Currently I have my logs coming in to a syslog-ng server.
The config file on the syslog server is sort of like this:
source of incoming remote logs
destination syslog logs dir saved under ip address, then by date
destination graylog server
log source and then both destinations
So as logs come in they are saved locally, some templates applied depending on the source, and then sent on to the Graylog server.
Now, through experimenting with Graylog, I have gone through various rebuilds.
How can I resend/reprocess the saved data on the syslog-ng server back to the Graylog server,
whilst still working to accept logs from current sources?
So you are saying that I need to run something else to replay the log files? Then what is the point of having a syslog server between source and Graylog?
But that’s no better than using Filebeat, Logstash, or NXLOG.
Buffering, intermediate storage, etc. – it depends on your use case and requirements.
This being said, syslog-ng and other (traditional) syslog servers write the received logs to disk, but not into a database or a journal which allows arbitrary replay.
So I always put Filebeat with ELK. And always thought that there would be a switch or whatever to reprocess old logs on the syslog.
Would you or anyone have something like this with syslog-ng: accept the source and save locally.
Then, and not sure if possible, run another syslog script to use the file location as source and then just read and forward these?
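
One way to do what the last post asks, as an added example that is not from the thread: a second log path in the same syslog-ng configuration that reads saved files with the `wildcard-file()` source and forwards each line unchanged, independent of the live path. The directory, hostname, port and object names are assumptions, and the replay directory is assumed to be a copy of the archive, not the directory the live destination writes to.

```conf
# Added example: fragment to place next to the existing source/destination/log
# statements. All names and paths below are placeholders (assumptions).

# Replay source: read every saved file under a staging copy of the archive.
# Do not point base-dir() at the live log directory: the live path already
# sends those messages to Graylog, so tailing them here would duplicate them.
source s_replay {
    wildcard-file(
        base-dir("/srv/replay")          # copy of the <ip>/<date> tree to resend
        filename-pattern("*")            # match whatever the saved files are called
        recursive(yes)                   # descend into the per-IP and per-date dirs
        flags(no-parse)                  # keep each saved line whole in ${MESSAGE}
    );
};

# Replay destination: a separate destination object, so its queue and any
# throttling are independent of the live Graylog destination.
destination d_graylog_replay {
    network(
        "graylog.example.org"            # placeholder host
        port(1514)                       # placeholder port of a Graylog input
        transport("tcp")
        template("${MESSAGE}\n")         # send the saved line as-is, one per line
    );
};

# Separate log path: the existing "remote source -> file + Graylog" path is
# untouched and keeps accepting current logs while the replay runs.
log {
    source(s_replay);
    destination(d_graylog_replay);
};
```

syslog-ng records its read position per file, so a restart continues where it stopped instead of resending. Whether Graylog shows the original event time depends on the saved line format (the templates mentioned in the first post) and on the type of input that receives the replay.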