SysLog Forwarding for XenServer

BRRABill

@DustinB3403 said in SysLog Forwarding for XenServer:

@travisdh1 said in SysLog Forwarding for XenServer:

For my XenServer (still 6.5), I actually started up the XenCenter app. Right click on the server -> properties -> click log destination on left -> click remote on right and enter the rsyslog server ip.

Which I've done that, but where on the syslog VM would I actually see the logs being created? What should I modify in the /var/lib/syslog.conf file on XenServer?

When I did that, I forwarded them to a VM running Splunk, and it showed right up.

BRRABill

@BRRABill said

When I did that, I forwarded them to a VM running Splunk, and it showed right up.

In fact, I've done so much, I forgot to re-enable that. Just did, and it showed right up again.

Just set the option in XC, and that was it. Immediately showed up in my Splunk install.

8/12/16
1:49:16.000 PM	
Aug 12 13:49:16 10.0.4.20 Aug 11 13:49:37 xenserver-test-reinstall xapi: [debug|xenserver-test-reinstall|33 dbflush [/var/lib/xcp/state.db]||sql] XML backend [/var/lib/xcp/state.db] -- Write buffer flushed. Time: 0.020193
host = 10.0.4.20 source = udp:514 sourcetype = linux_messages_syslog
8/12/16
1:49:14.000 PM	
Aug 12 13:49:14 10.0.4.20 Aug 11 13:49:35 xenserver-test-reinstall xcp-rrdd-xenpm: [debug|xenserver-test-reinstall|0 ||xcp-rrdd-xenpm] Found 4 states; with 2 CPUs this means 2 states per CPU
host = 10.0.4.20 source = udp:514 sourcetype = linux_messages_syslog
8/12/16
1:49:14.000 PM	
Aug 12 13:49:14 10.0.4.20 Aug 11 13:49:35 xenserver-test-reinstall xcp-rrdd-xenpm: [debug|xenserver-test-reinstall|0 ||xcp-rrdd-xenpm] Process 3237 exited normally with code 0

DustinB3403

So now I need a VM with splunk as well?

Or can I use my CentOS Rsyslog Vm as well?

travisdh1

@DustinB3403 said in SysLog Forwarding for XenServer:

@travisdh1 said in SysLog Forwarding for XenServer:

For my XenServer (still 6.5), I actually started up the XenCenter app. Right click on the server -> properties -> click log destination on left -> click remote on right and enter the rsyslog server ip.

Which I've done that, but where on the syslog VM would I actually see the logs being created? What should I modify in the /var/lib/syslog.conf file on XenServer?

By default, everything goes in /var/log/messages. If you want to find things for just one host name

sudo cat /var/log/messages | grep 'hostname'

I'm now understanding why @scottalanmiller likes binary logs instead of ascii. That messages file grows quickly.

DustinB3403

@travisdh1 That does show a lot of information, which is scrolling very quickly!

I guess it works

DustinB3403

So if that works, then I need to setup a easy way to view these messages..

Is splunk the go to solution for this?

BRRABill

@DustinB3403 said in SysLog Forwarding for XenServer:

So if that works, then I need to setup a easy way to view these messages..

Is splunk the go to solution for this?

I used Splunk because it is free and easy. (For me.)

I tried setting up a few other things, and gave up. (Like loggly.) I want to get back to other logging stuff some day, but it works for me.

scottalanmiller

Splunk is free only for very small sizes. Once your logs grow or you have more than a few servers you normally overrun the free part.

DustinB3403

So what would be a good aggregation tool to be able to view the logs?

If Splunk stops at a tiny level..... I won't bother with it.

BRRABill

@DustinB3403 said in SysLog Forwarding for XenServer:

So what would be a good aggregation tool to be able to view the logs?

If Splunk stops at a tiny level..... I won't bother with it.

500MB per day.

DustinB3403

@BRRABill said in SysLog Forwarding for XenServer:

@DustinB3403 said in SysLog Forwarding for XenServer:

So what would be a good aggregation tool to be able to view the logs?

If Splunk stops at a tiny level..... I won't bother with it.

500MB per day.

yeah that's worthless......