
Thread: Guide: Multi-server logging with openSuSE 10.3 syslog-ng


  1. #1
    Join Date
    Jul 2007
    Location
    Baltimore
    Posts
    1,649
    Rep Power
    11

    Default Guide: Multi-server logging with openSuSE 10.3 syslog-ng

    Thought I'd share my experiences getting logging to work on a multiserver install running openSuSE 10.3 and Zimbra 5.x. Maybe some of these can be integrated into the install script for the next version. These instructions will probably be valid for other 10.x versions of openSuSE but I have not tested it. If anyone has other suggestions, fixes or what not please post them and I will modify to include them.

    For the purposes of this guide, we'll use the following 3 servers

    mta.domain.com - the zimbra-mta server
    ldap.domain.com - the zimbra-ldap server
    mailbox.domain.com - the main mailbox server, also running zimbra-logger and will be the central repository for all the servers' logs

    The first server we want to setup is the mailbox/logger server. You can pretty much throw out the zmsyslogsetup script here. It attempts to use a syslog-ng.conf.in file which according to the syslog-ng.conf in openSuSE 10.3

    Code:
    # NOTE: The SuSEconfig script and its syslog-ng.conf.in
    #       configuration template aren't used any more.
    So open /etc/syslog-ng/syslog-ng.conf with your favorite text editor. The first thing you'll want to do is uncomment (remove the #) the line that says

    Code:
    udp(ip("0.0.0.0") port(514));
    This will allow the other hosts to log to syslog-ng on the logger server. This is equivalent to adding the command line arguments -r -m 0 when you're using the standard syslog. Next, add these lines to the bottom of the file

    Code:
    filter f_local0       { facility(local0); }; # zimbra
    destination zmail { file("/var/log/zimbra.log" owner("zimbra") ); }; # zimbra
    log { source(src); filter(f_mail); destination(zmail); }; # zimbra
    destination local0 { file("/var/log/zimbra.log" owner("zimbra") ); }; # zimbra
    log { source(src); filter(f_local0); destination(local0); }; # zimbra
    filter f_auth       { facility(auth); }; # zimbra
    destination zmauth { file("/var/log/zimbra.log" owner("zimbra") ); }; # zimbra
    log { source(src); filter(f_auth); destination(zmauth); }; # zimbra
    This sets up the necessary logging facilities. Save that file and exit. Now we need to handle the log rotating. Zimbra will have no problem moving the zimbra.log since it has the necessary permissions, but it will not be able to restart the syslog server when it does it, and therefore you'll wind up with a blank zimbra.log until root restarts syslog with its own logrotate process. The first thing you need to do is edit /etc/sudoers; down at the bottom you'll find a few entries for zimbra already. Add this one below them

    Code:
    %zimbra ALL=NOPASSWD:/sbin/rcsyslog restart
    This allows zimbra to restart the syslog daemon. Now edit the file /opt/zimbra/conf/zmlogrotate and find the line that says

    Code:
    /sbin/killall -HUP syslogd 2> /dev/null || true
    change that line to say

    Code:
    sudo /sbin/rcsyslog restart 2> /dev/null || true
    Now as a good test you should su to the zimbra user, and try the command sudo /sbin/rcsyslog restart. If all goes well, it should restart syslog and you should now have a /var/log/zimbra.log with status updates of the mailbox server currently.

    Now onto the other hosts mta and ldap. Open /etc/syslog-ng/syslog-ng.conf

    comment (put a # in front of) the line that says

    Code:
    log { source(src); filter(f_mail); destination(mail); };
    This keeps the system from logging mail stuff from postfix to the local mail log, because you'll want to send it to the logger server. This is only really necessary for the mta server, but I guess if it was going to be integrated into the zmsyslogsetup script you might as well do it for every machine; it won't hurt.

    Next, add these lines at the bottom

    Code:
    destination zmlogger { udp("mailbox.domain.com" port(514) ); }; # zimbra
    log { source(src); filter(f_mail); destination(zmlogger); }; # zimbra
    filter f_local0       { facility(local0); }; # zimbra
    log { source(src); filter(f_local0); destination(zmlogger); }; # zimbra
    filter f_auth       { facility(auth); }; # zimbra
    log { source(src); filter(f_auth); destination(zmlogger); }; # zimbra
    You'll want to change the destination zmlogger statement to be the address of your logger server. Ultimately the zmsyslogsetup script should populate this with the zmLogHostname from the config like it does for the standard syslog setup. Anyway, save this file now and then restart syslog as root. You don't really need to worry about zimbra's logrotate for the other machines as they will not be logging locally anyway and it doesn't matter if it's broken.

    You should now see status/smtp logs from the other hosts on your mailbox/logger server.
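Added example, not from the original post, Zimbra or SUSE: a small Python checker for the logger-side syslog-ng.conf assembled in the guide above. It parses the top-level source/filter/destination/log statements, confirms that every log path references something that is actually defined (a typo there is one way to end up with an empty zimbra.log), reports whether the udp() listener on port 514 is really uncommented, and flags the 0.0.0.0 bind: UDP syslog accepts unauthenticated datagrams from any host that can reach the port, so the logger should only be reachable from the Zimbra hosts. The `src` source and `f_mail` filter in `SUSE_BASE` are a reconstruction of the stock SuSE definitions the guide relies on, and `client_conf()` is a hypothetical stand-in for the zmLogHostname substitution the post says zmsyslogsetup ought to do.

```python
"""Sanity checks for the syslog-ng fragments in the guide (added example)."""
import re

# Reconstructed stand-in for the stock SuSE definitions the guide refers to
# (assumption: the real file defines src and f_mail along these lines).
SUSE_BASE = """\
source src {
    internal();
    unix-dgram("/dev/log");
    # udp(ip("0.0.0.0") port(514));
};
filter f_mail { facility(mail); };
"""

# The lines the guide appends on the mailbox/logger server, verbatim.
ZIMBRA_LOGGER = """\
filter f_local0       { facility(local0); }; # zimbra
destination zmail { file("/var/log/zimbra.log" owner("zimbra") ); }; # zimbra
log { source(src); filter(f_mail); destination(zmail); }; # zimbra
destination local0 { file("/var/log/zimbra.log" owner("zimbra") ); }; # zimbra
log { source(src); filter(f_local0); destination(local0); }; # zimbra
filter f_auth       { facility(auth); }; # zimbra
destination zmauth { file("/var/log/zimbra.log" owner("zimbra") ); }; # zimbra
log { source(src); filter(f_auth); destination(zmauth); }; # zimbra
"""

# Constructed logger-side config: base with the udp() line uncommented.
LOGGER_CONF = SUSE_BASE.replace("# udp(", "udp(") + ZIMBRA_LOGGER

STMT_RE = re.compile(r"^(source|filter|destination|log)\s*(\w*)\s*\{(.*)\}$", re.S)
REF_RE = re.compile(r"\b(source|filter|destination)\((\w+)\)")
UDP_RE = re.compile(r"udp\(\s*ip\(\"([^\"]*)\"\)\s*port\((\d+)\)\s*\)")


def strip_comments(text):
    """Drop '#' to end of line (a quoted '#' is not handled; known limitation)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def split_statements(text):
    """Yield top-level statements: everything up to a ';' at brace depth 0."""
    depth, buf = 0, []
    for ch in strip_comments(text):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            stmt = "".join(buf).strip()
            if stmt:
                yield stmt
            buf = []
        else:
            buf.append(ch)


def parse_conf(text):
    """Index named sources/filters/destinations and the references of each log path."""
    conf = {"source": {}, "filter": {}, "destination": {}, "log": []}
    for stmt in split_statements(text):
        m = STMT_RE.match(stmt)
        if not m:
            continue  # options {} and friends are not needed for these checks
        kind, name, body = m.groups()
        if kind == "log":
            conf["log"].append(REF_RE.findall(body))
        else:
            conf[kind][name] = body
    return conf


def unresolved_references(conf):
    """(kind, name) pairs used in a log path but never defined."""
    return [(kind, name) for refs in conf["log"]
            for kind, name in refs if name not in conf[kind]]


def udp_listeners(conf):
    """(source name, bind address, port) for every enabled udp() driver."""
    return [(name, ip, int(port)) for name, body in conf["source"].items()
            for ip, port in UDP_RE.findall(body)]


def check_logger_conf(text):
    """Run the checks a logger server config should pass before going live."""
    conf = parse_conf(text)
    listeners = udp_listeners(conf)
    warnings = []
    if not listeners:
        warnings.append("no udp() listener: remote hosts cannot deliver logs")
    for name, ip, port in listeners:
        if ip == "0.0.0.0":
            warnings.append(f"source {name}: udp listener on {ip}:{port} accepts "
                            "datagrams from any host; limit reachability to the Zimbra hosts")
    for kind, name in unresolved_references(conf):
        warnings.append(f"log path references undefined {kind} '{name}'")
    return {"listeners": listeners, "warnings": warnings}


def client_conf(loghost, port=514):
    """Client-side lines from the guide with the logger address filled in
    (hypothetical stand-in for zmsyslogsetup reading zmLogHostname)."""
    return f"""\
destination zmlogger {{ udp("{loghost}" port({port}) ); }}; # zimbra
log {{ source(src); filter(f_mail); destination(zmlogger); }}; # zimbra
filter f_local0 {{ facility(local0); }}; # zimbra
log {{ source(src); filter(f_local0); destination(zmlogger); }}; # zimbra
filter f_auth {{ facility(auth); }}; # zimbra
log {{ source(src); filter(f_auth); destination(zmlogger); }}; # zimbra
"""


if __name__ == "__main__":
    for label, text in (("logger", LOGGER_CONF),
                        ("client", SUSE_BASE + client_conf("mailbox.domain.com"))):
        print(label, check_logger_conf(text))
```

Run the checker over the real file with `check_logger_conf(open("/etc/syslog-ng/syslog-ng.conf").read())`; the client fragment on its own reports `src` and `f_mail` as undefined, which is expected, since those come from the stock part of the file, so always check the whole file rather than just the appended lines.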

  2. #2
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    Default

    Thanks for this post!

    We can confirm this also works with SUSE Linux Enterprise Server 10 SP2, which also installs syslog-ng by default.

    We recently expanded a single-server SLES10 ZCS install to a multi-server setup, and this post is what got our aggregated syslog server working for us.

    One suggestion if I may... if you edit /etc/syslog-ng/syslog-ng.conf by hand, SuSEconfig scripts won't modify it at all going forward. Possibly it is safer (or not) to update /etc/syslog-ng/syslog-ng.conf.in and then let SuSEconfig regenerate /etc/syslog-ng/syslog-ng.conf each time SuSEconfig is run.

    Hope that helps,
    Mark

  3. #3
    Join Date
    Jun 2008
    Posts
    6
    Rep Power
    7

    Default

    We started using syslog-ng on our Ubuntu8 box instead of syslogd. I successfully used this to reconfigure our box to work. I was getting the error "logger service not installed" in the zimbra admin interface even though it said the logger service was running.

    The only differences were:

    In all the syslog-ng config files, instead of source(src) I used source(s_all) because that was the source I had already configured to send to my network syslog server.

    In the logrotate file I used /sbin/syslog-ng instead of rcsyslog because on ubuntu8 the rcsyslog did not exist. This also has to be changed in the sudoers file.

    It has been running for a few days now and everything seems to be working properly.

  4. #4
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    Default

    Is syslog-ng the default on a new 8.04 install like it is on SuSE Linux Enterprise Server 10?

    Can anyone respond as to the default logging for an RHEL5 install?

    If syslog-ng is becoming the new standard, perhaps that's the trigger for Zimbra to update their installation scripts to see which syslogging facility is installed and deploy the correct Zimbra syslog scripts accordingly.

    Mark

  5. #5
    Join Date
    Jun 2008
    Posts
    6
    Rep Power
    7

    Default

    No, syslog-ng is not default on ubuntu8. I just like the interface in webmin and the added features. I run syslog-ng on all my servers for forwarding their logs to our central syslog server that runs splunk and syslog-ng. splunk takes care of all our logs except for snort, which puts us over the 500mb/day limit for the free version of splunk. syslog-ng takes care of the snort log.

  6. #6
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    Default

    Quote Originally Posted by bsteimel View Post
    No, syslog-ng is not default on ubuntu8. I just like the interface in webmin and the added features. I run syslog-ng on all my servers for forwarding their logs to our central syslog server that runs splunk and syslog-ng. splunk takes care of all our logs except for snort, which puts us over the 500mb/day limit for the free version of splunk. syslog-ng takes care of the snort log.
    Ah, another Splunk fan! Awesome software...

    Thanks for the reply,
    Mark

  7. #7
    Join Date
    Jul 2006
    Location
    KL, Malaysia
    Posts
    123
    Rep Power
    9

    Default

    This guide saved the day! Upgraded from 5.0.18 to 6.0.5, and the logs died on me for 2 days. Then I found this thread.

    Verified working on my SuSE 10.2.

  8. #8
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    Default

    Updating this thread with info to cover ZCS 6.0.x and SLES10...

    Now that the old ZCS stats logging system has been replaced and there are now two Zimbra log files in /var/log, we found we needed to update /etc/syslog-ng/syslog.conf as follows.

    Also, the newly defined "zimbra_src" didn't work, so we just commented that out and replaced "zimbra_src" in the log lines with the SuSE-defined "src".

    Here's the tail end of the /etc/syslog-ng/syslog.conf file we now use:

    Code:
    #source zimbra_src {  unix-stream("/dev/log"; keep-alive(yes); max-connections(20);); }; # zimbra
    #source zimbra_src { unix-stream("/dev/log" keep-alive(yes)  max-connections(20)); }; # zimbra
    filter zimbra_local0 { facility(local0); }; # zimbra
    filter zimbra_local1 { facility(local1); }; # zimbra
    filter zimbra_auth { facility(auth); }; # zimbra
    filter zimbra_mail { facility(mail); }; # zimbra
    destination zimbra_mail { file("/var/log/zimbra.log" owner("zimbra")); }; # zimbra
    destination zimbra_local1 { file("/var/log/zimbra-stats.log" owner("zimbra")); }; # zimbra
    destination zimbra_local0 { file("/var/log/zimbra.log" owner("zimbra")); }; # zimbra
    destination zimbra_auth { file("/var/log/zimbra.log" owner("zimbra")); }; # zimbra
    log { source(src); filter(zimbra_mail); destination(zimbra_mail); }; # zimbra
    log { source(src); filter(zimbra_local0); destination(zimbra_local0); }; # zimbra
    log { source(src); filter(zimbra_local1); destination(zimbra_local1); }; # zimbra
    log { source(src); filter(zimbra_auth); destination(zimbra_auth); }; # zimbra
    Hope that helps,
    Mark

  9. #9
    Join Date
    Oct 2010
    Posts
    2
    Rep Power
    5

    Default Zimbra audit log

    Hi

    I have read most of the forums, but there is not a lot about forwarding the /opt/zimbra/log* through syslog-ng. I have tried most of the possible solutions presented, but none of them work.

    How do I configure the audit log to go through syslog-ng to a SIEM tool?

    Thanks

  10. #10
    phoenix, Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by ahenneyza View Post
    How do I configure the audit log to go through syslog-ng to a SIEM tool.
    +"how to" +forward +log +"syslog-ng" - Yahoo! Search Results
    Regards


    Bill


