1

Below is the current architecture of Syslog-NG to avoid single point of failure.

enter image description here

Currently devices send same syslog message to two syslog servers listening on UDP port 514. Each server stores the syslog message(*.log) and also forwards the same message to multiple consumers.

Forwarding causes duplication of messages. For this, haproxy can be deployed between Devices and Syslog server, as mentioned here, to resolve duplication of messages.

1) In our environment, Devices can currently send syslog messages to UDP port (only). Device owner is yet to agree to send syslog message to TCP port, on which, it would further ease to work with haproxy.

2) In our environment, Syslog server is allowed to listen on TCP port which helps to work with haproxy , so...

source src {
    tcp(ip(1.2.3.4),port(514));
}

Following third advice given in this answer,

Can TCP based haproxy listen on UDP port to receive syslog messages from devices? If yes, how to configure?

overexchange
  • 1,466
  • 10
  • 29
  • 46

1 Answers1

1

HAProxy only does TCP, not UDP. If you have systems that can only send syslog messages using UDP, you need something other than HAProxy.

One possibility is nginx - mostly known as a web server, but it's a good proxy server for many different services and does UDP load balancing as well. Another possibility would be to use a clustering agent such as Corosync/pacemaker to have a virtual IP address that can move between two servers as needed.

Jenny D
  • 13,022
  • 3
  • 38
  • 54
  • Will look at nginx, but does it provide high availability service?we doesn't want single point of failure.. scenario – overexchange Oct 18 '18 at 07:54
  • You can have it set so that it uses one server as long as its up, but then it switches to the other if it goes down. If you can put it on your devices so that the devices log to UDP on localhost and then nginx forwards to one of the two syslog servers depending on which one is up, you've got a "poor man's HA". If you can't put it on the devices, you should probably look at a clustering system instead. – Jenny D Oct 18 '18 at 08:08
  • What if nginx goes down? – overexchange Oct 18 '18 at 09:20