Syslog
Setting Up A Central Syslog Server
This guide shows how to set up a central syslog server for one or more Unix systems, on Fedora Core and Ubuntu/Debian.
Linux systems already have syslog installed.
Configure the Server Computers:-
Stop the running syslog daemon:
#service syslog stop
If that fails, go for the old-school kill command:
#ps axfu | grep syslog
Copy the PID (the number in the second column) from the syslogd line and run
#kill -9 PID
Open /etc/sysconfig/syslog with your favorite text editor and find the line
SYSLOGD_OPTIONS="-m 0"
Replace it with
SYSLOGD_OPTIONS="-rm 0"
Restart the syslog daemon
#service syslog restart
Check that the daemon came back up with remote reception enabled:
#tail /var/log/messages
You should see a message similar to “syslog restarted (remote reception)”.
On systems without /etc/sysconfig/syslog (Ubuntu/Debian), either find the syslog init (rc) script, edit it and add the “-r” flag to the syslog options, or, if you used the old-school kill command, simply start syslogd manually with the flag:
#syslogd -r
In the final step, make sure the firewall isn’t blocking the incoming packets. Run this iptables command; -I inserts the rule at the top of the INPUT chain, so it takes precedence over any existing rule:
#iptables -I INPUT -p udp -i eth0 -s 192.168.1.2 -d 192.168.1.1 --dport 514 -j ACCEPT
This rule ensures that the syslog server (192.168.1.1) accepts UDP packets (containing log events) on port 514 only from the CLIENT (192.168.1.2). Keep the source restriction: with -r, syslogd itself accepts messages from any host that can reach port 514, so the firewall is what limits who can write into your logs.
You MUST replace these IP addresses with the correct ones. Also, you will have to re-execute this command for every other client PC you may have (192.168.1.3, 192.168.1.4 etc).
Configure the CLIENT computers:-
The client computers are configured to send any logged event to the syslog server, immediately as the events occur. To do this, edit the file /etc/syslog.conf on every client computer and add this line in the file
*.* @192.168.1.1
Again, replace the example IP address with the syslog server’s correct IP address.
Restart syslog on every client you’ve edited:
#service syslog restart
Make sure the client machine’s firewall allows it to send UDP packets to the server. Again, -I puts the rule ahead of any existing rule. Note that the OUTPUT chain matches on the outgoing interface, so it takes -o rather than -i (iptables rejects -i in OUTPUT):
#iptables -I OUTPUT -p udp -o eth0 -s 192.168.1.2 -d 192.168.1.1 --dport 514 -j ACCEPT
That’s it. If everything was done correctly, the syslog server should start receiving log events. To view them, run:
#tail -f /var/log/messages
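As an added example (not from the original post), the server and client steps above packaged as a small POSIX shell script. Each function takes the config file or the addresses it acts on as arguments, so the SYSLOGD_OPTIONS edit can be rehearsed on a copy before touching /etc/sysconfig/syslog, and the per-client INPUT rules are generated from a list instead of retyped. The addresses and interface name are the post’s example values; the function names and the address shape check are my own.

```shell
#!/bin/sh
# Added example (not from the original post).  Helpers for the server and
# client steps; every function takes the file or addresses to act on as
# arguments so it can be tried on a temporary copy first.

# Does this sysconfig file already start syslogd with -r (remote reception)?
# Prints yes/no and returns 0/1.
remote_reception_enabled() {
    if grep -q '^SYSLOGD_OPTIONS="[^"]*-[a-zA-Z]*r' "$1"; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# Add -r to SYSLOGD_OPTIONS in a sysconfig-style file (e.g. /etc/sysconfig/syslog).
# "-m 0" becomes "-rm 0" and an empty option string becomes "-r"; a file that
# already has -r is left untouched, so the function is safe to re-run.
enable_remote_reception() {
    conf="$1"
    if remote_reception_enabled "$conf" >/dev/null; then
        return 0
    fi
    sed -e 's/^SYSLOGD_OPTIONS="-\(.*\)"$/SYSLOGD_OPTIONS="-r\1"/' \
        -e 's/^SYSLOGD_OPTIONS=""$/SYSLOGD_OPTIONS="-r"/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# The line each client appends to /etc/syslog.conf: forward every facility at
# every priority to the server.  Older sysklogd versions insist on a tab
# between selector and action, so a tab is emitted rather than spaces.
client_forward_line() {
    printf '*.*\t@%s\n' "$1"
}

# Shape check for a dotted-quad address before it is spliced into a command.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# server_rules_for_clients SERVER IFACE CLIENT...: print one INPUT rule per
# client, each restricted to that client's address, so the server never
# accepts UDP 514 from arbitrary hosts.  Pipe the output to sh to apply it.
server_rules_for_clients() {
    server="$1"; iface="$2"; shift 2
    is_ipv4 "$server" || { echo "bad server address: $server" >&2; return 1; }
    for client in "$@"; do
        is_ipv4 "$client" || { echo "bad client address: $client" >&2; return 1; }
        echo "iptables -I INPUT -p udp -i $iface -s $client -d $server --dport 514 -j ACCEPT"
    done
}

# client_rule SERVER CLIENT IFACE: the matching OUTPUT rule for one client.
# OUTPUT matches on the outgoing interface, so it takes -o, not -i.
client_rule() {
    echo "iptables -I OUTPUT -p udp -o $3 -s $2 -d $1 --dport 514 -j ACCEPT"
}

# Example run (assumed addresses from the post):
#   cp /etc/sysconfig/syslog /tmp/syslog.test && enable_remote_reception /tmp/syslog.test
#   server_rules_for_clients 192.168.1.1 eth0 192.168.1.2 192.168.1.3 | sh
#   client_forward_line 192.168.1.1 >> /etc/syslog.conf   # on each client
```

The rule generator refuses anything that is not a dotted quad, which matters because the address is interpolated straight into a command line; the INPUT rules stay per-client on purpose, since a blanket accept on UDP 514 would let any host on the segment write into the server’s logs.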
Getting Familiar with Linux Logs:-
Discover the basics of viewing and searching through common Linux log files on the command line as well as through a GUI, and discover one of the coolest visualizations for Apache log files.
In almost all Linux distributions the log files are stored in the ‘/var/log’ directory. You can learn more about the Linux directory structure in this article.
A common way to watch log files is to use tail with the -f flag. Most log files are protected, so you will need elevated privileges to view them.
Running tail -f on the authentication log, for example, shows the last few logins and displays new ones as they are authenticated. Press Ctrl+C to quit.
An even better way is to use less with the +F option.
This does the same thing as tail -f but it also shows the entire file: press Ctrl+C to stop following and navigate around the log file, and when you want to view the log in real time again just type a capital F.
Common Log Files
- auth.log – Authentication info
- boot.log – Boot info
- crond – Scheduled cron tasks
- daemon.log – Daemon-specific messages from services such as dhcpd, gnome-session, ntfs-3g
- dmesg – Kernel specific messages
- errors.log – As you may have guessed, this logs errors
- everything.log – A miscellaneous catch-all log
- httpd – Apache access and error logs
- mail.log – Mail server logs
- messages.log – General system alerts
- mysqld.log – MySQL database log
- secure – Security log
- syslog.log – A log for the log system
- vsftpd.log – A log for the FTP server, vsftpd
- Xorg.0.log – X log
You will probably quickly notice that there are a lot of duplicate-looking files in /var/log with numbers at the end of them. Some of them might even have .gz at the end. These are called rotated logs. Usually the log rotator ‘logrotate’ is responsible for rotating old logs at the interval specified in ‘/etc/logrotate.conf’. For more information about logrotate, run ‘man logrotate’.
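As an added example (not from the original article), a POSIX shell script that searches a log together with all of its rotated copies, decompressing the .gz ones on the fly, and then tallies failed SSH password attempts by source address across the whole set, so a burst that logrotate has already split across files is still counted as one. The sample log lines it writes are constructed for the demo, not real data; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): search a log and all of its
# rotated copies so an investigation does not miss events that logrotate has
# already moved out of the live file.

# Print a log file's contents, decompressing it if logrotate gzipped it.
cat_log() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# grep_rotated PATTERN LOGFILE: grep LOGFILE and every LOGFILE.* sibling
# (auth.log, auth.log.1, auth.log.2.gz, ...), prefixing each match with the
# file it came from so you can see which rotation holds the event.
grep_rotated() {
    pattern="$1"; base="$2"
    for f in "$base" "$base".*; do
        [ -f "$f" ] || continue
        cat_log "$f" | grep -e "$pattern" | while IFS= read -r line; do
            printf '%s: %s\n' "$f" "$line"
        done
    done
}

# Total number of matching lines across the live file and all rotations.
count_rotated() {
    grep_rotated "$1" "$2" | wc -l | tr -d ' '
}

# Failed SSH password attempts per source address, most frequent first:
# a quick way to spot a brute-force source even when part of the burst has
# already been rotated out of auth.log.
failed_by_source() {
    grep_rotated 'Failed password' "$1" \
        | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample data (not real logs): a live auth.log plus two rotations,
# one of them gzipped, written into DIR.
make_sample_logs() {
    dir="$1"
    printf '%s\n' \
        'Mar  1 10:00:01 host sshd[100]: Failed password for invalid user admin from 192.0.2.10 port 4000 ssh2' \
        'Mar  1 10:00:05 host sshd[101]: Accepted publickey for alice from 192.0.2.20 port 4001 ssh2' \
        > "$dir/auth.log"
    printf '%s\n' \
        'Feb 28 23:59:50 host sshd[90]: Failed password for root from 192.0.2.10 port 3999 ssh2' \
        > "$dir/auth.log.1"
    printf '%s\n' \
        'Feb 27 08:15:00 host sshd[80]: Failed password for root from 192.0.2.11 port 3000 ssh2' \
        'Feb 27 08:16:00 host CRON[81]: pam_unix(cron:session): session opened for user root' \
        | gzip -c > "$dir/auth.log.2.gz"
}

# Example run:
#   d=$(mktemp -d); make_sample_logs "$d"
#   grep_rotated 'Failed password' "$d/auth.log"
#   failed_by_source "$d/auth.log"     # 2 192.0.2.10 / 1 192.0.2.11
```

On a real system point the functions at /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (Fedora) with elevated privileges; the file-name prefix in the output tells you whether an event is in the live log or in a rotation, which also tells you how old it is relative to the logrotate schedule.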

Do you know if there is an easy way to add files for syslog to watch? Say /usr/my/log.log. I can write a script to see if the file has changed from one minute to the next, but it seems that syslog would have some facility to monitor certain files.
Hello vishal,
I have seen your blog; it’s so nice, I got a lot of good information from your blog. Thanks, dear.
Welcome, friend.
Nice Work. Well Done