Sending system messages to a central location.
Posted by Steve on Wed 6 Oct 2004 at 16:31
A Debian system keeps its main system logs in a handful of files:

/var/log/auth.log
/var/log/messages
/var/log/syslog
/var/log/kern.log

These files are controlled by the settings in /etc/syslog.conf, which defines which messages should be logged to a file and which ones should just be ignored.

Each message sent to the syslog server has two pieces of information associated with it in addition to the actual message: the name of the message type (called the facility) and a severity level for the message.

Syslog tends to be set up so that messages from particular services end up in dedicated files. A good example of this is the handling of mail logs. If you are running a mail server such as exim or sendmail, chances are that it will send messages to syslog with the facility set to 'mail'. These messages can all be written to a file with a setting such as this:
mail.*                          -/var/log/mail

This line in /etc/syslog.conf will allow all messages of type mail to be logged into the file /var/log/mail. The lines are matched by either facility or severity level. In this case we only care about the facility being 'mail', and we accept any severity, signified by '*'.

When you look after a group of machines, chances are you will not often look at the logfiles produced; even if you are keeping an eye upon logfiles, it's just too much effort to log in to multiple machines and watch the logfiles. An alternative approach is to cause all the log messages to be sent to a single machine, which can receive all logs and allow you to look at them all in one place.

This is one of the things that syslog-ng allows. Install it with apt-get install syslog-ng, then look at the configuration file /etc/syslog-ng/syslog-ng.conf.

For the machine which you intend to receive all the messages you will need to add an extra section to allow it to listen upon the network so that it can receive messages, and tell it where to put them. A minimal network log server will need the following lines added to it:
#
# If you wish to get logs from remote machine you will need this server
# to listen upon port 514.
#
source remote { tcp(port(514) keep-alive(no)); };
#
# Automatic host sorting
# Store all files beneath '/var/log/NAME OF MACHINE/facility'
# Create these directories if required, with the given permissions.
#
destination hosts { file("/var/log/HOSTS/$HOST/$FACILITY" owner(root)
group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
#
# log by host (as defined above) anything that's coming from the
# remote socket.
#
log { source(remote); destination(hosts); };
This sets up the server for receiving messages over the network, and storing them in a directory /var/log/HOSTS/ named after the hostname of the sending machine.
The next job is to install syslog-ng on the client machines, and then tell them to send their logs to the central server in addition to logging locally.
This can be achieved by adding the following lines to their syslog-ng.conf files:
#
# Log remotely
#
###############################################################
## The IP address of the loghost.
destination loghost {tcp("192.168.1.1" port(514));};
# send everything to loghost now that we've defined it.
log { source(src); destination(loghost); };
###############################################################
After restarting the syslog-ng processes on the server and the client with /etc/init.d/syslog-ng restart you should now see logfiles arriving.
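As an added example (not code from the article or from syslog-ng itself), the following Python shows how the facility and severity described above are carried in each syslog message, how a /etc/syslog.conf selector such as mail.* or *.err decides whether a line is logged, and how the server's $HOST/$FACILITY destination template is expanded for a received line. The facility and severity numbers are the standard BSD-syslog (RFC 3164) values; the sample log line is constructed for the demonstration.

```python
"""Added example, not from the original article: how facility and severity travel
in a syslog message and drive both /etc/syslog.conf selectors and the syslog-ng
'$HOST/$FACILITY' destination used by the article's log server. Facility and
severity numbers are the standard BSD-syslog (RFC 3164) values; the sample line
at the bottom is constructed for the demonstration."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Wire format: <PRI>Mon DD HH:MM:SS host tag: message
LINE_RE = re.compile(r"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): ?(.*)")

def decode_pri(value):
    """PRI is facility * 8 + severity, so divmod splits it back into names."""
    fac, sev = divmod(value, 8)
    return FACILITIES[fac], SEVERITIES[sev]

def selector_matches(selector, facility, severity):
    """Evaluate one syslog.conf selector such as 'mail.*', '*.err' or 'auth,authpriv.*'.
    As in syslogd, a named severity means that level or more urgent (a smaller
    number); '*' matches every level and 'none' matches nothing."""
    fac_part, sev_part = selector.rsplit(".", 1)
    facs = fac_part.split(",")
    if "*" not in facs and facility not in facs:
        return False
    if sev_part == "*":
        return True
    if sev_part == "none":
        return False
    return SEVERITIES.index(severity) <= SEVERITIES.index(sev_part)

def parse_line(line):
    """Return (facility, severity, host, tag, message) from a received line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    facility, severity = decode_pri(int(m.group(1)))
    return facility, severity, m.group(3), m.group(4), m.group(5)

def destination_path(line, template="/var/log/HOSTS/$HOST/$FACILITY"):
    """Expand the syslog-ng file() template the way the article's server does.
    The host comes from the message header, i.e. from the sender's own claim."""
    facility, _, host, _, _ = parse_line(line)
    return template.replace("$HOST", host).replace("$FACILITY", facility)

# Constructed sample: exim on 'mailhub' logging facility mail, severity info (PRI 22).
SAMPLE = "<22>Oct  6 16:31:05 mailhub exim[1234]: Completed"
```

Because the TCP listener above accepts cleartext lines from any host without authentication, the hostname that selects the $HOST directory is whatever the sender put in the header; keep port 514 reachable only from the machines that should be logging (a firewall rule or a management network) so that the per-host directories stay trustworthy.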
If you want more details on using the package you should look at the information contained in /usr/share/doc/syslog-ng and contained online at the syslog-ng homepage.
You can do this with syslog too!
For the host, the one that will be receiving the syslogs of other computers, syslogd needs to be started with the -r option to allow remote logging.
On the hosts that will be sending their logs, put an entry such as "*.* @loghost" inside syslog.conf to log everything remotely.
But (as far as I know) you can't have the log output from the different computers in different files.. At least I haven't figured out how.
I wonder if I could use this over shfs so that the server could be somewhere remote. I also wonder if, in the case the network is down, it can cache the unsent log stuff to be sent when available.
destination hosts { file("/var/log/HOSTS/$HOST/$FACILITY.log" owner(root)
group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
which creates /var/log/HOSTS/ip/facility.log rather than /var/log/HOSTS/ip/facility. Logcheck and alike will be happier with the file extension. cheers, piem
destination hosts { file("/var/log/HOSTS/$HOST/$FACILITY.log"); }; the default debian installation already has options for the rest and the only reason you'd do that is if you wanted different permissions to the logs than the default options. Why would anybody want that if they weren't specifically looking for it? Also like somebody else already said. (s_all) instead of (src) for the client machines these days...
# send everything to loghost now that we've defined it.
log { source(src); destination(loghost); };
to this:
log { source(s_all); destination(loghost); };
Hope that helps someone ;)
Don't forget to fix the errors it contains.