Does anyone have any experience with running multiple syslog servers for high availability?
We currently are running two SW syslog daemons, which both are active at any given time, and writing to the same backend db cluster, which results in duplication of every trap/syslog message. I could manually terminate the process on the backup server, but I think then the changes written to the primary syslog daemon would not get passed to the backup? Due to a large number of syslog messages being generated, which are now being duplicated, our db is getting hammered trying to insert all the messages into the table which is starting to affect performance of other applications relying on the same db cluster.
Is there any more in-depth information on how the HA works (the replication of the rules/alerting)? I think this is done via a db write which both daemons point to.
Are there any suggestions for how to best set this up given the current limitations?
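One way to stop the duplicate rows without turning off the second daemon is to make the insert itself idempotent: fingerprint each message on the fields the device produced (host, device timestamp, message text), put a uniqueness constraint on that fingerprint, and let the database discard the second copy. The example below is added here and is not code from the original post; it uses SQLite in memory as a stand-in for the backend cluster, two hypothetical collector names (syslog-a, syslog-b), and a handful of constructed sample messages. On PostgreSQL the equivalent of `INSERT OR IGNORE` is `INSERT ... ON CONFLICT (fingerprint) DO NOTHING`.

```python
"""Idempotent syslog ingestion: two active collectors, one row per message."""
import hashlib
import sqlite3

# Constructed sample events (not from the original post). Each tuple is
# (collector, device_host, device_timestamp, message). Both hypothetical
# collectors, syslog-a and syslog-b, receive every message, so every
# event arrives twice, in no particular order.
SAMPLE_EVENTS = [
    ("syslog-a", "core-sw1", "2024-05-01T10:00:01Z",
     "%LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down"),
    ("syslog-b", "core-sw1", "2024-05-01T10:00:01Z",
     "%LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down"),
    ("syslog-a", "fw01", "2024-05-01T10:00:02Z",
     "sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51512"),
    ("syslog-b", "fw01", "2024-05-01T10:00:02Z",
     "sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51512"),
    ("syslog-b", "core-sw1", "2024-05-01T10:00:05Z",
     "%LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up"),
    ("syslog-a", "core-sw1", "2024-05-01T10:00:05Z",
     "%LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up"),
]

# The PRIMARY KEY on the fingerprint is what enforces "one row per message";
# no coordination between the two daemons is needed, the database arbitrates.
SCHEMA = """
CREATE TABLE IF NOT EXISTS syslog (
    fingerprint   TEXT PRIMARY KEY,  -- sha256 over (host, timestamp, message)
    host          TEXT NOT NULL,
    ts            TEXT NOT NULL,
    message       TEXT NOT NULL,
    first_seen_by TEXT NOT NULL      -- collector that won the insert race
);
"""


def fingerprint(host: str, ts: str, message: str) -> str:
    """Deterministic id for a device message.

    The collector name and arrival time are deliberately excluded so that the
    same message forwarded by both daemons hashes identically.
    """
    data = "\x1f".join((host, ts, message)).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def ingest(conn: sqlite3.Connection, events) -> tuple[int, int]:
    """Insert events, ignoring duplicates. Returns (inserted, ignored)."""
    inserted = ignored = 0
    for collector, host, ts, message in events:
        cur = conn.execute(
            "INSERT OR IGNORE INTO syslog "
            "(fingerprint, host, ts, message, first_seen_by) VALUES (?, ?, ?, ?, ?)",
            (fingerprint(host, ts, message), host, ts, message, collector),
        )
        # rowcount is 1 for a real insert and 0 when the constraint ignored it
        if cur.rowcount == 1:
            inserted += 1
        else:
            ignored += 1
    conn.commit()
    return inserted, ignored


def demo() -> dict:
    """Run the sample through an in-memory database and report the counts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    inserted, ignored = ingest(conn, SAMPLE_EVENTS)
    # A second pass (e.g. a backlog flushed after a failover) adds nothing.
    replay_inserted, _ = ingest(conn, SAMPLE_EVENTS)
    rows = conn.execute("SELECT COUNT(*) FROM syslog").fetchone()[0]
    conn.close()
    return {"inserted": inserted, "ignored": ignored,
            "replay_inserted": replay_inserted, "rows": rows}


if __name__ == "__main__":
    print(demo())
```

Two caveats worth knowing before adopting this shape. First, the fingerprint collapses genuinely identical messages that carry the same device timestamp, so on devices that only stamp to the second, a burst of identical lines within one second becomes one row; if the device emits a sequence number or the relay adds one, fold it into the hash. Second, the constraint check is a primary-key lookup rather than a table scan, so it removes the duplicate write without adding a comparable read cost, which is the point when the cluster is already being hammered.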