syslog-ng documentation

Your main source of knowledge

The syslog-ng product family has an extensive documentation, covering everything from how to install a product to the most complex configuration and settings descriptions. If you cannot find an answer to your question, try the mailing list - our community is always eager to help.

syslog-ng Premium Edition

Contents

2.14. NFS file system for log files The syslog-ng Premium Edition 7 Administrator Guide

Using the NFS network file system can lead to problems if NFS connection is not stable, therefore Balabit does neither recommend nor officially support such scenarios. If you can avoid it, do not store log files on NFS. If the NFS connection is stable and reliable, syslog-ng PE can read and write files on mounted NFS partitions as a normal file source or destination. Read this section carefully before using syslog-ng PE and NFS-mounted log files.

Risks

If there is any issue with the NFS connection (for example, connection loss, the NFS server stops), syslog-ng PE can stop working. These NFS issues can be related to the operating system, and can also vary depending on its patch level and kernel version. The possible effects include the following:

  • syslog-ng PE freezes, does not respond, does not process logs, is unable to stop or reload, and you can stop it only using the kill -9 command

  • syslog-ng PE is not able to start, and hangs during startup

  • Message loss or message duplication

  • Message becomes corrupt (it is not lost, but the message or some parts of it contain garbage)

  • On some RHEL-based systems (possibly depending on the kernel version too), NFS returns NULL characters when reading a file that another process is writing at the very same moment.

Limitations of using syslog-ng PE with NFS

  • To use wildcards in the file source, set the force-directory_polling() option to yes to detect newly created files. Note that this option is available only in syslog-ng PE version 6.0.3 and newer versions of the 6.x branch, and is not yet available in syslog-ng PE version 7.

  • Since Balabit does not officially support scenarios where you use syslog-ng PE together with NFS, Balabit will handle support requests and bugs related to such scenarios only if you can reproduce the issue independently from NFS.

Recommendations for using NFS with syslog-ng PE

If you cannot avoid using NFS with syslog-ng PE note the following points.

  • USE at least NFS v4 (or newer if available)

  • USE the soft mount option (-o soft) to mount the partition

  • USE the TCP mount option (-o tcp) to mount the partition

  • DO NOT install syslog-ng PE on an NFS-mounted partition

  • DO NOT store the runtime files (for example, the configuration or the persist file) of syslog-ng PE on an NFS-mounted partition