[prev in list] [next in list] [prev in thread] [next in thread] 

List:       qmail
Subject:    Re: Qmail - Syslog
From:       Kyle Wheeler <kyle-qmail () memoryhole ! net>
Date:       2009-04-20 17:04:08
Message-ID: 20090420170408.GB642 () CPE-65-31-220-231 ! kc ! res ! rr ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday, April 20 at 04:37 PM, quoth Richard Scollon:
> I have successfully configured my qmail installation which works 
> perfectly and logs to /var/log/qmail on the local server.

I'm guessing you set it up to use multilog?

> However I wish to collect all my logs on a central syslog server. I 
> have succeeded in doing this with standard o/s logs but (after 
> trying the same method with the qmail logs) can't get the qmail logs 
> to redirect.

Generally speaking, syslog is just AWFUL. It can lose log messages 
under high-load, which is the entire reason multilog was invented in 
the first place. It's ESPECIALLY bad when forwarding messages to other 
servers. For an in-depth explanation, check here: 
http://blog.gerhards.net/2008/04/on-unreliability-of-plain-tcp-syslog.html 
Here's the key quote:

     No advanced flow control, no tricks, no nothing helped. We can not
     build a reliable solution out of plain tcp syslog. It's simply a
     no-go. ... It's a protocol issue and as such all softwares
     implementing plain TCP syslog have the same shortcoming!

Unfortunately, the suggested alternative there (syslog-ng) can also 
lose messages: 
https://lists.balabit.hu/pipermail/syslog-ng/2004-October/006513.html 
The syslog-ng authors admit that even with the most recent version, 
it's possible to lose log messages: 
http://www.campin.net/syslog-ng/faq.html#lost_messages

That said, you CAN use the program splogger in place of multilog to 
send qmail's logs to syslog, and from there you can have syslog 
forward them to your central server. But like I said, that puts your 
system at risk for losing log messages.

One alternative is to use netcat to pipe log messages from qmail 
across the network to a multilog instance on your central server. I do 
not know how reliable this is, though.

Another way of doing it is to use multilog's post-processing feature 
to send logs to your central server every time it needs to rotate the 
local log files. Your central server won't always have the most 
current logs, but this method is *very* reliable, since logs are kept 
locally "just in case".

I'm sure there are a few other ways, if you're feeling inventive, but 
that's just off the top of my head.

Hope that helps,

~Kyle
- -- 
Most truths are so naked that people feel sorry for them and cover 
them up, at least a little bit.
                                                    -- Edward R. Murrow
-----BEGIN PGP SIGNATURE-----
Comment: Thank you for using encryption!

iEYEARECAAYFAknsqwgACgkQBkIOoMqOI14qjgCfSJufu9ewUBKinPoffqsJ2V4Q
B5cAoOgiVTv22fpPxrxhr/s5cjXdZIpB
=f2Cb
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]