System A runs the mailserver and its activities are logged there to a /var/log/mail and syslog file. System B is dedicated to monitoring and it is there I would like to install and use Lightmeter.
In the command line parameters I see evidence of two ways to use lightmeter remotely. I guess the rsync method would duplicate the actual log files to system B therefore occupying double storage. No clue how the socket method works and if it would be valid for my case. Could someone explain also how to set it up, please?
In your scenario you can use the rsync option by scheduling rsyncing the /var/log/mail/ directory from A to B. Lightmeter will detect the new logs and track them properly. The events on Lightmeter as as “real time” as the frequency you synchronize the logs. More info at [1].
And yes, this option will duplicate the storage for the logs. If you want to avoid it, you might try storing the logs in a network shared filesystem, which in theory should work, even though I confess I have never tried it. If you do, please report your findings here!
On the socket option, Lightmeter will start listening in a TCP port, which has a very simple wire protocol: the raw contents the lines are sent with a \n character separating them.
Which syslog implementation are you using?
A third way is to use logstash to send logs to lightmeter, in case you are using the ELK stack, also using the socket option. It is documented here: [2]
By default Ubuntu LTS on system A and B are using rsyslog.
So from your response I understand the following options:
centralize the logging by configuring rsyslog A to remote log to B and there let Lightmeter read the log files.
set rsyslog on system A to log as well (is that possible?) to a TCP socket that is to be received by system B with Lightmeter set up to receive the raw TCP log data.
