I am currently managing 4 syslog servers using syslog-ng. I am trying to figure out the best way to manage the syslog-ng.conf file to prevent myself from having to make the same changes in 4 different locations.
I was thinking about this today. I wonder if this would work using the deployment server?
As long as the file/folder permissions are good between Splunk and syslog-ng, I would think this will work.
It worked!!
At the very top of the syslog-ng.conf file, I added a statement:
@include "/opt/splunkforwarder/etc/apps/syslogng_config/*.conf"
Likely because I'm editing the file in Windows and deploying to Linux, there were some syntax errors with missing spaces, identified with the command:
syslog-ng --syntax-only
The output from that shows that there was a syntax error, but also where it pulled it from (my deployment server path).
After that, reloading the syslog-ng config made the new, managed config go live.
Hope this helps!
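The check-then-reload step from the post above, as an added shell example that is not part of the original thread: it refuses to reload when a deployed snippet carries Windows (CRLF) line endings or when syslog-ng --syntax-only fails, so a bad push never replaces the running config. The CRLF check, the APP_DIR, SYSLOG_NG_BIN and SYSLOG_NG_CTL override variables, and the use of syslog-ng-ctl reload are assumptions of this example.

```shell
#!/bin/sh
# Added example: gate a syslog-ng reload on a clean check of the snippets
# delivered by the Splunk deployment server.
# Assumptions: snippet directory as in the post; binaries are overridable for
# dry runs; CRLF endings are one (assumed) side effect of editing on Windows.

APP_DIR="${APP_DIR:-/opt/splunkforwarder/etc/apps/syslogng_config}"
SYSLOG_NG_BIN="${SYSLOG_NG_BIN:-syslog-ng}"
SYSLOG_NG_CTL="${SYSLOG_NG_CTL:-syslog-ng-ctl}"

# Print every deployed snippet that contains a carriage return.
find_crlf_snippets() {
    cr=$(printf '\r')
    for f in "$APP_DIR"/*.conf; do
        [ -f "$f" ] || continue
        if grep -q "$cr" "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Exit codes: 0 reloaded, 1 syntax check failed, 2 CRLF snippet found.
apply_managed_config() {
    bad=$(find_crlf_snippets)
    if [ -n "$bad" ]; then
        echo "CRLF line endings found, not reloading:" >&2
        echo "$bad" >&2
        return 2
    fi
    # Parses the main syslog-ng.conf, which pulls in the snippets via @include.
    if ! "$SYSLOG_NG_BIN" --syntax-only; then
        echo "syntax check failed, running config left untouched" >&2
        return 1
    fi
    "$SYSLOG_NG_CTL" reload
}

# Only act when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    apply_managed_config
fi
```

Run it with --apply on each syslog server after the deployment server has pushed a new version of the app.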
For example, using Puppet. There are many modules; this one was published by a former syslog-ng upstream developer and manages tens of thousands of machines: https://forge.puppet.com/ihrwein/syslog_ng
Thanks for the info. Was hoping there was a way to do it painlessly with the deployment server. I will look into either Puppet or Ansible.