslog-ng-00000.rqf
    
    Reliable disk-buffer state loaded; filename='/opt/syslog-ng/var/syslog-ng-00000.rqf', queue_length='3519', size='1995952'
One-liner command to get the state of disk-buffer files in the default directory

You can use the following one-liner command to get the state of disk-buffer files in the default directory:

for qfile in /opt/syslog-ng/var/*.?(r)qf ; do /opt/syslog-ng/bin/dqtool info $qfile 2>&1 ; done | cut -f2 -d ";" | awk -F \' '/_length/ { if ($4 > 0) { print "\nNON-EMPTY DISK-BUFFER\t"$0; } else { print "\nEmpty disk-buffer\t"$0 } }'
Related Documents