RedHat syslog – remote logging

Syslog is responsible for the main system logs on Linux. Everything it collects is written to the files named in its configuration. It is good practice to keep the logs of all your servers on a dedicated log server: logs kept in one place are easier to browse than logs read on every machine separately, and a copy that has already left a machine survives if someone tampers with the local files. Keep in mind that classic syslog forwarding is plain UDP with no authentication and no encryption, so the log server should accept it only from known hosts on a trusted network.

1) Configuration of both log server and log client:

On both hosts, check that /etc/services has an entry for port 514, the default syslog port (syslogd looks the port up here by the service name "syslog"):

grep 514 /etc/services

syslog          514/udp

On the log server, allow incoming traffic on this port with a firewall rule (on Red Hat the rule belongs in /etc/sysconfig/iptables, followed by service iptables restart). Where possible restrict it to the client's address with -s, because syslogd itself accepts messages from anyone who can reach the port:

-A RH-Firewall-1-INPUT -p udp --dport 514 -j ACCEPT

By default syslogd does not listen on the network. On the log server, add '-r' to the SYSLOGD_OPTIONS variable in /etc/sysconfig/syslog (for example SYSLOGD_OPTIONS="-m 0 -r") so that it accepts messages on 514/udp. The log client needs no startup option: sending is switched on purely by the @host entry in /etc/syslog.conf described below.

Now we are ready to configure syslog itself. The configuration lives in /etc/syslog.conf, and the entries differ between the log server and the log client.

2) Configuration of log server:

You have to tell the server which client the following rule applies to and where that client's messages should be written. To do this, add two lines to /etc/syslog.conf:

+LOG_CLIENT
log_source.log_type                                                  log_file

where:

  • LOG_CLIENT can be a hostname or an IP address. A hostname has to be resolvable through DNS or /etc/hosts.
  • log_source.log_type – the facility the message comes from and its priority. A priority selects that level and everything more severe. A few examples: user.notice -> notice and above from user programs; kern.warn -> warnings and above from the kernel; *.* -> all messages from all facilities.
  • log_file – the file the matching messages are written to.

The +hostname block is BSD-style syntax and not every syslogd understands it, so check syslog.conf(5) on the log server first. If yours does not accept it, leave the + line out: the rule then applies to messages from every host, and the hostname recorded at the start of each log line still tells the clients apart.

Example:

+log_client
user.*                                                  /var/log/log_client.log

In the example above, messages from the user facility sent by host 'log_client' are written to /var/log/log_client.log.


3) Configuration of log client:

In /etc/syslog.conf you specify which messages are to be forwarded to the log server:

log_source.log_type                                                  @LOG_SERVER

where:

  • log_source.log_type – the facility the message comes from and its priority, exactly as on the server: a priority selects that level and everything more severe. A few examples: user.notice -> notice and above from user programs; kern.warn -> warnings and above from the kernel; *.* -> all messages from all facilities.
  • LOG_SERVER can be a hostname or an IP address. A hostname has to be resolvable through DNS or /etc/hosts.

Example:

user.*                                                  @log_server

In the example above, all messages from the user facility are sent to the 'log_server' host on UDP port 514. Every matching line in syslog.conf fires, so forwarding is added on top of the existing rules and the same messages are still written to the local log files.

Remember to restart the syslog service on both hosts after any change to /etc/syslog.conf! A quick check afterwards is to generate a test message on the client with the logger(1) utility and look for it in the client's file on the log server.

service syslog restart
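The following is an added worked example, not code from the original post: it shows what a syslog.conf selector such as user.* or kern.warn actually matches, which actions fire for a given message (including the stock /var/log/messages line next to the @log_server line from this post), and what the @log_server action puts on the wire, namely one RFC 3164 style UDP datagram. The facility and severity codes and the message layout are the standard syslog ones; the host names, the sample syslog.conf lines and the test messages are constructed for the example.

```python
"""Added example (not from the original post): syslog.conf selector matching
and the UDP datagram behind '@log_server'. Facility/severity codes and the
RFC 3164 layout are standard; host names and sample config are constructed."""
import re
import socket
from datetime import datetime

# PRI = facility * 8 + severity (standard syslog numbering).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FAC_BY_CODE = {v: k for k, v in FACILITIES.items()}
SEV_BY_CODE = {v: k for k, v in SEVERITIES.items()}
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def severity_code(name):
    name = ALIASES.get(name, name)
    if name not in SEVERITIES:
        raise ValueError("unknown priority: %r" % name)
    return SEVERITIES[name]


def priority_matches(pri_part, severity):
    """'*' is everything, '=warn' is exactly warn, 'warn' is warn and every
    more severe level (lower code). The '!' exclusion form is not handled."""
    if pri_part == "*":
        return True
    if pri_part.startswith("="):
        return severity_code(severity) == severity_code(pri_part[1:])
    return severity_code(severity) <= severity_code(pri_part)


def rule_matches(selector_field, facility, severity):
    """Evaluate a full selector field such as '*.info;mail.none;cron.none'.
    Selectors apply left to right: a normal selector adds priorities for the
    facilities it names, 'none' removes them again (how 'mail.none' carves
    mail out of '*.info')."""
    matched = False
    for sel in selector_field.split(";"):
        fac_part, pri_part = sel.strip().rsplit(".", 1)
        fac_names = [f.strip() for f in fac_part.split(",")]
        if "*" not in fac_names and facility not in fac_names:
            continue
        matched = False if pri_part == "none" else (
            matched or priority_matches(pri_part, severity))
    return matched


def route(rules, facility, severity):
    """Every action that fires for one message. All matching lines fire, so
    'user.* @log_server' adds forwarding on top of the local file."""
    return [act for sel, act in rules if rule_matches(sel, facility, severity)]


def build_message(facility, severity, hostname, tag, text, when=None):
    """<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG. The HOSTNAME field is whatever
    the sender writes; plain UDP syslog authenticates neither it nor the
    source address, so accept 514/udp only from known clients."""
    when = when or datetime.now()
    pri = FACILITIES[facility] * 8 + severity_code(severity)
    stamp = "%s %2d %02d:%02d:%02d" % (MONTHS[when.month - 1], when.day,
                                       when.hour, when.minute, when.second)
    return ("<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, text)).encode()


_MSG = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
                  r"([^:\[]+)(?:\[(\d+)\])?: ?(.*)$", re.S)


def parse_message(datagram):
    """Split a received datagram back into its fields, decoding PRI."""
    m = _MSG.match(datagram.decode("utf-8", "replace"))
    if not m or int(m.group(1)) > 191:
        raise ValueError("not an RFC 3164 style message")
    fac, sev = divmod(int(m.group(1)), 8)
    return {"facility": FAC_BY_CODE.get(fac, str(fac)), "severity": SEV_BY_CODE[sev],
            "timestamp": m.group(2), "hostname": m.group(3), "tag": m.group(4),
            "pid": m.group(5), "message": m.group(6)}


def forward(datagram, server, port=514):
    """What '@log_server' does: one UDP datagram, no acknowledgement."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server, port))


# Constructed client syslog.conf: the stock Red Hat 'messages' and 'secure'
# lines plus the forwarding line from the post.
CLIENT_CONF = [("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
               ("authpriv.*", "/var/log/secure"),
               ("user.*", "@log_server")]

if __name__ == "__main__":
    # Loopback demo on an unprivileged port: no root and no real syslogd needed.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        forward(build_message("user", "notice", "log_client", "logger", "test"),
                "127.0.0.1", rx.getsockname()[1])
        data, (peer, _) = rx.recvfrom(8192)
    msg = parse_message(data)
    print("peer %s claims to be %s: %s.%s %s" % (peer, msg["hostname"],
          msg["facility"], msg["severity"], msg["message"]))
    print("client actions:", route(CLIENT_CONF, msg["facility"], msg["severity"]))
```

Run without arguments it sends one user.notice message to itself over loopback and shows both what the receiver sees (the UDP peer address next to the hostname the sender claimed) and which syslog.conf lines would fire for it on the client. The `rule_matches` function makes the point the selector syntax hides: `kern.warn` covers crit, alert and emerg as well, and `*.info;mail.none` is a grant followed by a removal.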
