Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
 Distributed Systems Administration Utilities User's Guide > Chapter 3 Consolidated Logging

Log Consolidation Configuration
» 

Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Index

spacerspacerspacer
spacer
spacer
  		 
 

The following sections describe how to configure log consolidation servers and log forwarding clients. Configuring a consolidation server is a multi-step process. The clog_wizard tool vastly simplifies the configuration process. If you choose not to use the wizard, the manual configuration steps are also described below.

Configuring Log Consolidation Server in Cross-Subnet Cluster Environments

In a cluster environment, if all the nodes are within the same subnet, then you can configure a server within that cluster environment as the log consolidation server.

However, in a cross-subnet cluster environment, the log consolidation server must be an external system, preferably a quorum server, outside the cross-subnet cluster. You can configure a cross-subnet cluster only as a log forwarding client, with an external system acting as the log consolidation master server. After you configure an external system as the log consolidation master server, the cross-subnet cluster nodes can be configured as log forwarding clients.

Using the Log Consolidation Wizard

The Log Consolidation Wizard is installed as /opt/dsau/sbin/clog_wizard. The wizard supports creating the following configurations:

  • a standalone log consolidation server

  • a highly-available log consolidation server for use within a single Serviceguard cluster (intra-cluster use only)

  • a highly-available log consolidation server for use by the local Serviceguard cluster and remote systems, including Serviceguard cluster clients

  • a standalone system forwarding logs to a remote log consolidation server

  • a Serviceguard cluster forwarding logs to a remote log consolidation server

Choose the appropriate configuration option.

The wizard detects whether you are running on a standalone system or a Serviceguard cluster.

IMPORTANT: When you run the clog_wizard on a cross-subnet cluster, the system prompts you to respond to the following question:

Do you want to configure log consolidation? (y/n) [y]:

If you respond with y, the system displays a message indicating that the log consolidation master server must be an external system outside the cross-subnet cluster, and prompts you to enter the hostname or the IP address of the log consolidation server.

If the log consolidation server is not configured outside the cross-subnet cluster, then you must configure an external system, preferably a quorum server, as the log consolidation master server and later proceed to run the clog_wizard on the cross-subnet cluster node.

When running the wizard on a Serviceguard cluster, the default is to set up clog as a highly available service (Serviceguard package). The administrator must provision the storage environment for the package and the required package IP address and DNS name registration. The wizard supports LVM storage configurations. Non-LVM configurations must be done manually. The required package information that the wizard requires is listed in the following table.

Table 3-3 Configuration Data for clog_wizard

Configuration DataExampleYour Value

LVM volume group

/dev/vgclog 

Logical volume

/dev/vgclog/lvol1 

Filesystem mount point

/clog 

Mount options

-o rw, largefiles

 

Filesystem type

vxfs 

Package IP Address (a registered DNS name)

192.10.25.12 

Package subnet

192.10.25.0 

Free ports for tcp and ssh

1775

 

 

Configuring a Log Consolidation Standalone Server with clog_wizard

To start the log consolidation wizard, issue the following command:

/opt/dsau/sbin/clog_wizard

For a standalone system, the wizard first displays introductory paragraphs explaining log consolidation and then asks:

Do you want to configure log consolidation? (y/n) [y]:

Answer yes (y) or press Enter. The next question is:

You can configure this system hostname as either a:
        - Consolidation server
        - Client that forwards logs to a remote consolidation server
Do you want to configure hostname as a Consolidation
Server? (y/n) [y]:

Answer yes (y). The wizard then prompts:

Enter the fully qualified directory where the consolidated logs should be stored []:

It is typically best to select a dedicated filesystem for the consolidated logs. Since consolidated logs like syslog can grow rapidly, HP also recommends that the filesystem be configured for “largefiles.” For this example, a filesystem named “/clog” is used.

Next, the wizard prompts for the client’s transport:

You can choose to have the clients forward logs to this consolidation server using either the UDP protocol or the TCP protocol (recommended).
Do you want to use the TCP protocol? (y/n) [y]:

Selecting TCP does not necessarily preclude the use of UDP forwarded log messages by clients. Whether the log consolidator allows TCP log messages exclusively, depends on whether the system is consolidating its own local syslog file. See below for details.

You need to choose a free port on this system for receiving logs. The port chosen should be free on all cluster nodes. Note: When configuring log consolidation on the clients, this port will need to be specified. Enter the TCP port to be used for receiving logs [1776]:

There is no reserved port for the TCP transport of syslog-ng. Any port that is not in use can be chosen. HP recommends that the administrator choose a port from the reserved range, that is, ports below 1024. Only privileged processes on a remote system can connect to privileged ports. This provides only a weak security guarantee because it implies that the administrator trusts the remote system. See the ssh section in the log forwarding client section for establishing stronger security guarantees “Manually Configuring a Standalone Log Forwarding Client”.

The /etc/services file documents the well-known reserved ports. When choosing a reserved port, the wizard will check both /etc/services and use “netstat -an” to check that the port is not in use.

Note that syslogd uses UDP port 514. TCP port 514 is reserved for use by remsh. remsh is not a secure protocol and is disabled at many sites. If remsh has been disabled on the consolidator, you could use TCP port 514. This has the advantage that it is a privileged port and it is the same as the UDP port number so it is easy to remember and manage. However, if the administrator changes the system to re-enable the use of remsh, syslog-ng would have to be reconfigured to use a new port and all the client systems that forward to this system would have to be updated.

Unlike UDP, TCP is a connection-oriented protocol. Each log forwarding client using TCP will have a connection to the log consolidation server. In order to avoid denial of service attacks, the default number of TCP connections accepted by syslog-ng is limited to 10 connections. For larger numbers of clients, edit the consolidation server’s /etc/syslog-ng.conf.server file. Find the TCP source line in the file:

source s_syslog_tcp { tcp(port(tcp_port) keep-alive(yes));};

and add a max-connections() attribute as follows:

source s_syslog_tcp { tcp(port(tcp_port) keep-alive(yes) max-connections(N)); };

where N is the expected number of clients.

Next, the wizard prompts for which local logs should be consolidated:

Log files that reside on this system can be consolidated.

Would you like to consolidate this system's syslogs? (y/n) [y]:

Answering yes places this log consolidation system’s own local syslog data in the consolidated log along with the client system's syslog data. To preserve the priority and facility of syslog entries, UDP local loopback is used, and syslog is configured to also forward entries to its local UDP port 514. syslog-ng is configured to read from this port. Thus, consolidating this system’s syslogs allows clients to also connect to this log consolidation server via UDP port 514, even if TCP transport is specified earlier. If you choose not to consolidate this system’s syslogs, then choosing a TCP transport earlier will require that all log forwarding clients be configured to use the TCP transport. The wizard displays a summary of all the configuration choices made by the administrator:

Summary of Log Consolidation Configuration:        You have chosen to configure hostname as a Log        Consolidation Server.        Logs will be forwarded from the remote consolidation        clients to local port 1776 using the TCP protocol.        The consolidated logs will be stored under directory:                /clog        The following logs from the local system will be        consolidated:               Syslog

If these choices are correct, continue:

Do you want to continue? (y/n) [y]: y

The wizard displays its progress by describing which files are being modified and warns that Ctrl/C is disabled until configuration is done. For a complete description of the modified files, refer to “Manually Configuring Log Consolidation”.

Copying files that will be modified by the wizard to /var/opt/dsau/root_tmp/clog. These files will be used to restore the system to its current log consolidation configuration, in the event of a failure. Configuring hostname as a log consolidation server. Creating the /etc/syslog-ng.conf.server configuration file. Creating a symbolic link from /etc/syslog-ng.conf to the /etc/syslog-ng.conf.server configuration file. Creating /etc/rc.config.d/syslog-ng, the log consolidation configuration file. Updating the syslog configuration: Updating the /etc/rc.config.d/syslogd file to add   -N SYSLOGD_OPTS. This stops syslogd from listening to UDP port 514. Updating the /etc/syslog.conf file for UDP local loopback. Starting syslogd for the configuration changes to take effect. Registering the log consolidation ports in the /etc/services file. Starting syslog-ng. Successfully configured hostname as a log consolidation server.

Configuring a Serviceguard Cluster as a Log Consolidation Server with clog_wizard

When running the clog_wizard (see clog_wizard(1M)) in a cluster, first make sure that all the cluster members are up and available. The wizard needs to perform configuration operations on each member. It only needs to be run once, from any member of the cluster. If you run the wizard more than once, additional prompts may appear.

The wizard will set up and create a Serviceguard package for the consolidated logging service. Make sure that this cluster’s MAX_CONFIGURED_PACKAGES value can accommodate the additional package. For more information on this setting, please refer to the Managing Serviceguard manual which is part of the Serviceguard documentation set.

