§2024-05-16

Ask chatGPT

  1. I have a MongoDB replication server as follows:
  1. Each member has a log file at /opt/package/mongoDB/log/mongod.log on its own hard disk.

All the replication members have syslog-ng installed. I would like the hc4nas02.yushei.net machine, with syslog-ng installed, to record all replication members' logs into its /var/log/mongoDB-ys20220317.log using syslog-ng. Please help set it up.


Answer by chatGPT:

To set up syslog-ng on hc4nas02.yushei.net to record logs from all replication members into a single log file (/var/log/mongoDB-ys20220317.log), you'll need to follow these steps:

  1. Install syslog-ng @hc4nas02.yushei.net

Configure syslog-ng: Edit the syslog-ng configuration file (/etc/syslog-ng/syslog-ng.conf) to define the sources, destinations, and filters.

Open the configuration file in a text editor:

  1. hc4nas02.yushei.net, /etc/syslog-ng/syslog-ng.conf as
@version: 3.25
@include "scl.conf"

# Sources
source s_net {
    network(ip(0.0.0.0) port(514) transport("udp"));
};

# Destinations
destination d_mongoDB {
    file("/var/log/mongoDB-ys20220317.log");
};

# Filters
filter f_redisMongo01 {
    host("redisMongo01.yushei.com.tw");
};

filter f_redisMongo02 {
    host("redisMongo02.yushei.com.tw");
};

filter f_redisMongo03 {
    host("redisMongo03.yushei.com.tw");
};

filter f_redisMongo04 {
    host("redisMongo04.yushei.com.tw");
};

# Bind Sources, Destinations, and Filters
log {
    source(s_net);
    filter(f_redisMongo01);
    destination(d_mongoDB);
};

log {
    source(s_net);
    filter(f_redisMongo02);
    destination(d_mongoDB);
};

log {
    source(s_net);
    filter(f_redisMongo03);
    destination(d_mongoDB);
};

log {
    source(s_net);
    filter(f_redisMongo04);
    destination(d_mongoDB);
};
  1. @hc4nas02.yushei.net sudo systemctl restart syslog-ng

  2. for each replicationSet member, /etc/syslog-ng/syslog-ng.conf

@version: 3.25
@include "scl.conf"

# Sources
source s_local {
    system();
    internal();
};

# Destinations
destination d_hc4nas02 {
    syslog("hc4nas02.yushei.net" transport("udp") port(514));
};

# Bind the source and destination together
log {
    source(s_local);
    destination(d_hc4nas02);
};
  1. verify it is working
alexlai@hc4nas02:~$ sudo tcpdump -i any port 514
alexlai@hc4nas02:~$ ls /var/log/mongoDB-ys20220317.log
ls: cannot access '/var/log/mongoDB-ys20220317.log': No such file or directory
alexlai@hc4nas02:~$ sudo tcpdump -i any port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
18:07:38.905976 IP 192.168.2.250.50441 > hc4nas02.syslog: SYSLOG daemon.info, length: 164
18:07:38.905977 IP 192.168.2.250.50441 > hc4nas02.syslog: SYSLOG daemon.error, length: 161
....

Again this is my /etc/syslog-ng/syslog.conf file for hc4nas02.yushei.net

@version: 3.25
@include "scl.conf"

# Sources
source s_net {
    network(ip(0.0.0.0) port(514) transport("udp"));
};

# Destinations
destination d_mongoDB {
    file("/var/log/mongoDB-ys20220317.log");
};

# Filters
filter f_redisMongo01 {
    host("redisMongo01.yushei.com.tw");
};

filter f_redisMongo02 {
    host("redisMongo02.yushei.com.tw");
};

filter f_redisMongo03 {
    host("redisMongo03.yushei.com.tw");
};

filter f_redisMongo04 {
    host("redisMongo04.yushei.com.tw");
};

# Bind Sources, Destinations, and Filters
log {
    source(s_net);
    filter(f_redisMongo01);
    destination(d_mongoDB);
};

log {
    source(s_net);
    filter(f_redisMongo02);
    destination(d_mongoDB);
};

log {
    source(s_net);
    filter(f_redisMongo03);
    destination(d_mongoDB);
};

log {
    source(s_net);
    filter(f_redisMongo04);
    destination(d_mongoDB);
};

and redismongo03.yushei.com.tw's /etc/syslog-ng/syslog-ng.conf is

@version: 3.25
@include "scl.conf"

# Sources
source s_local {
    system();
    internal();
};

# Destinations
destination d_hc4nas02 {
    syslog("hc4nas02.yushei.net" transport("udp") port(514));
};

# Bind the source and destination together
log {
    source(s_local);
    destination(d_hc4nas02);
};

syslog-ng.service restarted OK. and

on hc4nas02.yushei.net

alexlai@hc4nas02:~$ sudo tcpdump -i any port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
18:13:34.911442 IP 192.168.2.250.50441 > hc4nas02.syslog: SYSLOG authpriv.notice, length: 182
18:13:34.911443 IP 192.168.2.250.50441 > hc4nas02.syslog: SYSLOG authpriv.info, length: 127
18:13:34.911443 IP 192.168.2.250.50441 > hc4nas02.syslog: SYSLOG authpriv.info, length: 145

Why on hc4nas02.yushei.net

root@hc4nas02:/home/alexlai# /var/log/mongoDB-ys20220317.log
bash: /var/log/mongoDB-ys20220317.log: No such file or directory
root@hc4nas02:/home/alexlai# 
sudo touch /var/log/mongoDB-ys20220317.log
sudo chown syslog:syslog /var/log/mongoDB-ys20220317.log
sudo chmod 644 /var/log/mongoDB-ys20220317.log

Yes, port 514 is commonly used for syslog-ng, especially for receiving syslog messages over the UDP protocol. If you change it, then you have to do the following:

@version: 3.25
@include "scl.conf"

# Sources
source s_local {
    system();
    internal();
};

# Destinations
destination d_hc4nas02 {
    syslog("hc4nas02.yushei.net" transport("udp") port(YOUR_CUSTOM_PORT));
};

# Bind the source and destination together
log {
    source(s_local);
    destination(d_hc4nas02);
};
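
The tcpdump output above shows datagrams arriving on port 514 while the log file stays absent, so a useful next check is which HOST value the four host() filters are actually compared against. The following is an added example, not part of the original notes or the ChatGPT answer: it classifies a UDP syslog payload as RFC 5424 or RFC 3164 and tests the resulting host against the page's patterns. The sample payloads are constructed, and `keep_hostname` is a simplified model of syslog-ng's keep-hostname() option assumed for this example.

```python
import re

# host() patterns copied from the receiver config on this page.
FILTERS = {f"f_redisMongo0{n}": f"redisMongo0{n}.yushei.com.tw" for n in range(1, 5)}

# <PRI>1 TIMESTAMP HOSTNAME ...            (RFC 5424, IETF syslog)
RFC5424 = re.compile(rb"^<(\d{1,3})>1 (\S+) (\S+) ")
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: ...   (RFC 3164, BSD syslog)
RFC3164 = re.compile(rb"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")

def parse_datagram(payload: bytes) -> dict:
    """Classify one UDP syslog payload and extract PRI and the HOST field."""
    m, fmt, host_group = RFC5424.match(payload), "rfc5424", 3
    if not m:
        m, fmt, host_group = RFC3164.match(payload), "rfc3164", 2
    if not m:
        return {"format": "unknown", "host": None, "facility": None, "severity": None}
    pri = int(m.group(1))
    return {"format": fmt, "host": m.group(host_group).decode(),
            "facility": pri >> 3, "severity": pri & 7}

def effective_host(parsed: dict, peer: str, keep_hostname: bool = False):
    """Assumed model: with keep-hostname(no) the receiver replaces HOST with the
    peer's address (or its reverse-DNS name); with yes it keeps the packet's HOST."""
    return parsed["host"] if keep_hostname else peer

def matching_filters(host):
    """host() is treated as a case-sensitive regular-expression search on HOST."""
    return [name for name, pat in FILTERS.items() if host and re.search(pat, host)]

def diagnose(payload: bytes, peer: str, keep_hostname: bool = False):
    """Return (wire format, host the filters see, names of filters that match)."""
    parsed = parse_datagram(payload)
    host = effective_host(parsed, peer, keep_hostname)
    return parsed["format"], host, matching_filters(host)

# Constructed sample payloads (not captured from the hosts on this page).
SAMPLE_5424 = b"<30>1 2024-05-16T18:07:38+08:00 redismongo03 mongod 1234 - - started"
SAMPLE_3164 = b"<85>May 16 18:13:34 redisMongo03.yushei.com.tw sshd[99]: session opened"

if __name__ == "__main__":
    for sample in (SAMPLE_5424, SAMPLE_3164):
        for keep in (False, True):
            print(diagnose(sample, "192.168.2.250", keep))
```

Real payload bytes for `diagnose()` can be read from `sudo tcpdump -A -i any udp port 514` on the receiver; an empty filter list means none of the four log paths would write to the destination file.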