You can send data from existing facilities to an external syslog server by editing rsyslog.conf. To create a new facility, use the logger application.

Note: If using Red Hat 5 or equivalent (including appliances prior to version 7.7), the configuration file to edit is /etc/syslog. All other steps remain the same.

To send data from existing facilities to an external syslog server:
- First, confirm that transaction logging is enabled and is in the Netscape Extended format. For example, if logging is enabled for extended.log, you should see the size of extended.log increase in a production environment as proxy traffic is logged.
- Next, modify /etc/rsyslog.conf (or /etc/syslog):
- For versions 8.1 and later, add these lines:
# WCG Transaction Logging
- For versions 8.0 and earlier, add these lines. Use one or more <tab> characters to separate the logging facility from the destination address in rsyslog.conf.
# WCG Transaction Logging
- Turn off rate-limiting for rsyslog. Modern Linux distributions ship 'rsyslog', a replacement for 'syslogd' or 'sysklogd'. Starting with version 5.7.1 of rsyslog, a rate-limiting feature was added to the utility. If a given process ID (PID) sends more than 200 messages to /var/log/messages in a 5-second interval (the rsyslog default), rsyslog starts to drop messages from that PID and writes the following warning to /var/log/messages:
Feb 5 13:07:52 plugh rsyslogd-2177: imuxsock begins to drop messages from pid 12105 due to rate-limiting
The solution is to simply turn off rate-limiting for rsyslog. To do this, add the following line to /etc/rsyslog.conf:
- Restart the syslog service so that the changes take effect:
# service rsyslog restart
- Now that you've told syslog where to send messages marked with the local facility number of your choice, you must send the log data to syslog with that facility ID. Use 'tail' to pipe the data to the "logger" command. Note: The & at the end of the logger commands is required; omitting it may break WshunterDomAgent.
tail -F <full_path_to_log_file> | logger -p <chosen_facility_number>.<priority> &
For example: tail -F /opt/WCG/logs/extended.log | logger -p local5.debug &
Note: Use the capitalized "-F" switch in tail commands. This allows it to deal with transaction log rollover.
- To launch the command on each startup, place the above line in the /etc/rc.local file.
- To enable syslogging offbox immediately (without a reboot), the following command can be used:
nohup tail -F /opt/WCG/logs/extended.log | logger -p local5.debug &
This works for other system logs as well, for example:
- nohup tail -F /opt/WCG/logs/extended2.log | logger -p local5.debug &
- nohup tail -F /var/log/messages | logger -p local5.debug &
- nohup tail -F /var/log/hunter/user.log | logger -p local5.debug &
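The procedure above, packaged as an added example in POSIX shell. This is not code from the original article or from the product it describes; it generates the rsyslog.conf lines, the rate-limit directive and the tail | logger command so they can be checked before being applied, and it scans a messages file for the rate-limiting warning so dropped log lines are noticed rather than silently lost. The server name syslog.example.internal and the log excerpt are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article or from the product it
# describes. Host name and the sample messages excerpt are constructed.

# Emit the rsyslog.conf selector that forwards one local facility to the
# external server. rsyslog uses "@host:port" for UDP and "@@host:port" for
# TCP; the selector and destination are separated by a literal tab.
#   $1 facility (local0..local7)   $2 server host
#   $3 port (default 514)          $4 transport: udp (default) or tcp
rsyslog_forward_line() {
    fac="$1"; host="$2"; port="${3:-514}"; proto="${4:-udp}"
    case "$fac" in
        local[0-7]) ;;
        *) echo "unsupported facility: $fac (use local0..local7)" >&2; return 1 ;;
    esac
    if [ "$proto" = "tcp" ]; then prefix="@@"; else prefix="@"; fi
    printf '%s.*\t%s%s:%s\n' "$fac" "$prefix" "$host" "$port"
}

# Legacy-syntax directive that disables imuxsock rate-limiting
# (rsyslog 5.7.1 and later); an interval of 0 switches the limiter off.
rsyslog_disable_ratelimit() {
    printf '$SystemLogRateLimitInterval 0\n'
}

# Count the rate-limiting warnings in a messages file ($1). A non-zero
# count after forwarding is enabled means log lines are being dropped.
ratelimit_drops() {
    grep -c 'imuxsock begins to drop messages' "$1" || :
}

# Return 0 if the log file ($1) is larger than a previously recorded size
# ($2); confirms that transaction logging is actually producing data.
log_grew_since() {
    now=$(wc -c < "$1" | tr -d ' ')
    [ "$now" -gt "$2" ]
}

# Start the tail | logger forwarder for one log file in the background,
# in the same form the article uses (-F follows across log rollover).
#   $1 log path   $2 facility   $3 priority (default debug)
start_forwarding() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    nohup tail -F "$1" | logger -p "$2.${3:-debug}" &
}

# Constructed excerpt of /var/log/messages containing one drop warning.
sample_messages() {
    cat <<'EOF'
Feb  5 13:07:50 plugh logger: constructed proxy transaction line 1
Feb  5 13:07:52 plugh rsyslogd-2177: imuxsock begins to drop messages from pid 12105 due to rate-limiting
Feb  5 13:07:53 plugh logger: constructed proxy transaction line 2
EOF
}

# Demo: print the two configuration lines and scan the constructed excerpt.
rsyslog_forward_line local5 syslog.example.internal 514 udp
rsyslog_disable_ratelimit
tmp=$(mktemp)
sample_messages > "$tmp"
echo "rate-limit drop warnings in sample: $(ratelimit_drops "$tmp")"
rm -f "$tmp"
```

Append the output of rsyslog_forward_line and rsyslog_disable_ratelimit to /etc/rsyslog.conf, restart rsyslog, then call start_forwarding with the transaction log path and the facility you configured. After forwarding has run for a while, ratelimit_drops on /var/log/messages should still return 0; a growing count means the rate-limit directive did not take effect.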