The wizard first displays introductory paragraphs explaining log consolidation (wizard output may wrap differently from what is shown here):

Consolidated logging (clog) lets you combine the log entries from multiple remote systems into a single file. This feature is used to consolidate syslog data from several systems. Each remote system continues to write entries to its local syslog.log and additionally forwards the entries to the consolidating host. The systems forwarding log entries are consolidation clients. The system to which they send entries is the consolidation server. In addition to syslog data, clog can also consolidate arbitrary text log files. In a Serviceguard cluster, clog can help you automate package log file consolidation. Log consolidation is especially useful in a Serviceguard cluster, because it enables you to look at a single consolidated file instead of the per-member logs. The clog wizard needs to be run only once in the cluster and not on each cluster member. All cluster members should be up when running this wizard. clog_wizard will prompt you for information to configure log file consolidation. Some questions display a default answer in square brackets. If you press <Return/Enter>, the clog_wizard uses the default answer. Press “Enter” to continue... Press Enter. Querying the system cluster_member for current status, one moment...

The next prompt is:

You can configure this cluster clustername as either a: - Consolidation server - Client that forwards logs to a remote consolidation server Do you want to configure cluster_member as a Consolidation Server? (y/n) [y]: To configure this cluster as a log consolidation server, the wizard will create a Serviceguard package called “clog”. The package requires the following: - Dedicated storage for failover between cluster members. The consolidated logs will be stored here. This includes an LVM volume group, LVM logical volume, a filesystem, filesystem mount point, and the desired mount options. this storage infrastructure needs to be configured cluster-wide before proceeding. - An IP address and subnet address pair for the package. IPv4 or IPv6 addresses can be used. The IP address should be registered in DNS, if this cluster will consolidate logs from remote clients. This should be appropriately configured on each cluster member before proceeding with the consolidation server configuration.

Answer yes (y).

In a cluster, the wizard configures syslog-ng to be highly available using a Serviceguard package. For consolidated logging, the package name is clog. The LVM storage configuration and network configuration for the package must be set up before continuing or before running the wizard. For additional details, refer to the section “Creating a Storage Infrastructure with LVM” in the chapter “Building an HA Cluster Configuration,” in the Managing Serviceguard manual.

NOTE: The wizard only supports creating packages based on LVM volume groups. When using CFS or VxVM, manual configuration is required. See the section “Manually Configuring Log Consolidation” for details.

The wizard prompts for the following, all of which should have already been configured:

  1. LVM volume group name (for example, /dev/vgclog).

  2. Logical volume in the volume group (for example, /dev/vgclog/lvol1).

  3. The filesystem’s mount point (for example, /clog).

  4. The filesystem’s mount options (for example, –o rw,largefiles). The mount options are used verbatim in the Service package control script’s FS_MOUNT_OPT[0] field. Note that the mount options must agree with the filesystem you created on the logical volume. For example, if the filesystem was created with largefiles support, the largefiles mount option should be specified. Since consolidated logs tend to be large, it is recommended to configure VxFS filesystems with the largefiles option.

  5. The filesystem type (for example, vxfs).

  6. The package IP address. This should also be a registered DNS name so the log forwarding is easy to configure on client systems.

  7. The package subnet. (Use the netstat -i command to determine the proper subnet.)

Next, the wizard prompts for the clients' transport.

You can choose to have the clients forward logs to this consolidation server using either the UDP or the TCP protocol (recommended). Do you want to use the TCP protocol? (y/n) [y]: y You need to choose a free port on this cluster for receiving logs. The port chosen should be free on all cluster nodes. Note: When configuring log consolidation on the clients, this port will need to be specified. Enter the TCP port to be used for receiving logs []: 1776

Note that selecting TCP does not necessarily preclude the use of UDP forwarded log messages by clients. Whether the log consolidator allows TCP log messages exclusively depends on whether the system is consolidating its own local syslog file. See below for details.

When answering Yes to TCP, you must select a free TCP port. This port must be free on all cluster members. See the section “Configuring a Log Forwarding Client Using clog_wizard” using the clog_wizard for details on choosing a TCP port.

Next the wizard prompts for which local logs should be consolidated:

Log files that reside on this cluster can be consolidated. Would you like to consolidate this cluster's syslogs? (y/n) [y]: Would you like to consolidate this cluster's package logs? (y/n) [y]:

In a Serviceguard cluster, you can consolidate all the member-specific syslog files into a single consolidated syslog containing syslog.log, mail.log and syslog-ng.log. Each member-specific package log can also be consolidated.

Note that if you choose to consolidate the cluster’s syslogs, the remote clients can also forward UDP syslog messages to the cluster, regardless of the answer to the “Do you want to use the TCP protocol” question. If you choose not to consolidate this cluster’s syslogs, then choosing a TCP transport earlier requires that all log forwarding clients be configured to use the TCP transport.

The consolidated logs are placed in the filesystem associated with the package. Using the example above, the consolidated syslog.log would be located here:

/clog/syslog/syslog.log,mail.log,syslog-ng.log

The consolidated package logs would be located here:

/clog/package/package1.log,package2.log, ...,packageN.log

The wizard now has all the data it needs to configure the consolidated logging package. It displays a summary confirmation screen and then performs the configuration:

Summary of Log Consolidation Configuration:        You have chosen to configure clustername as a Log Consolidation Server.        Logs will be forwarded from the remote consolidation clients to local port port_number using the TCP protocol.        For high availability the Serviceguard package "clog" will be        configured with the following attributes:              Volume Group: /dev/vgclog              Logical Volume: /dev/vgclog/lvol1              Filesystem: /clog              Mount Options: -o rw,largefiles              Filesystem Type: vxfs              IP Address: 192.10.25.12              Subnet: 192.10.25.0        The following logs on this cluster will be consolidated:              Syslog              Serviceguard package logs Do you want to continue? (y/n) [y]: ******* WARNING!!!! ******** To protect against possible corruption of sensitive configuration files, control-c has been disabled for the remainder of this configuration. Copying files that will be modified by the wizard to /var/opt/dsau/root_tmp/clog on each cluster node. These files will be used to restore the cluster to its current log consolidation configuration, in the event of a failure. Configuring cluster_member as a log consolidation server. The configuration will be done on all cluster nodes. It will take a few minutes.... Creating the /etc/syslog-ng.conf.server configuration file. Creating the /etc/syslog-ng.conf.client configuration file. Creating a symbolic link from /etc/syslog-ng.conf to the /etc/syslog-ng.conf.client configuration file. [Halting the "clog" Serviceguard package if it is up.]
Creating /etc/rc.config.d/syslog-ng, the log consolidation configuration file. Updating the syslog configuration:    Updating the /etc/rc.config.d/syslogd file to add -N to SYSLOGD_OPTS. This stops syslogd from listening to UDP port 514.    Updating the /etc/syslog.conf file for UDP local loopback.    Starting syslogd for the configuration changes to take effect.
Registering the log consolidation ports in the /etc/services file. Starting syslog-ng. Setting up the log consolidation server to be highly available. Configuring the "clog" Serviceguard package. Applying the "clog" Serviceguard package configuration file. This will take a moment. Starting the "clog" Serviceguard package. This will take a few moments... The "clog" Serviceguard package has been started on cluster_member. Successfully created the "clog" Serviceguard package. Successfully configured cluster_member as a log consolidation server.

Cluster Configuration Notes for clog

In a Serviceguard cluster, the adoptive node for the clog package performs the log consolidation functions. All the other cluster members participate as log forwarding clients and send log messages to the relocatable IP address of the clog package.

DSAU maintains two configuration files that control whether the instance of syslog-ng on a particular cluster member operates as a consolidation server or a log forwarding client: /etc/syslog-ng.conf.server and /etc/syslog-ng.conf.client. The symbolic link /etc/syslog-ng.conf points to one of the configuration files. When the cluster is booted, all the members start as log forwarding clients with syslog-ng running on each member. The /sbin/init.d/syslog-ng startup script sets the symbolic link /etc/syslog-ng.conf to point to /etc/syslog-ng.conf.client.

When the clog package starts, the adoptive node restarts that instance of syslog-ng as a log consolidation server instance. The package script resets the /etc/syslog-ng.conf symbolic link to point to /etc/syslog-ng.conf.server. If the clog package is halted, the symlink is changed to point to /etc/syslog-ng.conf.client and the syslog-ng instance on that member restarted. Note that when a cluster is a log consolidation server, and the package is down, no log consolidation occurs and forwarded log messages are lost.

Cluster members can forward log messages to the consolidator using either UDP or TCP. Within a Serviceguard cluster, ssh port forwarding is not used. ssh port forwarding can be used to secure the log traffic forwarded by remote clients outside the cluster. For additional information, refer to “ssh Port Forwarding”.

