1

Based on the advice from answer that says: Simply adding both servers and always write to both is the easiest one,

we have setup syslog-NG server on two machines that receive same syslog message and store in all_devices.log on both machines(RHEL 7.x).

Below is the configuration on both machines:

@version: 3.17

source s_network {
        udp(
                flags(syslog_protocol)
                keep_hostname(yes)
                keep_timestamp(yes)
                use_dns(no)
                use_fqdn(no)
        );
};

destination d_all_logs {
        file("/app/syslog-ng/custom/output/all_devices.log");

};

log {
        source(s_network);
        destination(d_all_logs);
};

Going further, we would additionally like to forward syslog messages based on filter rules, to a specific consumer, something like this:

log { source(s_network); filter(f_warn); destination(remote_log_server); };

but remote_log_server will receive two messages for every single message, as they are two syslog servers forwarding the same message.

Does Syslog-NG configuration allow de-duplication of two msgs to one syslog message?

Improve this question
2
  • Hi, if I understand correctly, you have two machines that both forward the same message to a third machine, and you want to deduplicate these messages on the third machine. Unfortunately I don't think that's possible. Commented Oct 5, 2018 at 6:45
  • @RobertFekete Yes, two machines.. that both forward the same message to a third machine. Commented Oct 5, 2018 at 13:56

1 Answer 1

Reset to default
2

Syslog-ng does not have support for that. If you need to do a simultaneous forwarding through two servers to a third server and have deduplication there, you'll need to use some other or additional software to perform the deduplication.

In this case, I'd consider the third alternative in answer you linked to - using haproxy to only forward syslog messages to one of the two redundant servers at a time.

Improve this answer
4
  • Are you suggesting this solution? Commented Oct 5, 2018 at 14:31
  • Our setup(Syslog server) currently listens on UDP port 514 for incoming syslog messages, but haproxy talks TCP. So, Can syslog server listen on TCP port 514? Commented Oct 5, 2018 at 14:53
  • 1
    Yes, that's what I meant, and yes, syslog-ng can listen on TCP as well as UDP, and you can choose what port you like for it. Commented Oct 5, 2018 at 16:42
  • Can haproxy listen on UDP port 514? to receive syslog messages from infrastructure? Commented Oct 5, 2018 at 17:14

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.