0

Considering the following architecture:

I have a laptop connected to a server over ethernet.
This laptop is configured to send log events with rsyslog to the server; the server is configured to accept those logs and store them in a file that can be used later with log exploitation software.

The problem is, the laptop can sometimes be disconnected to work at a remote location and then be plugged in again several hours later. But I still want to transfer all the local events to the server after reconnection.

My idea at the moment is using the omrelp module for rsyslog and storing the events locally in a disk queue, but I'm not so sure about the behaviour when the syslog server becomes available again. Is there a timeout/limit after which the RELP protocol will not resend the message? Or maybe it is just not appropriate for my case.

The other solution is creating custom scripts to reconcile logs between client and server after the reconnection, but I want to know if there is a better solution.

2
  • There are solutions, but they go into the enterprise segment. Are you ready for this? Commented Feb 1, 2023 at 15:46
  • I have full control over the environment, so if there is an acceptable solution I can take a look at it. Can you explain a little more? Commented Feb 2, 2023 at 9:00

2 Answers

1

Rsyslog provides a queueing mechanism for all actions. The queue stays in memory until too large, or on shutdown, when it moves to disk. You can use it with the normal tcp omfwd forwarding setup, without resorting to omrelp.

Read more about queues, and see the full queue options documentation, or look at the second RedHat example "25.14. Forwarding To a Single Server Using the New Syntax".

If you had legacy syntax like

*.* @@192.168.0.2:514

or the RainerScript version

action(type="omfwd" Target="192.168.0.2" Port="514" Protocol="tcp")

replace it with something like

action(type="omfwd" Target="192.168.0.2" Port="514" Protocol="tcp"
       queue.type="linkedlist"
       queue.filename="stufftoforward"
       action.resumeRetryCount="-1"
       queue.saveOnShutdown="on")
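As an added example (not part of the answer and not rsyslog's own tooling), the following Python script reads a rsyslog configuration and flags omfwd actions that lack the three settings the answer relies on: a queue.filename (so the queue can spill to disk), action.resumeRetryCount="-1" (retry until the server is back) and queue.saveOnShutdown="on" (keep queued events across a restart). It goes slightly beyond the answer by also listing legacy "@@host" lines, which carry no inline queue settings and need converting. The sample config, the default values assumed for missing parameters (resumeRetryCount 0, saveOnShutdown off) and all function names are my own.

```python
import re

# Constructed sample config: one legacy forwarder, one bare action() that loses
# events while the server is unreachable, and one with the disk-assisted queue
# shown in the answer above.
SAMPLE_CONFIG = """
# legacy forwarder: no inline queue settings at all
*.* @@192.168.0.2:514

# RainerScript without a queue: messages are dropped while the server is down
action(type="omfwd" Target="192.168.0.2" Port="514" Protocol="tcp")

# disk-assisted queue, unlimited retries, survives restarts
action(type="omfwd" Target="192.168.0.2" Port="514" Protocol="tcp"
       queue.type="linkedlist"
       queue.filename="stufftoforward"
       action.resumeRetryCount="-1"
       queue.saveOnShutdown="on")
"""

ACTION_RE = re.compile(r'action\s*\((.*?)\)', re.DOTALL)          # action( ... ) blocks
PARAM_RE = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')                 # name="value" pairs
LEGACY_RE = re.compile(r'^[ \t]*\S+[ \t]+@@?\S+', re.MULTILINE)    # selector @host / @@host


def strip_comments(text):
    """Drop '#' comment lines so their text is never parsed as directives."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def parse_actions(text):
    """Return one {parameter: value} dict per action(...) statement."""
    clean = strip_comments(text)
    return [dict(PARAM_RE.findall(m.group(1))) for m in ACTION_RE.finditer(clean)]


def find_legacy_forwarders(text):
    """Return legacy '@host' / '@@host' forwarding lines (no inline queue settings)."""
    return [m.group(0).strip() for m in LEGACY_RE.finditer(strip_comments(text))]


def check_forwarding_action(params):
    """Return the list of buffering problems for an omfwd action; empty means durable."""
    problems = []
    if params.get("type") != "omfwd":
        return problems  # not a forwarder, nothing to check
    if "queue.filename" not in params:
        problems.append("no queue.filename: queue is memory-only and cannot spill to disk")
    # assumed rsyslog default when the parameter is absent: 0 retries
    if params.get("action.resumeRetryCount", "0") != "-1":
        problems.append("action.resumeRetryCount is not -1: action gives up after limited retries")
    # assumed rsyslog default when the parameter is absent: off
    if params.get("queue.saveOnShutdown", "off").lower() != "on":
        problems.append("queue.saveOnShutdown is not on: queued events are lost when rsyslog stops")
    return problems


def audit(text):
    """Return (legacy_lines, [(action_params, problems), ...]) for a config string."""
    return find_legacy_forwarders(text), [(p, check_forwarding_action(p)) for p in parse_actions(text)]


if __name__ == "__main__":
    legacy, results = audit(SAMPLE_CONFIG)
    for line in legacy:
        print(f"LEGACY  {line}: convert to action(...) with queue parameters")
    for params, problems in results:
        target = f'{params.get("Target")}:{params.get("Port")}'
        print(f'{"OK     " if not problems else "UNSAFE "} omfwd -> {target}')
        for problem in problems:
            print(f"         - {problem}")
```

Run it against /etc/rsyslog.conf (or the files under /etc/rsyslog.d/) by replacing SAMPLE_CONFIG with the file contents; anything reported as UNSAFE or LEGACY is a forwarder that will silently drop events during the hours the laptop is unplugged. The check is deliberately simple: it does not follow legacy $ActionQueue* directives or rulesets, so treat a LEGACY line as "needs a manual look", not as proof that buffering is absent.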
1

One possible solution I have in mind is to use Splunk. You install the Universal Forwarder on the client(s) (laptop) and configure it to watch the logs, install the Splunk server (indexer and search head) on the server, configure it and wait for data. If you are not connected, the client waits, and when it "sees" the server it starts forwarding the logs. Later you can do extensive analyses on the logs via the graphical interface.

This solution can also be applied to other machines (clients).

The negative points are:

  1. You have 500MB of logs per day; for more traffic you should buy a license.
  2. I am not sure how well Splunk handles log rotation. AFAIK if rotation happens while offline you may not get the logs from the rotated file (/var/log/messages1 for example). Here is one answer about this subject.
2
  • 1
    Isn't this like using a sledgehammer to crack a nut? Commented Mar 31, 2023 at 10:13
  • 1
    @eDonkey, depends on many details :) Commented Mar 31, 2023 at 10:26