Serviceguard Automation Features

The Distributed Systems Administration Utilities require Serviceguard 11.17 or later. With Serviceguard 11.17 or later, when members are added to or deleted from cluster or packages are added and deleted, the DSAU consolidated logging tools will automatically take the appropriate configuration actions. Specifically:

  • When adding a member to the cluster, the new member is automatically configured to participate in log consolidation according to the cluster’s configuration. The following files are automatically configured on the added member:

    • /etc/rc.config.d/syslog-ng

    • /etc/rc.config.d/syslogd

    • /etc/syslog.conf

    • /etc/syslog-ng.conf.client, /etc/syslog-ng.conf.server, and the /etc/syslog-ng.conf symbolic link

    • /etc/services

  • When deleting a member from a cluster:

    • The member is still configured as a log-forwarding client and will continue to forward syslog messages to the cluster if that option had been chosen during the initial run of the clog_wizard. If the system should no longer forward log messages to the cluster, rerun the wizard to configure the system to forward to a different consolidator, or disable log consolidation entirely. Refer to “Disabling Log Consolidation” for additional information.

    • The package logs on the deleted member are still monitored until a reboot. Since this member is no longer part of the cluster, the package logs will not be active.

  • When adding or deleting a package, the following automated actions occur:

    • The package is added to or deleted from /etc/syslog-ng.conf.server cluster-wide. There is a reserved section of these files dedicated for use by the DSAU tools. The configuration stanzas added in this section direct syslog-ng to filter package log messages into the appropriate consolidated package logs.

    • The clog_tail log monitor adds or deletes the package log file from its list of files to monitor.

Minimizing Message Loss During Failover

When there is a failure on the adoptive node, it takes a finite amount of time for the clog package to fail over to another cluster member. The longer this failover time, the more likely that messages could be lost from the consolidated log. Use the following guidelines to minimize message loss during failover.

  • Configure clients to use the TCP transport instead of the UDP transport. UDP messages will be lost unconditionally when the package is down. The TCP protocol contains retry mechanisms, congestion control, and so on, that help minimize message loss.

  • syslog-ng can buffer TCP messages on the client side. The number of messages buffered is controlled by the syslog-ng log_fifo_size() setting. This sets an upper limit on the number of messages that can be buffered. The default/etc/syslog-ng.conf() file sets log_fifo_size to 10000.

  • syslog-ng has a time_reopen() option to configure the time to wait before a dead connection is reestablished. The /etc/syslog-ng.conf file has time_reopen() set to 10 seconds.

  • Serviceguard offers various configuration options to improve failover times such as HEARTBEAT_INTERVAL and NODE_TIMEOUT. Serviceguard Extension for Faster Failover (SGeFF) is also available to optimize failover times for two-node clusters. Since syslog-ng itself starts quickly, SGeFF is an ideal candidate for improving failover times and minimizing message loss.

Configuring a Log Forwarding Client Using clog_wizard

There are two ways to configure a log forwarding client: as a standalone machine or as a Serviceguard cluster. When configuring a cluster as a log forwarding client, all the members of the cluster will be configured identically as clients. The wizard asks the same questions and performs the same configuration actions for single systems and for clusters. The examples below show use of the clog wizard on a Serviceguard cluster. After starting clog_wizard, answer “yes” to the following question:

Do you want to configure log consolidation? (y/n) [y]:

or press Enter. The next question is:

You can configure this cluster cluster_member as either a: - Consolidation server - Client that forwards logs to a remote consolidation server Do you want to configure cluster_member as a Consolidation Server? (y/n) [y]: n

Answer “No” here. At this point you are configuring a log forwarding client. The wizard displays the following:

You now need to specify which system will be the consolidator. If the consolidator is a Serviceguard cluster, specify the IP address of the "clog" Serviceguard package for this question. The "clog" package makes log consolidation highly available on the consolidator. The consolidation server must already be configured. Enter the hostname or IP address of the consolidator []: clog.usa.xyz.com

After entering the hostname or IP address of the log consolidation server, the wizard asks if you want to use the TCP transport when forwarding log messages:

You can choose to forward logs to the consolidator using either the UDP protocol or the TCP protocol (recommended). Do you want to use the TCP protocol? (y/n) [y]:

Standard syslogd forwards messages using the UDP protocol. UDP is a high-performance, broadcast-oriented protocol with no flow control or message delivery verification. syslog-ng supports syslogd’s UDP protocol and a TCP protocol. The TCP transport offers both flow control and message delivery checks. However, since TCP is a connection-oriented protocol, it requires additional resources on the log consolidation server. The consolidation server’s max-connections() attribute must be set according to the maximum number of expected clients. Refer to the section “Configuring a Log Consolidation Standalone Server with clog_wizard” for a discussion of the max-connections() setting.

If you answer “yes” to using TCP, the next question asks for the TCP port to forward messages to:

Ask the administrator of the consolidation server which TCP port was configured for receiving logs. Enter the TCP port configured on the CONSOLIDATOR for receiving logs []: 1776

You must use the TCP port selected by the system administrator of the log consolidation server. If the clog_wizard was used to configure the server, the port number is saved in /etc/rc.config.d/syslog-ng as the variable CLOG_TCP_PORT. In this example, TCP port 1776 was used. If you answer “yes” to the TCP question, the following question is displayed:

The TCP protocol can be used together with Secure Shell port forwarding to enhance security. Each member of this cluster must already have non interactive Secure Shell Authentication set up with the consolidator. You can use the tool /opt/dsau/bin/csshsetup to configure non interactive Secure Shell Authentication. Do you want to configure Secure Shell port forwarding? (y/n) [y]:

Choose yes in order to use ssh port forwarding. This will encrypt all the traffic sent from this local log forwarding client to the log consolidator.

NOTE: A special ssh security configuration is required on the server when a Serviceguard cluster is the log consolidation server. For details, refer to “ssh Port Forwarding”.

ssh port forwarding requires an additional free TCP port on the local client system:

You need to choose a free port on this cluster for ssh port forwarding. The port chosen should be free on all cluster nodes.

Enter the ssh port to be used for port forwarding []: 1775

The same guidelines for choosing a free syslog-ng TCP port apply to this port. For details, refer to “Configuring a Log Consolidation Standalone Server with clog_wizard”. In this example, the local port 1775 was used. For a Serviceguard cluster log forwarding client, the cluster’s syslogs and package logs can be forwarded to the log consolidation server. For a standalone system, the wizard asks only about forwarding syslog messages:

Log files that reside on this cluster can be forwarded to the consolidator. Would you like to forward this cluster's syslogs? (y/n) [y]: Would you like to forward this cluster's package logs? (y/n) [y]:

When forwarding a cluster’s package logs, manual configuration is required on the consolidation server in order to add the syslog-ng filtering lines to cause these package logs to be consolidated into their own unique files. See “Manually Configuring a Serviceguard Cluster as a Log Forwarding Client” for details.

After all the questions have been answered, the clog_wizard displays the following summary screen:

Summary of Log Consolidation Configuration:        You have chosen to configure clustername as a Log Consolidation Client.        Logs will be forwarded to the remote consolidation server        clog.usa.xyz.com on port 1776 using the TCP protocol.        The TCP protocol will be used together with Secure Shell        Port Forwarding using port 1775, for added security.        The following logs will be forwarded for consolidation:             Syslog             Serviceguard package logs Do you want to continue? (y/n) [y]:

Confirm your answers with a “yes” response and the wizard summarizes the configuration steps that it performs:

Copying files that will be modified by the wizard to /var/opt/dsau/root_tmp/clog on each cluster node. These files will be used to restore the cluster to its current log consolidation configuration, in the event of a failure. Configuring clustername as a log consolidation client. The configuration will be done on all cluster nodes. It will take a few minutes.... Creating the /etc/syslog-ng.conf.client configuration file. Creating a symbolic link from /etc/syslog-ng.conf to the /etc/syslog-ng.conf.client configuration file.
Creating /etc/rc.config.d/syslog-ng, the log consolidation configuration file. Updating the syslog configuration: Updating the /etc/rc.config.d/syslogd file to add -N to SYSLOGD_OPTS. This stops syslogd from listening to UDP port 514. Updating the /etc/syslog.conf file for UDP local loopback. Starting syslogd for the configuration changes to take effect.
Registering the log consolidation ports in the /etc/services file. Starting syslog-ng. Successfully configured clustername as a log consolidation client.

For additional information on the configuration actions performed by the clog_wizard, refer to “Manually Configuring a Serviceguard Cluster as a Log Consolidation Server”.

Manually Configuring Log Consolidation

If you choose not to use the Consolidated Logging Wizard, use the following sections for the manual steps required to configure a log consolidation server and log forwarding clients. Because there are many steps required to set up clients and servers, HP recommends using the clog_wizard.

Manual configuration is required for the following cases:

  • When a cluster is a log forwarding client and forwarding package logs, manual configuration is required on the consolidation server (standalone or cluster) to filter the package logs appropriately.

  • When configuring a Serviceguard Cluster as a log consolidator and you require:

    • Special customization of the clog package

    • Use of VxVM instead of LVM

    • Use of the Cluster File System (CFS)

It is often simplest to run the wizard and let it complete the basic configuration and then customize, starting from that point.

