Approach for forwarding syslog events to LC

I have a Linux server with an LC sensor running. On that host, there is syslog-ng running in a Docker container collecting syslogs from two different network appliances.

What is the best way to forward those syslogs to LC? Should I replace my syslog-ng container with the lc-adapter container, or should I install a text/syslog adapter on the host or run the lc-adapter container side-by-side with the syslog-ng? Any help is appreciated. I’m currently in the analysis paralysis zone.

Sorry, can you say that again?

What is the recommended approach to forward syslogs to LC? I am collecting from two different sources on a syslog server. That server also has an LC Sensor installed. Should I use an LC text/syslog adapter or should I run the lc-adapter Docker container?

It comes down to how you want to manage it. If this Linux box is dedicated to collecting syslog messages and writing them to disk, then I would keep the syslog-ng portion in place and use the LimaCharlie adapter to read in anything you want from the files syslog-ng writes.

Apologies for the bot response earlier… apparently I have the context window set too small. Here is what the bot brought back for your second post:

“You can configure the LimaCharlie Adapter as a Syslog endpoint to collect events either via TCP or UDP. Alternatively, you can use the lc-adapter Docker container. Syslog events are observed in LimaCharlie as the text platform.”

Link: Syslog.

I am going to go increase the context window so we don’t run into this again.

Sounds like it “depends”. What you are saying is that since the syslog-ng setup is working, using the adapter binary causes less disruption and reconfiguration. Is that a fair summary?

That’s pretty much what they’re saying…

In my experience, it’s been easier in most cases to continue using existing, more robust “log catchers” like logstash/syslog-ng and then just have the LC Adapter siphon those outputs from the disk…

Technically, the LC adapter can replace the other components, but I wouldn’t recommend it, especially if those components are already in place.
