Questions about syslog server

[sunshine59]

On 10/16/2019 at 11:45 PM, Frank1940 said:

How do I use the Syslog Server?

 

Beginning with release 6.7.0, there has been a syslog server functionality added to Unraid.  This can be a very powerful diagnostic tool when you are confronted with a situation where the regular tools can not or do not capture information about about a problem because the server has become non-responsive, has rebooted, or spontaneously powered down.  However, getting it set up to use has been confusing to many.  Let's see if we clarify setting it up for use.  Begin by going to  Settings   >>>   Syslog Server    

 

This is the basic Syslog Server page:

 

You can click on the 'Help' icon on the Toolbar and get more information for all of these three options. 

 

The first one to be considered for use is the Mirror syslog to flash:  This one is the simplest to set up.  You select 'Yes' from the dropdown box and click on the 'Apply' button and the syslog will be mirrored to logs folder/directory of the flash drive.  There is one principal disadvantage to this method.  If the condition, that you are trying to troubleshoot, takes days to weeks to occur, it can do a lot of writes to the flash drive.  Some folks are hesitant to use the flash drive in this manner as it may shorten the life of the flash drive.  This is how the setup screen looks when the Syslog Server is set up to mirror to the flash drive. 

 

The second option is use an external Syslog Server.  This can be another Unraid server.  You can also use virtually any other computer.  You find the necessary software by googling for the   syslog server <Operating system>  After you have set up the computer/server, you fill in the computer/server name or the IP address.  (I prefer to use the IP address as there is never any confusion about what it is.)  The Click on the 'Apply' button and your syslog will be mirrored to the other computer. The principal disadvantage to this system is that the other computer has be left on continuously until the problem occurs.

 

The third option uses a bit of trickery in that we use the Unraid server with the problem as the Local syslog server.  Let's begin by setting up the Local syslog server.   After changing the Local syslog server: dropdown to 'Enabled', the screen will look like this.  

 

Note that we have a new menu option--  Local syslog folder:  This will be a share on the your server but chose it with care.  Ideally, it will be a 'cache only' or a 'cache preferred' share.  This will minimize the spinning up of disks due to the continuous writing of new lines to the syslog.  A cache SSD drive would be the ideal choice here.  (The folder that you see above is a 'cache preferred' share.  The syslog will be in the root of that folder/share.)

 

If you click the 'Apply button at this point, you will have this server setup to serve as a Remote Syslog Server.  It can now capture syslogs from several computers if the need should arise.

 

Now, we added the ip address of this server as the  Remote syslog server  (Remember the mention of trickery.  So basically, you send data out-of-the-server and it comes-right-back-in.)   This is what it looks now:

 

As soon as you click on apply, the logging of your syslog will start to a file named (in this case)  syslog-192.168.1.242.log in the root of the selected folder (in this case-- Folder_Tree). One very neat feature is that each entry are appended onto this file every time a new line is added to the syslog.  This should mean if you have a reboot of the server after a week of collecting the syslog, you will have everything from before the reboot and after the reboot in one file!  

 

Thanks @bonienl for both writing this utility and the guidance in putting this together.   

Hi there,

 

Thanks for sharing how you handle your local syslog server. I'm talking about the option 3 you described here. When choosing to implement the option 3, do we need to have the remote computer (in your example 192.168.1.242) always turn ON as in the option 2?  Does that IP really exist in your network? If we set the "local syslog rotation" to enabled, will we be able to get error logs when the system can't reboot, or does unclean shutdown? What does Enabling "local syslog rotation" really mean, how often will the old logs will be erased?

thanks for answering those questions..

[JorgeB]

Split from the FAQ thread, @sunshine59as mentioned there please don't use that thread for questions.

[Frank1940]

3 hours ago, sunshine59 said:

Thanks for sharing how you handle your local syslog server. I'm talking about the option 3 you described here. When choosing to implement the option 3, do we need to have the remote computer (in your example 192.168.1.242) always turn ON as in the option 2? 

 

Yes and No, As the description implies, the option sends the syslog data out of the server onto the LAN and loops right back into the same server.  This option saves the syslog for the server with an IP address of 192.168.1.242 and saves that syslog to a file on the server with an IP address of 192.168.1. 242.   If the server on 192.168.1.242 goes down, the transmission of this syslog will stop.  When that server restarts, the Syslog Server scripts starts back up and the process will run as before.  Obviously, you lose anything that happens between when the scripts stops and when it restarts.

 

3 hours ago, sunshine59 said:

Does that IP really exist in your network?

 

Yes, as it is a real working server.   (By the way, there are quite possibly hundreds of thousands of computers (and other devices) around the world that could have that same IP address as that address is within the address range for IPv4 assigned for use on LAN's  (Local Area Network).  This means that the world knowing the address of this server is not a security hazard as it is secured behind my router-- which has its own IPv4 address on the WAN (Wide Area Network)--- with a NAT and a firewall...)

 

4 hours ago, sunshine59 said:

If we set the "local syslog rotation" to enabled, will we be able to get error logs when the system can't reboot, or does unclean shutdown? What does Enabling "local syslog rotation" really mean, how often will the old logs will be erased?

 

@bonienl, I believe this is your area of expertise.

[sunshine59]

9 hours ago, JorgeB said:

Split from the FAQ thread, @sunshine59as mentioned there please don't use that thread for questions.

Thanks for saying this. I was not sure how to do..

[sunshine59]

5 hours ago, Frank1940 said:

 

Yes and No, As the description implies, the option sends the syslog data out of the server onto the LAN and loops right back into the same server.  This option saves the syslog for the server with an IP address of 192.168.1.242 and saves that syslog to a file on the server with an IP address of 192.168.1. 242.   If the server on 192.168.1.242 goes down, the transmission of this syslog will stop.  When that server restarts, the Syslog Server scripts starts back up and the process will run as before.  Obviously, you lose anything that happens between when the scripts stops and when it restarts.

 

 

Yes, as it is a real working server.   (By the way, there are quite possibly hundreds of thousands of computers (and other devices) around the world that could have that same IP address as that address is within the address range for IPv4 assigned for use on LAN's  (Local Area Network).  This means that the world knowing the address of this server is not a security hazard as it is secured behind my router-- which has its own IPv4 address on the WAN (Wide Area Network)--- with a NAT and a firewall...)

 

 

@bonienl, I believe this is your area of expertise.

Thanks at lot @Frank1940, this all make sense now.

[bonienl]

On 4/8/2022 at 1:38 PM, Frank1940 said:

I believe this is your area of expertise.

 

syslog rotation looks at the size of the log file and when greater than the indicated size, it will start a new log file while renaming the older log file with a sequence number.

The user can select how many previous log files to keep stored next to the current log file.