The following sections describe the steps required to configure log consolidation systems manually. The systems you can configure manually are:

  • Standalone log consolidation server

  • Serviceguard cluster log consolidation server

Manually Configuring a Standalone Log Consolidation Server

Start by configuring the standard syslogd to co-exist with a syslog-ng consolidator. By default, syslogd listens for incoming log messages on UDP port 514. If you want to accept UDP syslog messages from remote clients or consolidate this server’s local syslogs, syslog-ng must listen on UDP port 514. Edit /etc/rc.config.d/syslogd and change SYSLOGD_OPTS to add the -N switch, which prevents syslogd from listening on port 514. For example:

SYSLOGD_OPTS=“-D -N”

If you want the local syslog messages from the log consolidation server itself to be part of the consolidated syslog, edit the consolidator’s /etc/syslog.conf file to forward log messages to port 514 on the local host where they will be read by syslog-ng. Using the HP-UX default /etc/syslog.conf as an example, add the following lines:

mail.debug                @log-consolidation-server *.info;mail.none          @log-consolidation-server

where log-consolidation-server is the fully qualified domain name of the consolidation server. The name must be fully qualified or syslogd will not forward the messages properly.

NOTE: There must be a <tab> before each @ sign.

If you have customized syslog.conf, make sure to add the forwarding lines for your customizations as well.

syslogd must be stopped and restarted for these changes to take effect, using the following commands:

# /sbin/init.d/syslogd stop

# /sbin/init.d/syslogd start

With syslogd appropriately configured, now configure syslog-ng.

Start with the same syslog-ng.conf templates used by the clog_wizard. Copy /opt/dsau/share/clog/templates/syslog-ng.conf.server.template to /etc/syslog-ng.conf.server. This file has tokens named <%token-name%> that are replaced by the wizard based on the administrator’s answers to the wizard’s questions.

Replace the tokens as follows:

  • When using the TCP protocol and configuring the consolidation server to consolidate its own syslogs, replace the <%UDP_LOOPBACK_SOURCE%> token with:

    source s_syslog_udp { udp(port(514)); };

    Replace the <%UDP_LOOPBACK_LOG%> token with:

    log { source(s_syslog_udp); destination(d_syslog_tcp); };

    This causes the syslog-ng consolidator to read the local syslogd’s UDP messages and send them to syslog-ng on the local TCP port. Optionally, the destination could be set to be the local consolidation file directly, (destination(d_syslog) in this default template), but this configures the consolidation server client components in the same manner as a remote client. In other words, when the consolidator is a client of itself, it’s configured identically to remote clients.

    If using the UDP protocol or not consolidating the local syslogs of this server, delete the<%UDP_LOOPBACK_SOURCE%> and <%UDP_LOOPBACK_LOG%> tokens.

  • Replace the <%TYPE%> tokens with either udp or tcp depending on the desired log transport to support. Note that even when using TCP clients, UDP clients are also supported if the consolidation of the server’s local syslogs is configured. There are multiple lines with the <%TYPE%> token and all must be edited appropriately.

  • For the “source s_syslog_<%TYPE%>” line, replace the <%PORT%> and<%KEEP_ALIVE%> tokens with appropriate values, as follows:

    source s_syslog_<%TYPE%> { <%TYPE%>(port(<%PORT%>) <%KEEP_ALIVE%>); };

    For TCP, the port needs to be an available TCP port. See section “Configuring a Log Consolidation Standalone Server with clog_wizard” for a discussion of selecting an available port. For UDP, use port 514.

    <%KEEP_ALIVE%> applies only when selecting TCP as the log transport. Replace this token with “keep-alive(yes) ” which instructs syslog-ng to keep connections open when it is rereading its configuration file. If using UDP, delete this token.

  • For the “destination d_syslog_<%TYPE%>” line, replace the <%IP%> and<%PORT%> tokens:

    destination d_syslog_<%TYPE%> { <%TYPE%>(“<%IP%>” port(<%PORT%>)); };

    For example, for TCP: 

    destination d_syslog_tcp { tcp(“local_hostname” port(1776)); };

    where the <%IP%> is replaced by the server’s IP address or local hostname and the <%PORT%> is replaced by the selected TCP port number.

    For UDP:

    destination d_syslog_udp { udp(“local_hostname” port(514)); }
    where <%IP%> is replaced by the server’s IP address or local hostname and the <%PORT%> token is replaced by 514, the standard syslog UDP port.

  • Replace the<%FS%> token with the filesystem or directory where the consolidated logs will be kept. For example,

    destination d_syslog { file(“<%FS%>/syslog/syslog.log”); };

    becomes:

    destination d_syslog { file(“/clog/syslog/syslog.log”); };

    Make sure that this directory exists or the appropriate filesystem is mounted. Since consolidated logs can grow quite large, HP recommends that this filesystem use the largefiles option and that there is sufficient room for growth.

  • When using TCP, record the port number you choose above in the /etc/services file. For example, add the line:

    clog_tcp 1776/tcp # Consolidated logging with syslog-ng

  • Create the following symbolic link:

    ln -sf /etc/syslog-ng.conf.server /etc/syslog-ng.conf

  • The syslog-ng startup procedure, /sbin/init.d/syslog-ng, relies on several configuration variables. Edit /etc/rc.config.d/syslog-ng as follows:

    • Change the CLOG_CONFIGURED line to:

      CLOG_CONFIGURED=1

    • Add the following lines:

      CLOG_CONSOLIDATOR=1
CLOG_FS=directory where the consolidated logs will be stored

      If using the TCP protocol, add:

      CLOG_TCP=1 CLOG_TCP_PORT=tcp port chosen for log consolidation

      otherwise, if using the UDP protocol, add:

      CLOG_TCP=0

      If consolidating the local syslogs, add:

      CLOG_SYSLOG=1

      otherwise add:

      CLOG_SYSLOG=0

      For a standalone consolidator, add the following:

      CLOG_SYSTEM_LOG_CONSOLIDATION_DIR=<consolidated log directory/syslog>
CLOG_SERVICEGUARD_PACKAGE_LOG_CONSOLIDATION_DIR=<consolidated log directory/packages>

    • Add the following two values that are used by the System Log Viewer:

      CLOG_LAYOUTS_DIR=/var/opt/dsau/layouts CLOG_ADDITIONAL_LOG_DIRS[0]=/var/adm/syslog

  • Test the configuration by performing the following steps:

    1. Run /opt/dsau/sbin/syslog-ng with the -s or --syntax-only option to verify the syntax of the /etc/syslog-ng.conf file. This should be a symbolic link to /etc/syslog-ng.conf.server as described previously.

    2. Start syslog-ng using /sbin/init.d/syslog-ng start.

    3. If consolidating the local syslogs, use logger test-message and make sure this message is in the consolidated syslog.log. If you are not consolidating the local logs, use the logger command from a log forwarding client. Note that the logger messages are first sent to the local syslog which forwards them to syslog-ng. syslogd by default suppresses duplicate messages. If you issue multiple logger test messages, make sure each is unique.

Manually Configuring a Serviceguard Cluster as a Log Consolidation Server

Configuring a Serviceguard cluster as a log consolidation server is similar to the steps for a single system. All cluster members must be up and accessible before proceeding.

Create the configuration files described below on every cluster member. The simplest approach is to configure one member completely and then copy each configuration file cluster-wide. The cexec and ccp tools can simplify replicating changes cluster-wide.

For a cluster configuration, syslog-ng is configured as a package so the log consolidation service is highly available. The package must be named clog and the package configuration files require the following information:

  • Registered IP address and DNS name for the clog package

  • The subnet associated with that IP address

  • Cluster-wide storage configuration using LVM or VxVM

  • A filesystem configured on the cluster-wide storage, that can be VxFS or CFS. Since consolidated logs grow rapidly, HP recommends that the filesystem be configured using the largefiles option and that there is room for growth.

Complete IP address registration and storage/filesystem configuration before continuing. For additional information on creating the Serviceguard storage/filesystem configuration for a package, refer to the Managing Serviceguard manual.

For an overview of how to configure consolidated logging in a cluster, see the section “Cluster Configuration Notes for clog”.

  1. If you want the local syslog messages for the cluster itself to be part of the consolidated syslog, complete the following tasks:

    1. Start by configuring the standard syslogd to co-exist with a syslog-ng consolidator. By default, syslogd listens for incoming log messages on UDP port 514. To use the UDP protocol or consolidate this server’s local syslogs, syslog-ng must listen on UDP port 514. Edit/etc/rc.config.d/syslogd and change SYSLOGD_OPTS to add the -N switch to prevent syslogd from listening on port 514. For example:

      SYSLOGD_OPTS=“-D -N”

    2. Edit the/etc/syslog.conf file to forward log messages to UDP port 514 on the local host where they will be read by syslog-ng. Using the HP-UX default /etc/syslog.conf as the example, add the following lines:

      mail.debug              @log-consolidation-server *.info;mail.none        @log-consolidation-server

      where log-consolidation-server is the fully qualified domain name of the local cluster member. The name must be fully qualified or syslogd will not forward messages properly.

