a. When using the TCP protocol and configuring the consolidation server to consolidate its own syslogs, replace the <%UDP_LOOPBACK_SOURCE%> token with:
source s_syslog_udp { udp(port(514)); };
Replace the <%UDP_LOOPBACK_LOG%> token with:
log { source(s_syslog_udp); destination(d_syslog_tcp); };
This causes the
If using the UDP protocol or not consolidating the local syslogs of this cluster, delete the <%UDP_LOOPBACK_SOURCE%> and <%UDP_LOOPBACK_LOG%> tokens.
b. Replace the <%TYPE%> tokens with either udp or tcp, depending on the log transport to support. Even when using TCP clients, UDP clients are also supported if the consolidation of the cluster’s local syslogs is configured. The <%TYPE%> token appears on multiple lines, and every occurrence must be edited.
c. For the “source s_syslog_<%TYPE%>” line, replace the <%PORT%> and <%KEEP_ALIVE%> tokens with appropriate values:
source s_syslog_<%TYPE%> {<%TYPE%>(port(<%PORT%>)<%KEEP_ALIVE%>); };
For TCP, the port needs to be an available TCP port on all cluster members. See the section “Configuring a Log Consolidation Standalone Server with clog_wizard” (page 46) for a discussion of selecting an available port. For UDP, use port 514.
<%KEEP_ALIVE%> applies only when selecting TCP as the log transport. Replace this token with
d. For the destination d_syslog_<%TYPE%> line, replace the <%IP%> and <%PORT%> tokens:
destination d_syslog_<%TYPE%> { <%TYPE%>("<%IP%>" port(<%PORT%>)); };
For example, for TCP:
destination d_syslog_tcp { tcp("package IP" port(1776)); };
where the <%IP%> is replaced by the clog package IP address or hostname and the <%PORT%> is replaced by the selected TCP port number.
For UDP:
destination d_syslog_udp { udp("package IP" port(514)); };
where <%IP%> is replaced by the clog package IP address or hostname and the <%PORT%> token is replaced by 514, the standard syslog UDP port.
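A check to run on the file after finishing steps a through d, given here as an added example and not taken from the product or its documentation. It looks only at the line shapes shown above; the function name lint, the sample address 192.0.2.10 and both sample configurations are constructed, and the samples leave <%KEEP_ALIVE%> empty.

```python
import re

TOKEN = re.compile(r"<%[A-Z_]+%>")
SOURCE = re.compile(r"source\s+(s_syslog_(udp|tcp))\s*\{\s*(udp|tcp)\(port\((\d+)\)")
DEST = re.compile(r'destination\s+(d_syslog_(udp|tcp))\s*\{\s*(udp|tcp)\("[^"]+"\s+port\((\d+)\)')
LOG = re.compile(r"log\s*\{\s*source\((\w+)\);\s*destination\((\w+)\);")

def lint(text):
    """Return a list of problems found in an edited consolidation template."""
    problems = [f"unreplaced token {t}" for t in sorted(set(TOKEN.findall(text)))]
    # Quotes pasted from a formatted document are not plain ASCII quotes.
    if "\u201c" in text or "\u201d" in text:
        problems.append("typographic quotes found; use plain double quotes")
        text = text.replace("\u201c", '"').replace("\u201d", '"')
    defined = set()
    for rx in (SOURCE, DEST):
        for name, suffix, driver, port in rx.findall(text):
            defined.add(name)
            if suffix != driver:  # a <%TYPE%> occurrence was edited inconsistently
                problems.append(f"{name} uses the {driver} driver")
            if driver == "udp" and port != "514":
                problems.append(f"{name}: UDP port {port}, expected 514")
    paths = LOG.findall(text)
    for ref in sorted({r for pair in paths for r in pair} - defined):
        problems.append(f"log statement references undefined {ref}")
    # Step a: the loopback source and its log statement go in (or out) together.
    if {"s_syslog_udp", "d_syslog_tcp"} <= defined and ("s_syslog_udp", "d_syslog_tcp") not in paths:
        problems.append("s_syslog_udp defined but not logged to d_syslog_tcp")
    return problems

# Constructed samples. 192.0.2.10 stands in for the clog package IP.
GOOD_TCP = """\
source s_syslog_udp { udp(port(514)); };
log { source(s_syslog_udp); destination(d_syslog_tcp); };
source s_syslog_tcp { tcp(port(1776)); };
destination d_syslog_tcp { tcp("192.0.2.10" port(1776)); };
"""
BAD_UDP = """\
<%UDP_LOOPBACK_LOG%>
source s_syslog_udp { udp(port(5140)); };
destination d_syslog_udp { udp(\u201c192.0.2.10\u201d port(<%PORT%>)); };
"""

if __name__ == "__main__":
    for label, cfg in (("GOOD_TCP", GOOD_TCP), ("BAD_UDP", BAD_UDP)):
        print(label, lint(cfg) or "clean")
```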