For those sysadmins out there who haven't yet found loggly.com, I recommend giving it a test drive. I haven't tried using it with a large payload, but for my simple config, it's working great. It's simple to try and test using a Rackspace Cloud account. Here are the steps I used to configure an Ubuntu 11.04 Cloud Server. Note that the TLS setup below (anonymous authentication, no server verification) is vulnerable to man-in-the-middle attacks, but it does send the log data encrypted over the wire. The loggly wiki has the more time-consuming and complex instructions on how to fully secure the log transmission.
1. Sign up at loggly.com for a free account.
2. Log into your loggly console (dashboard) and add a new "input" with the "secure syslog" option selected.
3. While in the dashboard, add a new device with your Cloud Server's public IP; you could also use the API.
4. Log onto your Cloud Server and run the following commands as root (or with sudo):
apt-get install gcc
apt-get install zlib1g-dev
apt-get install make
apt-get install pkg-config
apt-get install libgnutls-dev
curl -# --output rsyslog.tar.gz http://www.rsyslog.com/files/download/rsyslog/rsyslog-4.6.6.tar.gz
tar xvfz rsyslog.tar.gz
cd rsyslog-4.6.6/
./configure --enable-imfile --enable-gnutls
make install
cp rsyslog.conf /etc/
vi /etc/rsyslog.conf
5. Now add the lines below to your /etc/rsyslog.conf file.
#needs to be done just once
$ModLoad imfile
#file #1
$InputFileName /var/log/nginx/access.log
$InputFileTag nginx:
$InputFileStateFile stat-nginx-access
$InputRunFileMonitor
#file #2
$InputFileName /var/log/nginx/error.log
$InputFileTag nginx:
$InputFileStateFile stat-nginx-error
$InputRunFileMonitor
$InputFilePollInterval 10
#quick TLS with anonymous auth (no server verification); comment out these four lines if you see garbage in the loggly console
$DefaultNetstreamDriverCAFile /etc/loggly.com.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
*.* @@logs.loggly.com:<your assigned port>
6. Download the loggly.com.crt certificate file (I simply put it in /etc/). A link is provided in the dashboard once you have selected the "Secure Syslog" option for your input.
7. Restart the rsyslog service (service rsyslog restart)
That should do it; within about 10 seconds you should start seeing your log messages appear in the loggly console, fully searchable. You can also tail /var/log/messages to make sure there are no error messages.
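The config above encrypts the stream but, with the anonymous auth mode, never checks who is on the other end. As an added example (not from the post or from loggly), here is a small lint for a legacy-syntax rsyslog.conf that flags exactly that, next to a hardened variant using rsyslog's own x509/name auth mode with $ActionSendStreamDriverPermittedPeer; the sample configs are constructed and the function names are mine.

```python
# Constructed sample configs for this example; host and port placeholder are as on the page.
WEAK_CONF = """\
$DefaultNetstreamDriverCAFile /etc/loggly.com.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
*.* @@logs.loggly.com:<your assigned port>
"""
# Same forwarding, but the client validates the server cert against the CA file
# and requires it to carry the expected name (rsyslog's x509/name mode).
HARDENED_CONF = WEAK_CONF.replace(
    "$ActionSendStreamDriverAuthMode anon",
    "$ActionSendStreamDriverAuthMode x509/name\n"
    "$ActionSendStreamDriverPermittedPeer logs.loggly.com",
)

def parse_legacy_conf(conf):
    """Split legacy rsyslog syntax into $directives (later wins) and @@ TCP forward targets."""
    settings, targets = {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("$"):
            name, _, value = line[1:].partition(" ")
            settings[name] = value.strip()
        elif "@@" in line:  # "<selector> @@host:port" is a TCP forwarding action
            targets.append(line.partition("@@")[2].strip())
    return settings, targets

def lint_forwarding(conf):
    """Return findings about the forwarding action; an empty list means the peer is verified."""
    settings, targets = parse_legacy_conf(conf)
    if not targets:
        return ["no @@ TCP forwarding action found"]
    driver = settings.get("ActionSendStreamDriver", settings.get("DefaultNetstreamDriver", "ptcp"))
    if driver != "gtls":
        return [f"forwarding to {targets[0]} uses driver '{driver}': logs leave in plaintext"]
    findings = []
    if settings.get("ActionSendStreamDriverMode") != "1":
        findings.append("ActionSendStreamDriverMode is not 1: TLS is not required on the connection")
    auth = settings.get("ActionSendStreamDriverAuthMode", "anon")
    if auth == "anon":
        findings.append("AuthMode anon: server certificate is not checked, so a man-in-the-middle can read the logs")
    elif auth == "x509/name" and "ActionSendStreamDriverPermittedPeer" not in settings:
        findings.append("x509/name set but no ActionSendStreamDriverPermittedPeer to match the server name against")
    if "DefaultNetstreamDriverCAFile" not in settings:
        findings.append("no DefaultNetstreamDriverCAFile: nothing to validate the server certificate against")
    return findings
```

Run lint_forwarding over your own /etc/rsyslog.conf text; the hardened variant only works once the CA file actually signs the certificate loggly presents for that name.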
I ran into only one hiccup during the process. I had a hard time configuring SSL on my first attempt, so if you are having issues, you may want to try non-SSL on the first pass.