1. If you want the local syslog messages for the cluster itself to be part of the consolidated syslog, complete the following tasks:

a. Start by configuring the standard syslogd to co-exist with a syslog-ng consolidator. By default, syslogd listens for incoming log messages on UDP port 514. To use the UDP protocol or consolidate this server's local syslogs, syslog-ng must listen on UDP port 514. Edit /etc/rc.config.d/syslogd and change SYSLOGD_OPTS to add the -N switch to prevent syslogd from listening on port 514. For example:

SYSLOGD_OPTS="-D -N"

b. Edit the /etc/syslog.conf file to forward log messages to UDP port 514 on the local host where they will be read by syslog-ng. Using the HP-UX default /etc/syslog.conf as the example, add the following lines:

mail.debug @log-consolidation-server

*.info;mail.none @log-consolidation-server

where log-consolidation-server is the fully qualified domain name of the local cluster member. The name must be fully qualified or syslogd will not forward messages properly.

If you have customized syslog.conf, make sure to add the forwarding lines for your customizations as well.

c. Since /etc/rc.config.d/syslogd is generic, it can be distributed cluster-wide using ccp, as follows:

# ccp /etc/rc.config.d/syslogd /etc/rc.config.d/

d. The /etc/syslog.conf is specific to each member and the edits described previously must be performed on each cluster member.

e. Once you have made the above changes on each cluster member, syslogd must be restarted for these changes to take effect. Use cexec to do this on all members of the cluster:

# cexec "/sbin/init.d/syslogd stop;/sbin/init.d/syslogd start"
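
A pre-restart check for steps a through e, as an added example that is not part of the HP documentation: it confirms that SYSLOGD_OPTS carries -N and that every forwarding line in syslog.conf is well formed and names a fully qualified host. The function names, the sample files and member1.example.com are assumptions, and "fully qualified" is approximated as "contains a dot".

```shell
#!/bin/sh
# Added example (not from the HP manual): audit one member's syslogd files.

# Succeed if the active SYSLOGD_OPTS assignment carries a separate -N switch.
opts_has_N() {
    opts=$(sed -n 's/^[[:space:]]*SYSLOGD_OPTS=//p' "$1" | tail -n 1 | tr -d "\"'")
    for o in $opts; do
        [ "$o" = "-N" ] && return 0
    done
    return 1
}

# Print every forwarding target (the host after "@") in a syslog.conf.
forward_targets() {
    awk 'NF >= 2 && $1 !~ /^#/ && $2 ~ /^@/ { print substr($2, 2) }' "$1"
}

# Print one finding per malformed forwarding line.
audit_forwarding() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        NF == 1 && $1 ~ /@/  { print "line " NR ": no whitespace before @host: " $1; next }
        $2 ~ /^@/ && $2 !~ /\./ { print "line " NR ": target not fully qualified: " $2 }
    ' "$1"
}

# usage: check_member <rc.config.d/syslogd> <syslog.conf>; returns 0 when clean
check_member() {
    rc=0
    opts_has_N "$1" || { echo "SYSLOGD_OPTS lacks -N; syslogd still listens on UDP 514"; rc=1; }
    findings=$(audit_forwarding "$2")
    [ -z "$findings" ] || { echo "$findings"; rc=1; }
    [ -n "$(forward_targets "$2")" ] || { echo "no @host forwarding lines found"; rc=1; }
    return $rc
}

# Constructed sample files; member1.example.com is a placeholder name.
# (GNU/BSD mktemp; on a cluster member, point check_member at the real files.)
demo=$(mktemp -d)
printf 'SYSLOGD_OPTS="-D -N"\n' > "$demo/good.rc"
printf 'SYSLOGD_OPTS="-D"\n' > "$demo/bad.rc"
printf 'mail.debug\t@member1.example.com\n*.info;mail.none\t@member1.example.com\n' > "$demo/good.conf"
printf 'mail.debug@member1\n*.info;mail.none\t@member1\n' > "$demo/bad.conf"
check_member "$demo/good.rc" "$demo/good.conf" && echo "good files: ok"
check_member "$demo/bad.rc" "$demo/bad.conf" || echo "bad files: fix before restarting syslogd"
```
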

2. To configure syslog-ng, start with the same syslog-ng.conf templates used by the clog_wizard. On one cluster member, copy /opt/dsau/share/clog/templates/syslog-ng.conf.server.template to /etc/syslog-ng.conf.server. Then copy /opt/dsau/share/clog/templates/syslog-ng.conf.client.template to /etc/syslog-ng.conf.client. Both files have tokens named <%token-name%> that are replaced by the wizard based on the administrator's answers to the wizard's questions.

Manually replace the tokens in /etc/syslog-ng.conf.server as follows:
