where
NOTE: There must be a <tab> before each @ sign.
If you have customized syslog.conf, make sure to add the forwarding lines for your customizations as well.
syslogd must be stopped and restarted for these changes to take effect, using the following commands:
# /sbin/init.d/syslogd stop
# /sbin/init.d/syslogd start
With syslogd appropriately configured, now configure
Start with the same
Replace the tokens as follows:
• When using the TCP protocol and configuring the consolidation server to consolidate its own syslogs, replace the <%UDP_LOOPBACK_SOURCE%> token with:
source s_syslog_udp { udp(port(514)); };
Replace the <%UDP_LOOPBACK_LOG%> token with:
log { source(s_syslog_udp); destination(d_syslog_tcp); };
This causes the
If using the UDP protocol or not consolidating the local syslogs of this server, delete the <%UDP_LOOPBACK_SOURCE%> and <%UDP_LOOPBACK_LOG%> tokens.
• Replace the <%TYPE%> tokens with either udp or tcp depending on the desired log transport to support. Note that even when using TCP clients, UDP clients are also supported if the consolidation of the server’s local syslogs is configured. There are multiple lines with the <%TYPE%> token and all must be edited appropriately.
• For the “source s_syslog_<%TYPE%>” line, replace the <%PORT%> and <%KEEP_ALIVE%> tokens with appropriate values, as follows:
source s_syslog_<%TYPE%> { <%TYPE%>(port(<%PORT%>) <%KEEP_ALIVE%>); };
For TCP, the port needs to be an available TCP port. See section “Configuring a Log Consolidation Standalone Server with clog_wizard” (page 46) for a discussion of selecting an available port. For UDP, use port 514.
<%KEEP_ALIVE%> applies only when selecting TCP as the log transport. Replace this token with
• For the “destination d_syslog_<%TYPE%>” line, replace the <%IP%> and <%PORT%> tokens:
destination d_syslog_<%TYPE%> { <%TYPE%>("<%IP%>" port(<%PORT%>)); };
For example, for TCP:
destination d_syslog_tcp { tcp("local_hostname" port(1776)); };
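
Because several lines carry tokens and all of them must be edited, a quick check of the finished file catches anything that was missed. The script below is an added example, not part of the manual; the function name lint_conf and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the manual. lint_conf is a hypothetical helper name.

# Print one finding per line; return 0 when the file is clean, 1 otherwise.
lint_conf() {
    conf=$1
    loop_log='log { source(s_syslog_udp); destination(d_syslog_tcp); };'
    findings=$(
        # 1. A leftover <%TOKEN%> means a template line was missed.
        grep -n '<%[A-Z_]*%>' "$conf" | sed 's/^/unreplaced token, line /'
        # 2. Curly quotes pasted from a formatted document are not the
        #    straight double quotes that delimit strings in the config.
        grep -n -e '“' -e '”' "$conf" | sed 's/^/typographic quote, line /'
        # 3. The loopback log statement and its UDP source go together.
        if grep -qF "$loop_log" "$conf"; then
            grep -q '^source s_syslog_udp ' "$conf" ||
                echo 'loopback log present, source s_syslog_udp missing'
        elif grep -q '^source s_syslog_udp ' "$conf" &&
             grep -q '^destination d_syslog_tcp ' "$conf"; then
            echo 'loopback source present, loopback log statement missing'
        fi
    )
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a TCP configuration with three editing mistakes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
source s_syslog_tcp { tcp(port(1776) <%KEEP_ALIVE%>); };
destination d_syslog_tcp { tcp(“local_hostname” port(1776)); };
log { source(s_syslog_udp); destination(d_syslog_tcp); };
EOF
lint_conf "$sample" || echo "fix the findings above"
rm -f "$sample"
```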
3.3 Log Consolidation Configuration | 57 |