Posted by Steve on Wed 6 Oct 2004 at 16:31
Most administrators will be familiar with syslog. It is a standard Unix program which is in charge of handling different log or notice messages and sending them to a file where they may be examined. The files produced vary from system to system but tend to include:

/var/log/auth.log
/var/log/messages
/var/log/syslog
/var/log/kern.log

These files are controlled by the settings in /etc/syslog.conf, which defines which messages should be logged to a file, and which ones should just be ignored.

Each message sent to the syslog server has two pieces of information associated with it in addition to the actual message: the name of the message type (called the facility) and a severity level for the message.

Syslog tends to be set up so that messages from particular services end up in dedicated files. A good example of this is the handling of mail logs. If you are running a mail server such as exim or sendmail, chances are that it will send messages to syslog with the facility set to 'mail'. These messages can all be written to a file with a setting such as this:
mail.* -/var/log/mail

This line in /etc/syslog.conf will allow all messages of type mail to be logged into the file /var/log/mail. The lines are matched by either facility or severity level. In this case we only care about the facility being 'mail', and we accept any severity, signified by '*'.

When you look after a group of machines, chances are you will not often look at the logfiles produced; even if you are keeping an eye upon logfiles, it's just too much effort to login to multiple machines and watch them. An alternative approach is to cause all the log messages to be sent to a single machine, which can receive all logs and allow you to look at them all in one place. This is one of the things that syslog-ng allows. Install it with apt-get install syslog-ng, then look at the configuration file /etc/syslog-ng/syslog-ng.conf.

For the machine which you intend to receive all the messages you will need to add an extra section to allow it to listen upon the network so that it can receive messages, and tell it where to put them. A minimal network log server will need the following lines added to it:
#
# If you wish to get logs from remote machine you will need this server
# to listen upon port 514.
#
source remote { tcp(port(514) keep-alive(no)); };
#
# Automatic host sorting
# Store all files beneath '/var/log/HOSTS/NAME OF MACHINE/FACILITY'.
# Create these directories if required, with the given permissions.
#
destination hosts { file("/var/log/HOSTS/$HOST/$FACILITY" owner(root)
group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
#
# log by host (as defined above) anything that's coming from the
# remote socket.
#
log { source(remote); destination(hosts); };
This sets up the server for receiving messages over the network, and storing them in a directory /var/log/HOSTS/ named after the hostname of the sending machine.
The next job is to install syslog-ng on the client machines, and then tell them to send their logs to the central server in addition to logging locally.
This can be achieved by adding the following lines to their syslog-ng.conf files:
#
# Log remotely
#
###############################################################
## The IP address of the loghost.
destination loghost {tcp("192.168.1.1" port(514));};
# send everything to loghost now that we've defined it.
log { source(src); destination(loghost); };
###############################################################
After restarting the syslog-ng processes on the server and the client with /etc/init.d/syslog-ng restart you should now see logfiles arriving.
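To make the facility and severity handling described above concrete, here is an added example (not part of the original article or of syslog-ng itself) that builds and parses BSD-syslog lines of the kind a client would send to the loghost on TCP port 514, and applies a syslog.conf selector such as "mail.*" to them. The sample message, hostname and process tag are constructed for illustration; the selector semantics (a named level matches that severity and every more serious one) are those of a standard syslogd.

```python
import socket
from datetime import datetime

# Facility and severity codes of the BSD syslog protocol (RFC 3164); the
# PRI value that opens each message on the wire is facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

def encode_pri(facility, severity):
    """mail.info -> 2 * 8 + 6 = 22."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

def decode_pri(pri):
    """Split a PRI value back into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return (FACILITY_NAMES.get(pri // 8, f"facility{pri // 8}"),
            SEVERITY_NAMES[pri % 8])

def format_message(facility, severity, hostname, tag, text, when):
    """One BSD-syslog line as a client emits it: <PRI>TIMESTAMP HOST TAG: MSG."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{encode_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"

def parse_message(line):
    """Parse a line received by the loghost; reject malformed PRI rather than guess."""
    end = line.find(">", 1, 5)
    if not line.startswith("<") or end < 0 or not line[1:end].isdigit():
        raise ValueError("missing or malformed PRI")
    fac, sev = decode_pri(int(line[1:end]))
    body = line[end + 1:]
    hostname, _, msg = body[16:].partition(" ")  # 15-char timestamp, then a space
    return {"facility": fac, "severity": sev, "timestamp": body[:15],
            "host": hostname, "msg": msg}

def selector_matches(selector, facility, severity):
    """syslog.conf selector 'FACILITY.LEVEL'; '*' is a wildcard on either side."""
    fac, _, lvl = selector.partition(".")
    if fac != "*" and fac != facility:
        return False
    return lvl == "*" or SEVERITIES[severity] <= SEVERITIES[lvl]

def send_tcp(line, host, port=514):
    """Deliver one line to a loghost configured with tcp(port(514))."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall((line + "\n").encode())

# Constructed sample: what a mail server on a client machine would log.
SAMPLE = format_message("mail", "info", "mailhost", "exim[1234]",
                        "message delivered", datetime(2004, 10, 6, 16, 31))
```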
If you want more details on using the package you should look at the information contained in /usr/share/doc/syslog-ng and contained online at the syslog-ng homepage.
This article can be found online at the Debian Administration website at the following bookmarkable URL:
This article is copyright 2004 Steve - please ask for permission to republish or translate.