2.14. NFS file system for log files
Using the NFS network file system can lead to problems if NFS connection is not stable, therefore Balabit does neither recommend nor officially support such scenarios. If you can avoid it, do not store log files on NFS. If the NFS connection is stable and reliable, syslog-ng PE can read and write files on mounted NFS partitions as a normal file source or destination. Read this section carefully before using syslog-ng PE and NFS-mounted log files.
If there is any issue with the NFS connection (for example, connection loss, the NFS server stops), syslog-ng PE can stop working. These NFS issues can be related to the operating system, and can also vary depending on its patch level and kernel version. The possible effects include the following:
syslog-ng PE freezes, does not respond, does not process logs, is unable to stop or reload, and you can stop it only using the kill -9 command
syslog-ng PE is not able to start, and hangs during startup
Message loss or message duplication
Message becomes corrupt (it is not lost, but the message or some parts of it contain garbage)
When using the
logstore()destination, the logstore file becomes corrupt
On some RHEL-based systems (possibly depending on the kernel version too), NFS returns NULL characters when reading a file that another process is writing at the very same moment.
Do not use the
logstore()destination to store files on an NFS-mounted partition
To use wildcards in the file source, set the
yesto detect newly created files. Note that this option is available only in syslog-ng PE version 6.0.3 and newer versions of the 6.x branch, and is not yet available in syslog-ng PE version 7.
Since Balabit does not officially support scenarios where you use syslog-ng PE together with NFS, Balabit will handle support requests and bugs related to such scenarios only if you can reproduce the issue independently from NFS.
If you cannot avoid using NFS with syslog-ng PE note the following points.
USE at least NFS v4 (or newer if available)
USE the soft mount option (
-o soft) to mount the partition
USE the TCP mount option (
-o tcp) to mount the partition
DO NOT install syslog-ng PE on an NFS-mounted partition
DO NOT store the runtime files (for example, the configuration or the persist file) of syslog-ng PE on an NFS-mounted partition
DO NOT use logstore on an NFS-mounted partition, it can easily become corrupted