where log-consolidation-server is the fully qualified domain name of the consolidation server. The name must be fully qualified or syslogd will not forward the messages properly.

NOTE: There must be a <tab> before each @ sign.

If you have customized syslog.conf, make sure to add the forwarding lines for your customizations as well.

syslogd must be stopped and restarted for these changes to take effect, using the following commands:

# /sbin/init.d/syslogd stop

# /sbin/init.d/syslogd start

With syslogd appropriately configured, now configure syslog-ng.

Start with the same syslog-ng.conf templates used by the clog_wizard. Copy /opt/dsau/share/clog/templates/syslog-ng.conf.server.template to /etc/syslog-ng.conf.server. This file has tokens named <%token-name%> that are replaced by the wizard based on the administrator’s answers to the wizard’s questions.

Replace the tokens as follows:

When using the TCP protocol and configuring the consolidation server to consolidate its own syslogs, replace the <%UDP_LOOPBACK_SOURCE%> token with:

source s_syslog_udp { udp(port(514)); };

Replace the <%UDP_LOOPBACK_LOG%> token with:

log { source(s_syslog_udp); destination(d_syslog_tcp); };

This causes the syslog-ng consolidator to read the local syslogd’s UDP messages and send them to syslog-ng on the local TCP port. Alternatively, the destination could be the local consolidation file directly (destination(d_syslog) in this default template), but relaying through the local TCP port configures the consolidation server’s client components in the same manner as a remote client. In other words, when the consolidator is a client of itself, it is configured identically to remote clients.

If using the UDP protocol or not consolidating the local syslogs of this server, delete the <%UDP_LOOPBACK_SOURCE%> and <%UDP_LOOPBACK_LOG%> tokens.

Replace the <%TYPE%> tokens with either udp or tcp depending on the desired log transport to support. Note that even when using TCP clients, UDP clients are also supported if the consolidation of the server’s local syslogs is configured. There are multiple lines with the <%TYPE%> token and all must be edited appropriately.

For the “source s_syslog_<%TYPE%>” line, replace the <%PORT%> and <%KEEP_ALIVE%> tokens with appropriate values, as follows:

source s_syslog_<%TYPE%> { <%TYPE%>(port(<%PORT%>) <%KEEP_ALIVE%>); };

For TCP, the port needs to be an available TCP port. See section “Configuring a Log Consolidation Standalone Server with clog_wizard” (page 46) for a discussion of selecting an available port. For UDP, use port 514.

<%KEEP_ALIVE%> applies only when selecting TCP as the log transport. Replace this token with “keep-alive(yes)”, which instructs syslog-ng to keep connections open when it is rereading its configuration file. If using UDP, delete this token.

For the “destination d_syslog_<%TYPE%>” line, replace the <%IP%> and <%PORT%> tokens:

destination d_syslog_<%TYPE%> { <%TYPE%>("<%IP%>" port(<%PORT%>)); };

For example, for TCP:

destination d_syslog_tcp { tcp("local_hostname" port(1776)); };
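
The token replacements described above, carried out with sed and checked for leftover tokens. This is an added example, not part of the original manual or of clog_wizard. The embedded template contains only the lines quoted in this section, and the function names render_server_conf and leftover_tokens are hypothetical.

```shell
#!/bin/sh
# SAMPLE_TEMPLATE is constructed from the lines quoted in this section only;
# it is not the full syslog-ng.conf.server.template.
SAMPLE_TEMPLATE='<%UDP_LOOPBACK_SOURCE%>
<%UDP_LOOPBACK_LOG%>
source s_syslog_<%TYPE%> { <%TYPE%>(port(<%PORT%>) <%KEEP_ALIVE%>); };
destination d_syslog_<%TYPE%> { <%TYPE%>("<%IP%>" port(<%PORT%>)); };'

# render_server_conf TRANSPORT PORT HOST OWN_LOGS   (hypothetical helper)
#   TRANSPORT tcp or udp; PORT listening port (514 for udp);
#   HOST value for <%IP%>; OWN_LOGS yes = consolidate this server's syslogs.
# Reads the template on stdin and writes the edited configuration on stdout.
render_server_conf() {
    transport=$1 port=$2 host=$3 own_logs=$4
    # Validate before the values reach sed, so they cannot alter the script.
    case $transport in tcp|udp) ;; *) echo "transport: tcp or udp" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "port: digits only" >&2; return 1 ;; esac
    case $host in ''|*[!A-Za-z0-9._-]*) echo "host: bad character" >&2; return 1 ;; esac

    if [ "$transport" = tcp ] && [ "$own_logs" = yes ]; then
        # Read the local syslogd's UDP messages and relay them to the TCP port.
        loop_src='s|<%UDP_LOOPBACK_SOURCE%>|source s_syslog_udp { udp(port(514)); };|'
        loop_log='s|<%UDP_LOOPBACK_LOG%>|log { source(s_syslog_udp); destination(d_syslog_tcp); };|'
    else
        # UDP transport, or no local consolidation: drop both token lines.
        loop_src='/<%UDP_LOOPBACK_SOURCE%>/d'
        loop_log='/<%UDP_LOOPBACK_LOG%>/d'
    fi
    if [ "$transport" = tcp ]; then
        keep='s|<%KEEP_ALIVE%>|keep-alive(yes)|g'
    else
        keep='s| *<%KEEP_ALIVE%>||g'      # token and its leading blank removed
    fi
    sed -e "$loop_src" -e "$loop_log" -e "$keep" \
        -e "s|<%TYPE%>|$transport|g" \
        -e "s|<%PORT%>|$port|g" \
        -e "s|<%IP%>|$host|g"
}

# Print the number of lines that still carry an unreplaced <%TOKEN%>.
leftover_tokens() { grep -c '<%[A-Z_]*%>' || true; }

printf '%s\n' "$SAMPLE_TEMPLATE" | render_server_conf tcp 1776 local_hostname yes
```

Run leftover_tokens over the edited file before restarting syslog-ng; any count other than 0 means a token was missed.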

3.3 Log Consolidation Configuration