      If you have customized syslog.conf, make sure to add the forwarding lines for your customizations as well.

    3. Since /etc/rc.config.d/syslogd is generic, it can be distributed cluster-wide using ccp, as follows:

      # cpp /etc/rc.config.d/syslogd /etc/rc.config.d/

    4. The /etc/syslog.conf is specific to each member and the edits described previously must be performed on each cluster member.

    5. Once you have made the above changes on each cluster member, syslogd must be restarted for these changes to take effect. Use cexec to do this on all members of the cluster:

      # cexec “/sbin/init.d/syslogd stop;/sbin/init.d/syslogd start”

  2. To configure syslog-ng, start with the same syslog-ng.conf templates used by the clog_wizard. On one cluster member, copy

    /opt/dsau/share/clog/templates/syslog-ng.conf.server.template

    to /etc/syslog-ng.conf.server. Then copy an 

    /opt/dsau/share/clog/templates/syslog-ng.conf.client.template

    to /etc/syslog-ng.conf.client. Both files have tokens named <%token-name%> that are replaced by the wizard based on the administrator’s answers to the wizard’s questions.

    Manually replace the tokens in /etc/syslog-ng.conf.server as follows:

    1. When using the TCP protocol and configuring the consolidation server to consolidate its own syslogs, replace the <%UDP_LOOPBACK_SOURCE%> token with:

      source s_syslog_udp { udp(port(514)); };

      Replace the <%UDP_LOOPBACK_LOG%> token with: 

      log { source(s_syslog_udp); destination(d_syslog_tcp); };

      This causes the syslog-ng consolidator to read the local syslogd’s UDP messages and send them to syslog-ng on the local TCP port. Optionally, the destination could be set to be the local consolidation file directly (destination(d_syslog) in this default template), but the above configuration sets the consolidation server client components in the same manner as a remote client. In other words, when the consolidator is a client of itself, it is configured identically to remote clients.

      If using the UDP protocol or not consolidating the local syslogs of this cluster, delete the <%UDP_LOOPBACK_SOURCE%> and <%UDP_LOOPBACK_LOG%> tokens.

    2. Replace the <%TYPE%> tokens with either udp or tcp depending on the desired log transport to support. Note that even when using TCP clients, UDP clients are also supported, if the consolidation of the cluster’s local syslogs is configured. There are multiple lines with the <%TYPE%> token and all must be edited appropriately.

    3. For the “source s_syslog_<%TYPE%>” line, replace the <%PORT%> and <%KEEP_ALIVE%> tokens with appropriate values:

      source s_syslog_<%TYPE%> {<%TYPE%>(port(<%PORT%>)<%KEEP_ALIVE%>); };

      For TCP, the port needs to be an available TCP port on all cluster members. See the section “Configuring a Log Consolidation Standalone Server with clog_wizard” for a discussion of selecting an available port. For UDP, use port 514.

      <%KEEP_ALIVE%> applies only when selecting TCP as the log transport. Replace this token with “keep-alive(yes)” which instructs syslog-ng to keep connections open when it is rereading its configuration file. If using UDP, delete this token.

    4. For the destination d_syslog_<%TYPE%> line, replace the <%IP%> and <%PORT%> tokens:

      destination d_syslog_<%TYPE%> { <%TYPE%>(“<%IP%>” port(<%PORT%>)); };

      For example, for TCP:

      destination d_syslog_tcp { tcp(“package IP” port(1776)); };

      where the <%IP%> is replaced by the clog package IP address or hostname and the <%PORT%> is replaced by the selected TCP port number.

      For UDP:

      destination d_syslog_udp { udp(“package IP” port(514)); };

      where <%IP%> is replaced by the clog package IP address or hostname and the <%PORT%> token is replaced by 514, the standard syslog UDP port.

    5. Replace the <%FS%> token with the filesystem or directory where the consolidated logs will be kept. This filesystem/directory is the one managed by the Serviceguard package. For example:

      destination d_syslog { file(“<%FS%>/syslog/syslog.log”); };

      becomes:

      destination d_syslog { file(“/clog/syslog/syslog.log”); };

      Make sure that this filesystem mount point exists cluster-wide and that the storage fails over correctly cluster-wide. Since consolidated logs can grow quite large, HP recommends that this filesystem use the largefiles option and that there is sufficient room for growth.

      For additional information on creating the Serviceguard storage/filesystem configuration for a package, refer to the Managing Serviceguard manual.

  3. Manually replace the tokens in /etc/syslog-ng.conf.client as follows:

    1. If configuring the cluster to consolidate its own syslogs, replace the <%UDP_LOOPBACK_SOURCE%> token with:

      source s_syslog_udp { udp(port(514)); };

      Replace the <%UDP_LOOPBACK_LOG%> token with:

      log { source(s_syslog_udp); destination(d_syslog_<type>); };

      where <type> is either tcp or udp depending on the desired log transport. This causes syslog-ng to read the local syslogd’s UDP messages and send them to the log consolidation server.

      If you do not want to consolidate the local syslogs of this cluster, delete the <%UDP_LOOPBACK_SOURCE%> and <%UDP_LOOPBACK_LOG%> tokens.

    2. Replace all the <%TYPE%> tokens with either tcp or udp depending on the desired log transport.

    3. Find the line: “destination d_syslog_<%TYPE%>{ <%TYPE%>(“<%IP%>”port(<%PORT>%>)); };.

      Replace <%IP%> with the IP address of the clog package. For TCP, replace <%PORT%> with the TCP port used for log forwarding (selected above). For UDP, replace <%PORT%> with 514, the standard UDP port.

  4. The syslog-ng startup procedure, /sbin/init.d/syslog-ng, relies on several configuration variables. Edit /etc/rc.config.d/syslog-ng as follows:

    1. Change the CLOG_CONFIGURED line to:

      CLOG_CONFIGURED=1

    2. Add the following lines:

      CLOG_CONSOLIDATOR=1

      If using the TCP protocol, add:

      CLOG_TCP=1
CLOG_TCP_PORT=tcp port chosen for log consolidation

      otherwise, if using the UDP protocol, add:

      CLOG_TCP=0

      If consolidating the local syslogs, add:

      CLOG_SYSLOG=1

      otherwise, add:

      CLOG_SYSLOG=0

      If consolidating package logs of this cluster, add:

      CLOG_PACKAGE=1

      otherwise

      CLOG_PACKAGE=0

    3. Add the following two values which are used by the System Log Viewer:

      CLOG_LAYOUTS_DIR=/var/opt/dsau/layouts CLOG_ADDITIONAL_LOG_DIRS[0]=/var/adm/syslog

  5. All the files edited thus far need to be distributed cluster-wide:

    # ccp /etc/syslog-ng.conf.server /etc/ # ccp /etc/syslog-ng.conf.client /etc/ # ccp /etc/rc.config.d/syslog-ng /etc/rc.config.d/

  6. When using TCP, record the port number you chose above in the /etc/services file. For example, add the line:

    clog_tcp 1776/tcp # Consolidated logging with syslog-ng

    Add this line to /etc/services for each member of the cluster.

Creating the clog Package

To create the consolidated logging or clog package, start by copying the package templates:

# mkdir /etc/cmcluster/clog
# cd /etc/cmcluster/clog
# cp /opt/dsau/share/serviceguard/templates/clog.conf.template clog.conf
# cp /opt/dsau/share/serviceguard/templates/clog.script.template clog
# chmod +x clog

Both the clog.conf package configuration file and the clog package control script need to be edited to replace marker tokens with the correct values.

For clog.conf, there is only one token to replace, <%SG_PKG_SUBNET%>. This identifies the package’s subnet. It is the same as the subnet value in the package control script. Use netstat -i to help identify the proper subnet for the package’s IP address.

For the package control script, clog, make the changes described below.

The default script template assumes you are using an LVM-based storage configuration. Replace the volume group/filesystem related tokens as appropriate for the package’s storage configuration as follows:

  1. Find the line “VG[0]=“<%SG_PKG_VOL_GRP%>”” and replace the token with the name of the VM volume group for the package. For example:

    VG[0]=“vgclog”

    If using VxVM, comment out the LVM Volume Group line VG[0]=”<%SG_PKG_VOL_GRP%>”. Uncomment the line “VXVM_DG[0]=” and put in the VxVM Disk Group.

