Setting up sending Linux logs to central Syslog server



PeterHands
28-Aug-2015, 17:37
Hi,

I'm fairly new to Linux, but I've been tasked with sending all Linux logs to a central syslog server.

Sorry to ask but are there any guides out there on how to do this?

These are SLES 11 machines

x0500hl
28-Aug-2015, 20:05
I don't know of any guides but this is how I accomplished it:

cd /etc/syslog-ng
cp -p syslog-ng.conf syslog-ng.conf.new
vi syslog-ng.conf.new
Uncomment the last two lines and modify the first line. The modification is in bold.
#
# Enable this and adopt IP to send log messages to a log server.
#
destination logserver { udp("your_log_server_DNS_goes_here" port(514)); };
log { source(src); destination(logserver); };
:wq

To implement:
cd /etc/syslog-ng
mv syslog-ng.conf.new syslog-ng.conf

/etc/rc.d/syslog restart

Hope this helps.


Harley

jmozdzen
31-Aug-2015, 11:19
Hi PeterHands,

> Hi,
>
> Im fairly new to Linux, but ive been tasked with sending all linux logs to a central syslog server.
>
> Sorry to ask but are there any guides out there on how to do this?
>
> These are SLES 11 machines

It'd be helpful to add a little detail to your question:
a - what version of SLES11 (SP4 is latest, saying "SLES11" would usually mean the version without any service packs, which would be horrendously outdated)
b - which syslog are you using, "syslog-ng" (as Harley was referring to) or rsyslog?

There are two sides to your question:
1. How to make the clients send their syslogs to the central syslog server? This part was answered by Harley for syslog-ng, using UDP packets. With rsyslog, have a look at /etc/rsyslog.d/remote.conf
2. How to make the central syslog server receive these messages, and store them comfortably?

If the central server is syslog-ng (rather typical for i.e. SLES11SP3), then you'll need to tell it to listen for the incoming packets i.e. via the following "source" declaration in /etc/syslog-ng/syslog-ng.conf:

source net {
    udp(ip("0.0.0.0") port(514));
};

In addition, you'll have to tell syslog-ng what to do with these messages (no current rule will reference the source named "net" yet). I have decided to keep all messages in separate files per sending host, as not to mix too many message sources in a single file:


# remote logging
destination remotemessages { file("/var/log/hosts/$HOST.log"); };
log { source(net); destination(remotemessages); };

As you can see, these files even go in a separate subdirectory. You'll need to adapt your log rotation rules to that, though: Else you'll end up with pretty large files clobbering your /var/log/hosts file system...

Regards,
Jens
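The receiving side Jens describes (a udp() source on 0.0.0.0:514 feeding a file() destination keyed on $HOST), as an added Python example that is not from this thread or from syslog-ng itself: it parses BSD-syslog datagrams and maps each to a per-host file, falling back to the sender address whenever the host field is not a plain hostname, because that field arrives inside the packet. The sample datagrams, the peer address 10.0.0.9 and the function names are constructed for the example.

```python
import os
import re
import socket

# Constructed sample datagrams in the BSD syslog (RFC 3164) shape that a
# udp() source receives; they are not captured from a real host.
SAMPLES = [
    b"<34>Aug 28 17:37:01 sles11a sshd[1234]: Accepted publickey for peter from 10.0.0.5 port 52214 ssh2",
    b"<13>Aug 28 17:37:02 sles11b logger: test message from client",
    b"<13>Aug 28 17:37:03 ../../etc logger: host field is whatever the sender put there",
]

# <PRI>Mmm dd hh:mm:ss HOST MESSAGE
_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# Plain hostname or IPv4 literal only: letters, digits, dots and dashes.
_HOST_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")


def parse_syslog(datagram, peer_ip):
    """Split PRI, timestamp, host and message. Without a parseable header the
    whole datagram is the message and the peer address stands in for the host."""
    text = datagram.decode("utf-8", "replace").rstrip("\r\n")
    m = _LINE.match(text)
    if not m:
        return {"facility": 1, "severity": 5, "timestamp": None, "host": peer_ip, "message": text}
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group(2),
            "host": m.group(3), "message": m.group(4)}


def per_host_path(base_dir, host, peer_ip):
    """Build the /var/log/hosts/$HOST.log path. The host token is taken from the
    packet, so anything that is not a plain hostname is replaced by the peer IP."""
    name = host if _HOST_OK.match(host) and ".." not in host else peer_ip
    return os.path.join(base_dir, name + ".log")


def receive(base_dir="/var/log/hosts", bind=("0.0.0.0", 514)):
    """Minimal stand-in for source net + destination remotemessages (needs root for port 514)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    os.makedirs(base_dir, exist_ok=True)
    while True:
        data, (peer_ip, _) = sock.recvfrom(65535)
        rec = parse_syslog(data, peer_ip)
        with open(per_host_path(base_dir, rec["host"], peer_ip), "a") as fh:
            fh.write("%s %s %s\n" % (rec["timestamp"] or "-", rec["host"], rec["message"]))


if __name__ == "__main__":
    for d in SAMPLES:  # dry run over the constructed samples, no socket needed
        r = parse_syslog(d, "10.0.0.9")
        print(per_host_path("/var/log/hosts", r["host"], "10.0.0.9"), r["facility"], r["severity"], r["message"])
```

The third sample shows why the file name check matters: with a raw $HOST the record would be written outside /var/log/hosts, whereas here it lands in 10.0.0.9.log.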

swadm
01-Sep-2015, 08:19
There is also a Novell Cool Solutions article on doing this with syslog-ng:

Centralized Syslogging with Syslog-NG on SUSE Linux (https://www.novell.com/coolsolutions/feature/18044.html)