SysLog Forwarding for XenServer
-
So I'm trying to figure this out, and I think I have it functional, but I honestly haven't the slightest clue if it's working as expected.
I've set up a CentOS VM, and followed this guide here to configure rsyslog.
Then according to this (a little less than 50% down the page) in XC, all I have to do is set the address for the remote log location.
On XS I do have
cat /var/log/kern.log
Aug 11 12:21:42 xenserver-backup kernel: Kernel logging (proc) stopped.
Aug 11 12:21:42 xenserver-backup kernel: Kernel log daemon terminating.
In /var/lib/syslog.conf
I've got this
Shouldn't I have to make some changes (at least according to this guide here I should have to.)
But it doesn't appear I really need to.....Is that it, honestly?
-
I think you only have to make additional changes if you want to stop it logging locally as well.
P.S. Careful!
-
@BRRABill said in SysLog Forwarding for XenServer:
I think you only have to make additional changes if you want to stop it logging locally as well.
P.S. Careful!
Ok, but I want no logging locally, and more importantly, where on the syslog server do I find the logs, as I see nothing "new" or anything that matches what is in the file path for XS.
-
Isn't SysLog supposed to create a matching file path to what is getting pushed from my XS installation?
@scottalanmiller can you enlighten me with this? I've never worked with Syslog before.
-
@DustinB3403 said in SysLog Forwarding for XenServer:
Isn't SysLog supposed to create a matching file path to what is getting pushed from my XS installation?
@scottalanmiller can you enlighten me with this? I've never worked with Syslog before.
I honestly had nothing but trouble in doing anything with their logs.
But I'll be following along.
-
For my XenServer (still 6.5), I actually started up the XenCenter app. Right click on the server -> properties -> click log destination on left -> click remote on right and enter the rsyslog server ip.
-
@travisdh1 said in SysLog Forwarding for XenServer:
For my XenServer (still 6.5), I actually started up the XenCenter app. Right click on the server -> properties -> click log destination on left -> click remote on right and enter the rsyslog server ip.
Which I've done that, but where on the syslog VM would I actually see the logs being created? What should I modify in the /var/lib/syslog.conf file on XenServer?
-
@DustinB3403 said in SysLog Forwarding for XenServer:
@travisdh1 said in SysLog Forwarding for XenServer:
For my XenServer (still 6.5), I actually started up the XenCenter app. Right click on the server -> properties -> click log destination on left -> click remote on right and enter the rsyslog server ip.
Which I've done that, but where on the syslog VM would I actually see the logs being created? What should I modify in the /var/lib/syslog.conf file on XenServer?
When I did that, I forwarded them to a VM running Splunk, and it showed right up.
-
@BRRABill said
When I did that, I forwarded them to a VM running Splunk, and it showed right up.
In fact, I've done so much, I forgot to re-enable that. Just did, and it showed right up again.
Just set the option in XC, and that was it. Immediately showed up in my Splunk install.
8/12/16 1:49:16.000 PM
Aug 12 13:49:16 10.0.4.20 Aug 11 13:49:37 xenserver-test-reinstall xapi: [debug|xenserver-test-reinstall|33 dbflush [/var/lib/xcp/state.db]||sql] XML backend [/var/lib/xcp/state.db] -- Write buffer flushed. Time: 0.020193
host = 10.0.4.20 source = udp:514 sourcetype = linux_messages_syslog

8/12/16 1:49:14.000 PM
Aug 12 13:49:14 10.0.4.20 Aug 11 13:49:35 xenserver-test-reinstall xcp-rrdd-xenpm: [debug|xenserver-test-reinstall|0 ||xcp-rrdd-xenpm] Found 4 states; with 2 CPUs this means 2 states per CPU
host = 10.0.4.20 source = udp:514 sourcetype = linux_messages_syslog

8/12/16 1:49:14.000 PM
Aug 12 13:49:14 10.0.4.20 Aug 11 13:49:35 xenserver-test-reinstall xcp-rrdd-xenpm: [debug|xenserver-test-reinstall|0 ||xcp-rrdd-xenpm] Process 3237 exited normally with code 0
-
So now I need a VM with splunk as well?
Or can I use my CentOS Rsyslog Vm as well?
-
@DustinB3403 said in SysLog Forwarding for XenServer:
@travisdh1 said in SysLog Forwarding for XenServer:
For my XenServer (still 6.5), I actually started up the XenCenter app. Right click on the server -> properties -> click log destination on left -> click remote on right and enter the rsyslog server ip.
Which I've done that, but where on the syslog VM would I actually see the logs being created? What should I modify in the /var/lib/syslog.conf file on XenServer?
By default, everything goes in /var/log/messages. If you want to find things for just one host name
sudo cat /var/log/messages | grep 'hostname'
I'm now understanding why @scottalanmiller likes binary logs instead of ascii. That messages file grows quickly.
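An added example, not part of the original post or thread: shell functions for the rsyslog VM that answer "is it working?" by listing every sending host found in the combined file with its line count and last timestamp, then breaking one host down by program. The sample lines are constructed, `rsyslog-vm` is a hypothetical collector name, and the traditional `Mon DD HH:MM:SS host tag: msg` layout is assumed.

```shell
#!/bin/sh
# Added example: check which hosts are actually landing in the collector's
# combined log. Assumes the traditional "Mon DD HH:MM:SS host tag: msg" layout.

# Print "host line_count last_timestamp" for every sending host in FILE.
summarize_senders() {
    awk 'NF >= 5 {
             n[$4]++
             last[$4] = $1 " " $2 " " $3
         }
         END { for (h in n) printf "%s %d %s\n", h, n[h], last[h] }' "$1" | sort
}

# Print "count program" for one HOST, busiest first (PID suffix stripped).
programs_for_host() {
    awk -v host="$2" '$4 == host {
             tag = $5
             sub(/:$/, "", tag)
             sub(/\[[0-9]+\]$/, "", tag)
             n[tag]++
         }
         END { for (t in n) printf "%d %s\n", n[t], t }' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample lines (not real logs), using host names from this thread.
make_sample() {
    cat > "$1" <<'EOF'
Aug 12 13:49:01 rsyslog-vm sshd[2101]: Accepted publickey for admin
Aug 12 13:49:14 xenserver-test-reinstall xcp-rrdd-xenpm: Found 4 states
Aug 12 13:49:14 xenserver-test-reinstall xcp-rrdd-xenpm: Process exited normally
Aug 12 13:49:16 xenserver-test-reinstall xapi: Write buffer flushed
Aug 12 13:50:02 xenserver-backup kernel: Kernel logging (proc) stopped.
EOF
}

sample=$(mktemp)
make_sample "$sample"
summarize_senders "$sample"
programs_for_host "$sample" xenserver-test-reinstall
rm -f "$sample"
```

On a real collector, pass `/var/log/messages` instead of the sample file; a XenServer host that is missing from the summary, or whose last timestamp is stale, is not forwarding.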
-
@travisdh1 That does show a lot of information, which is scrolling very quickly!
I guess it works
-
So if that works, then I need to set up an easy way to view these messages..
Is splunk the go to solution for this?
-
@DustinB3403 said in SysLog Forwarding for XenServer:
So if that works, then I need to set up an easy way to view these messages..
Is splunk the go to solution for this?
I used Splunk because it is free and easy. (For me.)
I tried setting up a few other things, and gave up. (Like loggly.) I want to get back to other logging stuff some day, but it works for me.
-
Splunk is free only for very small sizes. Once your logs grow or you have more than a few servers you normally overrun the free part.
-
So what would be a good aggregation tool to be able to view the logs?
If Splunk stops at a tiny level..... I won't bother with it.
-
@DustinB3403 said in SysLog Forwarding for XenServer:
So what would be a good aggregation tool to be able to view the logs?
If Splunk stops at a tiny level..... I won't bother with it.
500MB per day.
-
@BRRABill said in SysLog Forwarding for XenServer:
@DustinB3403 said in SysLog Forwarding for XenServer:
So what would be a good aggregation tool to be able to view the logs?
If Splunk stops at a tiny level..... I won't bother with it.
500MB per day.
yeah that's worthless......
-
@DustinB3403 said
yeah that's worthless......
You'll want to avoid logg.ly before someone recommends it, then. That is 200MB per day.