  2. Find the line “LV[0]=“<%SG_PKG_LOG_VOL%>”” and replace the token with the full name of the logical volume. For example:

    LV[0]=“/dev/vgclog/lvol1”

  3. Find the line “FS[0]=“<%SG_PKG_FS%>”” and replace the token with the name of the filesystem created for this package. For example:

    FS[0]=“/clog”

    All the consolidated logs will reside on this filesystem. The specific location for the consolidated package logs and the consolidated syslogs is specified in the /etc/syslog-ng.conf.server file. Using /clog as the example, the default locations based on the template /etc/syslog-ng.conf.server file are:

    /clog/syslog/syslog.log /clog/packages/package name.log

  4. Find the line “FS_MOUNT_OPT[0]=“<%SG_PKG_MNT_OPT%>”:” and replace the token with the filesystem’s mount options. For example:

    FS_MOUNT_OPT[0]=-o rw,largefiles

  5. Find the line “FS_TYPE[0]=“<%SG_PKG_FS_TYPE%>”” and replace the token with the filesystem type. For example:

    FS_TYPE[0]=vxfs

  6. Find the line “FS_UMOUNT_OPT[0]=“<%SG_PKG_FS_UMOUNT_OPT%>”” and replace the token with any filesystem umount options. The token can be removed and this option left blank if there are no special umount options. For example:

    FS_UMOUNT_OPT[0]=“

  7. Find the line “FS_FSCK_OPT[0]=“<%SG_PKG_FS_FSCK_OPT%>”” and replace the token with any filesystem specific fsck options. The token can be deleted and this option left blank. For example:

    FS_FSCK_OPT[0]=

  8. Find the line “IP[0]=“<%SG_PKG_IP%>”” and replace the token with the IP address of the clog package. For example:

    IP[0]= 192.119.152.3

  9. Find the line “SUBNET[0]=“<%SG_PKG_SUBNET%>”” and replace the token with the subnet for the packages IP address. Use netstat -i to help determine the subnet. For example:

    SUBNET[0]= 192.119.152.0

You next need to distribute the package files cluster-wide. To do this, perform the following steps:

  1. First, create the package directory on all the other members:

    # cexec mkdir /etc/cmcluster/clog

  2. Copy the package control script and package ASCII configuration file:

    # ccp clog clog.conf /usr/local/cmcluster/conf/clog/

  3. Update the /etc/rc.config.d/syslog-ng file, by adding the following lines:

    CLOG_PKG_VOL_GRP=LVM-volume-group CLOG_PKG_LOG_VOL=logical-volume(full path) CLOG_PKG_FS=filesystem mount point where the consolidated logs are stored CLOG_PKG_MNT_OPT=file systems mount options such as -o rw,largefiles CLOG_PKG_FS_TYPE=file system type CLOG_PKG_IP=IP address of the clog package CLOG_PKG_SUBNET=subnet of the clog package’s IP address CLOG_SYSTEM_LOG_CONSOLIDATION_DIR=file system mount point/syslog CLOG_SERVICEGUARD_PACKAGE_LOG_CONSOLIDATION_DIR=file system mount point/packages CLOG_PKG_RETRY_TIMES=1 CLOG_PKG_MONITOR_INTERVAL=5

  4. Distribute it cluster-wide:

    # ccp /etc/rc.config.d/syslog-ng /etc/rc.config.d/
Testing and Starting the clog Package

Before starting the package, test the configuration thus far:

  1. Run /opt/dsau/sbin/syslog-ng with the -s or --syntax-only option to verify the syntax of the/etc/syslog-ng.conf.server and/etc/syslog-ng.conf.client files. For the package’s adoptive node, a symbolic link will be created named /etc/syslog-ng.conf and this symbolic link will point to the .server file. For the remaining cluster members, the symbolic link will point to the.client file. Since the package is not yet running, use syslog-ng to check each file explicitly as follows:

    # /opt/dsau/sbin/syslog-ng --syntax-only --cfgfile /etc/syslog-ng.conf.server # /opt/dsau/sbin/syslog-ng --syntax-only --cfgfile /etc/syslog-ng.conf.client

    If all the edits have been applied correctly, no errors should be displayed.

  2. Start syslog-ng on each cluster member. Each syslog-ng will start as a log forwarding client:

    # cexec /sbin/init.d/syslog-ng start

    Use the cluster-wide ps command, cps, to validate that all the daemons started correctly:

    # cps -ef │ grep syslog-ng

    You should see a syslog-ng daemon running on each cluster member.

  3. Create the clog package:

    # cd /etc/cmcluster/clog/ # cmapplyconf -P clog.conf

    Serviceguard will validate the package configuration and report any errors. Correct any errors and try again.

  4. Start the clog package:

    # cmmodpkg -e clog

    Then use cmviewcl to make sure it is running:

    # cmviewcl -p clog

    If there are problems running the package, check the /etc/cmcluster/clog/clog.log files on each member to help troubleshoot the problem.

  5. Validate that log forwarding is working properly. If consolidating the cluster’s local syslogs, use “logger test-message” and make sure this message is in the consolidated syslog.log. If you are not consolidating local logs, use the logger command from a log forwarding client.

    Note that logger messages are first sent to the local syslogd, which forwards them to syslog-ng. By default, syslogd suppresses duplicate messages. If you issue multiple logger test messages, make sure each is unique. The logger message should appear in the consolidated syslog.log located in the directory specified in the /etc/syslog-ng.conf.server file. For the examples above, that directory would be /clog/syslog/syslog.log.

    If consolidating package logs for this cluster, any package actions that generate package log information, such as a package failover, should cause a consolidated package log to appear in /clog/packages.

Using VxVM Instead of LVM

The default clog package script template assumes that you are using LVM based storage. To use VxVM storage instead, you must edit the clog package script under /usr/local/cmcluster/conf/clog/clog. Comment out the LVM Volume Group line “VG[0]=“xxx””, uncomment the line “VXVM_DG[0]=”, and enter the VxVM Disk Group.

Manually Configuring Log Forwarding Clients

You can configure either a standalone system or a Serviceguard cluster as log forwarding clients. You can also manually configure Serviceguard package logs as if they were syslog data. For each case, you set up both syslogd and syslog-ng.

Manually Configuring a Standalone Log Forwarding Client

  1. Start by configuring the standard syslogd to co-exist with a syslog-ng forwarder.

    1. By default, syslogd listens for incoming log messages on UDP port 514. If you want to forward this system's syslogs, syslog-ng must listen on UDP port 514. Edit /etc/rc.config.d/syslogd and change SYSLOGD_OPTS to add the-N switch which prevents syslogd from listening on port 514. For example:

      SYSLOGD_OPTS=“-D -N”

    2. Edit the system’s /etc/syslog.conf file to forward log messages to port 514 on the local host where they will be read by syslog-ng. Using the HP-UX default /etc/syslog.conf as the example, add the following lines:

      mail.debug              @fully qualified hostname *.info;mail.none        @fully qualified hostname

      where fully qualified hostname is the fully qualified hostname of this system. The name must be fully qualified or syslogd will not forward the messages properly.

      If you have customized syslog.conf, make sure to add the forwarding lines for your customizations as well.

    3. Stop and restart syslogd for these changes to take effect:

      # /sbin/init.d/syslogd stop # /sbin/init.d/syslogd start

  2. To configure syslog-ng, start with the same syslog-ng.conf templates used by the clog_wizard.

    Copy /opt/dsau/share/clog/templates/syslog-ng.conf.client.template to /etc/syslog-ng.conf.client. This file has tokens named <%token-name%> that are replaced by the wizard based on the administrator’s answers to the wizard’s questions.

    Manually replace the tokens in /etc/syslog-ng.conf.client as follows:

    1. If configuring the system to forward its syslogs to the consolidation server, replace the <%UDP_LOOPBACK_SOURCE%> token with:

      source s_syslog_udp { udp(port(514)); };

      Replace the <%UDP_LOOPBACK_LOG%> token with:

      log { source(s_syslog_udp); destination(d_syslog_type); };

      where type is either tcp or udp depending on the desired log transport. This causes syslog-ng to read the local syslogd’s UDP messages and send them to the log consolidation server. If you do not want to consolidate the local syslogs of this system, delete the <%UDP_LOOPBACK_SOURCE%> and <%UDP_LOOPBACK_LOG%> tokens.

    2. Replace all the <%TYPE%> tokens with either tcp or udp depending on the desired log transport.

    3. Find the line

      “destination d_syslog_<%TYPE%>{<%TYPE%>(“<%IP%>” port(<%PORT%>)); };”

      If using the UDP protocol, replace <%IP%> with the IP address of the log consolidation server and <%PORT%> with 514, the standard UDP port.

      If using the TCP protocol with ssh port forwarding, replace <%IP%> with 127.0.0.1 and <%PORT%> with the port chosen for ssh port forwarding. The same guidelines for choosing a free syslog-ng TCP port apply to this port. For details, refer to “Configuring a Log Consolidation Standalone Server with clog_wizard”.

      Non-interactive secure shell authentication must be set up between this system and the log consolidator (you can use the /opt/dsau/bin/csshsetup tool for the configuration). For details, refer to “ssh Port Forwarding”.

      If using the TCP protocol without ssh port forwarding, replace <%IP%> with the IP address of the log consolidation server and <%PORT%> with TCP port chosen on the log consolidator used for log consolidation.

