How to configure syslog server in Linux

Setting Up A Central Syslog Server:-

This post shows how to set up a syslog server that collects the logs of one or more Unix systems, on Fedora Core and Ubuntu/Debian.

Linux systems already have syslog installed, so no extra package is needed.

Configure the Server Computers:-

First stop the syslog daemon:

#service syslog stop

If that fails, go for the old-school kill command:

#ps axfu | grep syslog

Copy the PID (the number in the second column) from the syslog line and run

#kill -9 PID

On Fedora Core, open /etc/sysconfig/syslog with your favorite text editor and find the line

SYSLOGD_OPTIONS="-m 0"

Replace it with

SYSLOGD_OPTIONS="-rm 0"

The added “-r” flag tells syslogd to accept log messages arriving from the network (UDP port 514); “-m 0” only disables the periodic MARK lines.

Restart the syslog daemon

#service syslog restart

You should see a message similar to “syslog restarted (remote reception)” when executing the command

#tail /var/log/messages

On Ubuntu/Debian there is no /etc/sysconfig/syslog; instead, either find the syslog RC (init) script, edit it and add the “-r” flag to the syslog options or, if you’ve used the old-school kill command, simply start syslog manually:

#syslogd -r

In the final step, you’ll have to make sure the firewall isn’t blocking the incoming packets. Simply run this iptables command; “-I” inserts the rule at the top of the INPUT chain, so it takes precedence over any existing rule.

#iptables -I INPUT -p udp -i eth0 -s 10.10.10.2 -d 10.10.10.1 --dport 514 -j ACCEPT

This rule will ensure that the syslog server (10.10.10.1) will receive UDP packets (containing log events) from the CLIENT (10.10.10.2). Because plain UDP syslog carries no authentication, the “-s” source-address match is the only thing limiting which hosts can deliver messages, so do not widen it to a whole network without a reason.

You MUST replace these IP addresses with the correct ones. Also, you will have to re-execute this command for every other client PC you may have (10.10.10.3, 10.10.10.4 etc).

Configure the CLIENT computers:-

The client computers are configured to send every logged event to the syslog server as soon as it occurs. To do this, edit the file /etc/syslog.conf on every client computer and add this line to the file:

*.* @10.10.10.1

Again, replace the example IP address with the syslog server’s correct IP address.

Restart syslog on every client you’ve edited:

#service syslog restart

Make sure the client machine is allowed by the firewall to send UDP packets. Again, you can easily override any existing rule by inserting this iptables rule at the top of the OUTPUT chain (note that outgoing traffic is matched on the outgoing interface with “-o”, not “-i”):

#iptables -I OUTPUT -p udp -o eth0 -s 10.10.10.2 -d 10.10.10.1 --dport 514 -j ACCEPT

This is it. If everything was done correctly, the syslog server should start receiving log events. To watch them arrive, run

#tail -f /var/log/messages
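As an added example, not part of the original post, the shell helpers below apply the server and client steps above to any number of clients, with the config edit made idempotent and the firewall rules printed for review before they are executed. It assumes the Fedora-style /etc/sysconfig/syslog file and the eth0 interface used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): helpers that apply the syslog
# server and client steps to a list of clients. Assumes /etc/sysconfig/syslog
# (Fedora Core layout) and the eth0 interface, as in the post.
set -eu

# Turn SYSLOGD_OPTIONS="-m 0" into SYSLOGD_OPTIONS="-rm 0" in the file given
# as $1, keeping a .bak copy. Idempotent: a file that already carries -r is
# left alone, so running this twice does not mangle the options line.
enable_remote_reception() {
    cfg="$1"
    cp -p "$cfg" "$cfg.bak"
    if grep -q '^SYSLOGD_OPTIONS=".*-r' "$cfg"; then
        return 0
    fi
    sed 's/^SYSLOGD_OPTIONS="-m 0"/SYSLOGD_OPTIONS="-rm 0"/' "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
    grep -q '^SYSLOGD_OPTIONS="-rm 0"' "$cfg"   # fail loudly if the edit missed
}

# Server side: the INPUT rule accepting UDP 514 from one client.
# Usage: server_accept_rule SERVER_IP CLIENT_IP (printed, not executed).
server_accept_rule() {
    printf 'iptables -I INPUT -p udp -i eth0 -s %s -d %s --dport 514 -j ACCEPT\n' "$2" "$1"
}

# Client side: the matching OUTPUT rule (outgoing interface is matched with -o
# in the OUTPUT chain) and the /etc/syslog.conf line that forwards every event.
client_output_rule() {
    printf 'iptables -I OUTPUT -p udp -o eth0 -s %s -d %s --dport 514 -j ACCEPT\n' "$2" "$1"
}
client_forward_line() {
    printf '*.* @%s\n' "$1"
}

# One INPUT rule per client: server_rules SERVER_IP CLIENT_IP...
server_rules() {
    server="$1"; shift
    for c in "$@"; do
        server_accept_rule "$server" "$c"
    done
}

# Applying it on the server with the addresses used in the post (replace
# them with your own), after reviewing the printed rules:
#   enable_remote_reception /etc/sysconfig/syslog
#   server_rules 10.10.10.1 10.10.10.2 10.10.10.3 | sh
#   service syslog restart
```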

Thanks,
Vishal Vyas