Upgrade the OS of a syslog-ng or rsyslog server


I run a RHEL server with rsyslog to collect my network logs, and after receiving a security bulletin alert I have to upgrade this server.

What is the strategy to upgrade this machine, knowing that many other machines' logs depend on it, and that an OS update may mean we are faced with many reboots?

What is the behaviour of the other machines when rsyslog is not running?

NB: I should add that the syslog clients are appliances, some kind of SMG.
And as is known, the appliances are limited on the configuration side and in tuning parameters.

Solution:

In this case, when you are maintaining your log server, you have to find an alternative way to store your log messages. You can:

  • install a new server and redirect log traffic to this server during the maintenance (depending on how you store your log messages, you might need to move the files from this server to the original afterwards)
  • have the clients store the messages during server maintenance: syslog-ng Open Source Edition 3.9 supports disk buffers that can store messages temporarily on disk if the server is not available. You could upgrade your clients to this version and configure disk buffering
  • if you don't want to or cannot upgrade your clients, you can combine the two previous options and create a relay that collects the messages from the clients and forwards them to the server, but uses a disk buffer during the server outage.

As always, it depends…

The traditional syslog protocol, based on UDP, is best effort. If the remote syslog server is not able to receive the syslog events, the transmitting syslog server(s) can't detect that, and during that period all transmitted events are lost; no attempt is made to transmit them again.

If both your syslog-ng server and all your transmitting syslog server(s) use the more advanced TCP protocol version, they can detect that the remote syslog server has closed the connection. Depending on the syslog daemon, events might be buffered and transmitted later…
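The relay option from the first answer and the UDP-versus-TCP point from the second can be combined in one syslog-ng configuration. The following is an added example written for this page, not configuration from either answer or from the syslog-ng project: a relay that accepts the appliances' traffic on UDP and TCP port 514, forwards it to the central server over TCP, and keeps messages in a reliable disk buffer while that server is being rebooted. The hostname `logserver.example.com`, the buffer directory and the buffer sizes are assumed values to adjust for your site; the `disk-buffer()` options shown are the ones documented for syslog-ng OSE 3.8 and later.

```conf
# syslog-ng relay configuration (added example; assumed values marked below)
@version: 3.9
@include "scl.conf"

# Accept the appliances' logs. Most appliances can only send UDP, so both
# transports are offered on the standard port; the relay itself must stay up
# for the UDP hop to be lossless, so reboot the relay and the central server
# at different times.
source s_appliances {
    network(ip("0.0.0.0") port(514) transport("udp"));
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Forward to the central server over TCP so a closed connection is detected.
# While the server is down, messages are queued on local disk instead of
# being dropped: reliable(yes) writes every message to the buffer file before
# acknowledging it to the source, so a relay crash does not lose queued data.
destination d_central {
    network(
        "logserver.example.com"          # assumed: your central log server
        port(514)
        transport("tcp")
        disk-buffer(
            reliable(yes)
            mem-buf-size(100000000)      # assumed: 100 MB in-memory part (bytes)
            disk-buf-size(2000000000)    # assumed: 2 GB on-disk queue (bytes)
            dir("/var/lib/syslog-ng/disk-buffer")   # assumed: persistent, not tmpfs
        )
    );
};

# flow-control lets the destination's buffer push back on the TCP source
# instead of silently discarding messages once the queue is full.
log {
    source(s_appliances);
    destination(d_central);
    flags(flow-control);
};
```

Size `disk-buf-size()` from the relay's peak message rate multiplied by the longest outage you expect (an OS upgrade with several reboots, not a single restart), and put the buffer directory on persistent storage. During the server maintenance window, `syslog-ng-ctl stats` on the relay shows the destination's `queued` counter growing and `dropped` staying at zero; once the server is back, `queued` drains and the server should receive the backlog with its original timestamps. UDP clients still lose messages if the relay itself is unreachable, which is why the relay is upgraded in its own, separate window.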