    4. Create the following symbolic link:

      ln -sf /etc/syslog-ng.conf.client /etc/syslog-ng.conf

  3. The syslog-ng startup procedure, /sbin/init.d/syslog-ng, relies on several configuration variables. Edit /etc/rc.config.d/syslog-ng as follows:

    1. Change the CLOG_CONFIGURED line to:

      CLOG_CONFIGURED=1

    2. Add the following lines:

      CLOG_CONSOLIDATOR=0 CLOG_CONS_IP=IP address of the log consolidator

    3. If using the TCP protocol add the following lines:

      CLOG_TCP=1 CLOG_TCP_PORT=log consolidation server tcp port

      If using ssh port forwarding add:

      CLOG_SSH=1 CLOG_SSH_PORT=ssh port chosen

      otherwise , use:

      CLOG_SSH=0

      otherwise, if using the UDP protocol, use:

      CLOG_TCP=0

      If consolidating the local syslogs, use:

      CLOG_SYSLOG=1

      otherwise, use:

      CLOG_SYSLOG=0

  4. When using TCP with ssh port forwarding, record the ssh port number you chose above in the /etc/services file. For example, add the line:

    clog_ssh 1776/tcp # Consolidated logging with ssh port forwarding

    Add this line to the /etc/services file of this system.

  5. Test the configuration by performing the following steps:

    1. Run/opt/dsau/sbin/syslog-ng with the -s or --syntax-only option to verify the syntax of the /etc/syslog-ng.conf file. This should be a symbolic link to /etc/syslog-ng.conf.client as described above.

    2. Start syslog-ng using the following command:

      # /sbin/init.d/syslog-ng start

    3. If consolidating the local syslogs, use “logger test-message” and make sure this message is in the consolidated syslog.log on the log consolidation server. Note that the logger messages are first sent to the local syslog which forwards them to syslog-ng. By default, syslogd suppresses duplicate messages. If you issue multiple logger test messages, make sure each is unique.

Manually Configuring a Serviceguard Cluster as a Log Forwarding Client

Configuring a Serviceguard cluster as a log forwarding client is similar to configuring a single system. All cluster members must be up and accessible before proceeding. You will first configure syslogd, then syslog-ng.

Create the configuration files described below on every cluster member. The simplest approach is to completely configure one member and then copy each configuration file cluster-wide. The cexec and ccp tools can simplify replicating changes cluster-wide.

  1. If you want the syslog messages for the cluster to be forwarded to the log consolidator, do the following:

    1. Start by configuring the standard syslogd to co-exist with a syslog-ng forwarder. By default, syslogd listens for incoming log messages on UDP port 514. To forward this cluster’s syslogs, syslog-ng must listen on UDP port 514. Edit /etc/rc.config.d/syslogd and change SYSLOGD_OPTS to add the-N switch; this prevents syslogd from listening on port 514. For example,

      SYSLOGD_OPTS=“-D -N”

    2. Edit the system’s /etc/syslog.conf file to forward log messages to port 514 on the local host where they will be read by syslog-ng. Using the HP-UX default /etc/syslog.conf as the example, add the following lines:

      mail.debug @fully qualified hostname *.info;mail.none @fully qualified hostname

      where fully qualified hostname is the fully qualified hostname of this cluster member. This name must be fully qualified or syslogd will not forward the messages properly.

      If you have customized syslog.conf, make sure to add the forwarding lines for your customizations as well.

    3. Stop and restart syslogd as follows for these changes to take effect:

      # /sbin/init.d/syslogd stop # /sbin/init.d/syslogd start

    4. Since /etc/rc.config.d/syslogd is generic, it can be distributed cluster-wide using ccp:

      # cpp /etc/rc.config.d/syslogd /etc/rc.config.d/

    5. The /etc/syslog.conf is specific to each member and the edits described above must be performed on each cluster member.

    6. Making the above changes on each cluster member, syslogd must be restarted for these changes to take effect. Use cexec to do this on all members of the cluster:

      # cexec “/sbin/init.d/syslogd stop;/sbin/init.d/syslogd start”

  2. To configure syslog-ng, start with the same syslog-ng.conf templates used by the clog_wizard.

    On one cluster member, copy the /opt/dsau/share/clog/templates/syslog-ng.conf.client.template to /etc/syslog-ng.conf.client. This file contains tokens named <%token-name%> which are replaced by the wizard based on the administrator’s answers to the wizard’s questions.

    Manually replace the tokens in /etc/syslog-ng.conf.client as follows:

    1. If configuring the cluster to forward its syslogs to the consolidation server, replace the <%UDP_LOOPBACK_SOURCE%> token with:

      source s_syslog_udp { udp(port(514)); };

      Replace the <%UDP_LOOPBACK_LOG%> token with:

      log { source(s_syslog_udp); destination(d_syslog_type); };

      where type is either tcp or udp depending on the desired log transport. This causes syslog-ng to read the local syslogd’s UDP messages and send them to the log consolidation server. If you do not want to consolidate the local syslogs of this cluster, delete the <%UDP_LOOPBACK_SOURCE%> and <%UDP_LOOPBACK_LOG%> tokens.

    2. Replace all the <%TYPE%> tokens with either tcp or udp depending on the desired log transport.

    3. Find the line

      “destination d_syslog_<%TYPE%> {<%TYPE%>(“<%IP%>”port(<%PORT%>)); };”

      If using the UDP protocol, replace <%IP%> with the IP address of the log consolidation server and <%PORT%> with 514, the standard UDP port. If using TCP protocol with ssh port forwarding, replace <%IP%> with 127.0.0.1 and <%PORT%> with the port chosen for ssh port forwarding. The same guidelines for choosing a free syslog-ng TCP port apply to this port. For details, refer to “Configuring a Log Consolidation Standalone Server with clog_wizard”. (Note that the ssh port chosen should be a free port on all cluster members). Non-interactive secure shell authentication must be set up between each member of this cluster and the log consolidator (can use /opt/dsau/bin/csshsetup tool for the configuration). For details, refer to “ssh Port Forwarding”.

      If using the TCP protocol without ssh port forwarding, replace <%IP%> with the IP address of the log consolidation server and <%PORT%> with TCP port chosen on the log consolidator used for log consolidation.

  3. The syslog-ng startup procedure, /sbin/init.d/syslog-ng, relies on several configuration variables. Edit /etc/rc.config.d/syslog-ng as follows:

    1. Change the CLOG_CONFIGURED line to:

      CLOG_CONFIGURED=1

    2. Add the following lines:

      CLOG_CONSOLIDATOR=0 CLOG_CONS_IP=IP address of the log consolidator

    3. If using the TCP protocol, add the following lines:

      CLOG_TCP=1 CLOG_TCP_PORT=log consolidation server tcp port

      If using ssh port forwarding, add:

      CLOG_SSH=1 CLOG_SSH_PORT=ssh port chosen

      otherwise, add:

      CLOG_SSH=0

      otherwise, if using the UDP protocol, add:

      CLOG_TCP=0

      If consolidating the local syslogs, add:

      CLOG_SYSLOG=1

      otherwise add:

      CLOG_SYSLOG=0

      If consolidating this cluster’s package logs, add:

      CLOG_PACKAGE=1

      otherwise, add:

      CLOG_PACKAGE=0

  4. All the files edited thus far need to be distributed cluster-wide:

    # ccp /etc/syslog-ng.conf.client /etc/ # ccp /etc/rc.config.d/syslog-ng /etc/rc.config.d/

    Create the following symbolic link on each cluster member:

    # ln -sf /etc/syslog-ng.conf.client /etc/syslog-ng.conf

  5. When using TCP with ssh port forwarding, record the ssh port number you chose above in the /etc/services file. For example, add the line:

    clog_ssh 1776/tcp # Consolidated logging with ssh port forwarding

    Add this line to the /etc/services file of each cluster member.

  6. To consolidate this cluster’s package logs, additional manual steps are needed on the log consolidation server. Each time a package is created or deleted on this cluster, these steps need to be done. Refer to “Consolidating Package Logs on the Log Consolidation Server”.

  7. Test the configuration by performing the following steps:

    1. Run /opt/dsau/sbin/syslog-ng with the -s or --syntax-only option to verify the syntax of the/etc/syslog-ng.conf file. This should be a symbolic link to /etc/syslog-ng.conf.client as described above.

    2. Start syslog-ng on all cluster members using

      # cexec “/sbin/init.d/syslog-ng start”

    3. If consolidating the local syslogs, use “logger test-message” and make sure this message is in the consolidated syslog.log on the log consolidation server. Note that the logger messages are first sent to the local syslog which forwards them to syslog-ng. By default, syslogd suppresses duplicate messages. If you issue multiple logger test messages, make sure each is unique.

Forwarding ASCII Log Data

The Consolidated Logging Wizard can automatically configure Serviceguard package logs to be monitored and forwarded as if they were syslog data. These logs are standard ASCII log files. For manual configurations, setting CLOG_PACKAGE=1, as described in “Manually Configuring a Serviceguard Cluster as a Log Forwarding Client”, automatically takes care of package log forwarding.

You can manually configure log consolidation for arbitrary ASCII log files using the following procedures for:

  • Forwarding text logs for consolidation

  • Consolidating text logs on the log consolidation server

Forwarding Text Logs for Consolidation

This procedure contains several steps:

  1. Make sure the system is configured as a log consolidation client or server. (Check the /etc/rc.config.d/syslog-ng file: if CLOG_CONFIGURED=1, the system is configured.) If not, use the Consolidated Logging wizard or the manual configuration methods described in this document to configure the system for log consolidation.

  2. Edit the system’s /etc/rc.config.d/syslog-ng file. For each ASCII log file you plan to consolidate, do the following:

    • Add an entry to the CLOG_TEXT_LOG[]array, starting at array index 0. The value for the array entry must be a complete path to the ASCII log file. For example,

      CLOG_TEXT_LOG[0]=/var/opt/myapp/myapp.log CLOG_TEXT_LOG[1]=/var/adm/logs/mylog.log

    • By default, as each line of the text log is forwarded to the log consolidator, values for several parameters are prepended to each record make the record compatible with syslog record format.

      • If the system is part of a Serviceguard cluster, the following values are prepended: date timestamp hostname clustername_logfilename

      • If the system is not part of a Serviceguard cluster, the following values are prepended: date timestamp hostname hostname_logfilename

        This is equivalent to specifying the following: CLOG_TEXT_FORMAT[n]="custom"

      For example, assuming the log files myapp.logand mylog.logare not in syslog format, the original example could have been fully specified as the following:

      CLOG_TEXT_LOG[0]=/var/opt/myapp/myapp.log CLOG_TEXT_FORMAT[0]="custom" CLOG_TEXT_LOG[1]=/var/adm/logs/mylog.log CLOG_TEXT_FORMAT[1]="custom"

      If the text file is already formatted using the syslog-compatible format shown above, then add the corresponding CLOG_TEXT_FORMAT[n]entry with a value of “syslog”.

      For example,

      CLOG_TEXT_LOG[2]=/var/adm/app/logs/app.log CLOG_TEXT_FORMAT[2]="syslog"

      If no CLOG_TEXT_FORMAT[]entry is made for a corresponding CLOG_TEXT_LOG[]entry, the default is “custom”.

      For an example of a file in syslogformat, see the actual system log file /var/adm/syslog/syslog.log.

  3. After completing the required edits, there are two ways to initiate forwarding for the new log files:

    • Restarting syslog-ng (recommended if not in a production environment)

    • Manual restart, that does not disrupt syslog-ng

    The procedures are the following:

    • Restart syslog-ng. For example, issue the following command:

      /sbin/init.d/syslog-ng restart

      This will disrupt syslog-ng and may cause loss of messages that are being forwarded or consolidated. If your system is not in a production environment, and losing some messages is acceptable, this method is preferable to using the more difficult manual restart.

    • Start the clog_tail process manually for the text log file.

      If the text log file is in syslog format, use the following command:

      /opt/dsau/bin/clog_tail -q -n 0 -p log_file_path

      If the text log file is in a custom format, use the following command:

      /opt/dsau/bin/clog_tail -q -n 0 -p -a log_file_path

      where log_file_path is the complete path to the ASCII log file.

      For example, for a log called myapp.log in custom format, the following command starts clog_tail:

      # /opt/dsau/bin/clog_tail -q -n 0 -p -a /var/opt/myapp/myapp.log

      If the system is a Serviceguard cluster, copy the edited /etc/rc.config.d/syslog-ng file cluster-wide with the following command:

      # ccp /etc/syslog-ng.conf.server /etc/

      Either restart syslog-ng or start the clog_tail of the text-log on all cluster nodes.

Consolidating Text Logs on the Log Consolidation Server

To consolidate the text logs forwarded from clients to a Log Consolidation Server, complete the following tasks on the Log Consolidation Server:

  1. For each text log that will be forwarded from a client, add the following destination, filter and log lines to the file syslog-ng.conf.server, after the section called HP_AUTOMATED_LOG_FILE_CONSOLIDATION:

    For the destination line:

    destination d_node1_text1{ file(“fs/textdir/node1_text1.log”); };

    For the filter line: 

    filter f_node1_text1{ program(node1_text1.log); };

    For the log line: 

    log { source(s_syslog_type); filter (f_node1_text1);destination(d_node1_text1); flags(final);};

    where text1 is the text logfile name, node1 is the relocatable IP address (for a Serviceguard cluster) or hostname (for a non-Serviceguard cluster) that is forwarding this text log, fs is the filesystem on the log consolidator where the consolidated logs will be stored, type is the “s_source” definition, either _tcp or _udp, depending on the log transport selected, and textdir is the name of the directory where you plan to store all text logs.

  2. If the log consolidator is a Serviceguard cluster, make sure to copy the edited /etc/syslog-ng.conf.server file cluster-wide with the following command:

    # ccp /etc/syslog-ng.conf.server /etc/

  3. sighup syslog-ng on the log consolidator so that it rereads its configuration file. (sighup is a UNIX method for restarting a process.) On a Serviceguard log consolidator, sighup syslog-ng only on the adoptive node of the clog package.

Stopping Consolidation of Text Logs

To stop consolidation of text logs, complete the following tasks for each system where you plan to stop log consolidation:

  1. Edit the system’s /etc/rc.config.d/syslog-ng file. For each ASCII log file you plan to stop consolidating, do the following:

    • Remove the CLOG_TEXT_LOG[] and the corresponding CLOG_TEXT_FORMAT[] entry for that text log, if present.

      For example, to stop consolidation of the text log myapp.log, remove the following entries from the /etc/rc.config.d/syslog-ng file:

      CLOG_TEXT_LOG[4]=/var/opt/myapp.log

      CLOG_TEXT_FORMAT[4]="syslog"

  2. After making the required edits, restart syslog-ng using the command:

    /sbin/init.d.syslog-ng restart so that the changes to the /etc/rc/config.d/syslog-ng file take effect.

    If the system is a Serviceguard cluster, copy the edited /etc/rc.config.d/syslog-ng file cluster-wide with the following command:

    # ccp /etc/syslog-ng.conf.server /etc/

    Restart syslog-ng on all cluster nodes.

  3. For each text log that is deleted from a client that is forwarding its text logs, delete the corresponding destination, filter and log lines from the /etc/syslog-ng.conf.server file of the log consolidator. syslog-ng on the log consolidator must be sighup’d so that it rereads this configuration file.

    On a Serviceguard log consolidator, the updated /etc/syslog-ng.conf.server file must be distributed cluster-wide. However, the sighup of syslog-ng needs to be done only on the adoptive node of the clog package.

Consolidating Package Logs on the Log Consolidation Server

When remote Serviceguard clusters forward package log data to a log consolidation server, the default is to place all forwarded log messages in the consolidated syslog.log file on the consolidation server. It can be much more convenient to place these messages in cluster-specific consolidated package log files instead of in the consolidated syslog.log file. This can be achieved using syslog-ng’s filtering rules as follows:

  1. For each package that will be forwarded from a cluster client, add the following destination, filter and log lines to the syslog-ng.conf.server file, after the HP_AUTOMATED_LOG_FILE_CONSOLIDATION section.

    destination d_<clu1>_<pkg1> { file(“<fs>/packages/<clu1>_<pkg1>.log”); }; filter f_<clu1>_<pkg1> { program(<clu1>_<pkg1>.log); }; log { source(s_syslog_<type>); filter(f_<clu1>_<pkg1>);destination(d_<clu1>_<pkg1>); flags(final);};

    where <pkg1> is the package name, <clu1> is the package’s relocatable IP address that is forwarding this package log, <type> is either _tcp or _udp, depending on the log transport selected, and <fs> is the filesystem on the log consolidator where the consolidated logs will be stored.

  2. If the log consolidator is a Serviceguard cluster, make sure to copy the edited /etc/syslog-ng.conf.server file cluster-wide as follows:

    # ccp /etc/syslog-ng.conf.server /etc/

  3. sighup syslog-ng on the log consolidator, so that it re-reads its configuration file. (sighup is a UNIX method for restarting a process.) On a Serviceguard log consolidator, sighup syslog-ng only on the adoptive node of the clog package.

  4. For each package that is deleted from a cluster client that is forwarding its package logs, delete the corresponding destination, filter and log lines from the /etc/syslog-ng.conf.server file of the log consolidator. syslog-ng on the log consolidator will need to be sighup’d so that it re-reads this configuration file. On a Serviceguard log consolidator, the updated /etc/syslog-ng.conf.server file will need to be distributed cluster-wide. However, the sighup of syslog-ng only needs to be done on the adoptive node of the clog package.



Log Consolidation Overview
  		 


Disabling Log Consolidation  
Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© Hewlett-Packard Development Company, L.P.