Syslog


Setting Up A Central Syslog Server

This page describes how to set up a central syslog server that collects logs from one or more Unix systems, on Fedora Core and Ubuntu/Debian.

Nearly all Linux distributions ship a syslog daemon. This guide covers the classic sysklogd syslogd, which is what Fedora Core and Debian/Ubuntu shipped at the time; newer releases ship rsyslog instead, which does not take the -r flag used below and enables UDP reception in /etc/rsyslog.conf with $ModLoad imudp and $UDPServerRun 514.

Configure the Server Computers:-

Stop the running syslog daemon:

#service syslog stop

If the service script fails, go for the old-school kill command. Find the daemon:

#ps axfu | grep syslog

copy the PID (the number in the second column) from the syslogd line and

#kill -9 PID

(Try a plain kill PID first: that sends SIGTERM and lets syslogd close its log files cleanly. Reach for -9 only if the process does not exit.)

Open /etc/sysconfig/syslog with your favorite text editor and find the line

SYSLOGD_OPTIONS="-m 0"

Replace it with

SYSLOGD_OPTIONS="-rm 0"

(-r tells syslogd to accept messages from the network on UDP port 514; -m 0, which was already there, turns off the periodic "-- MARK --" lines.)

Restart the syslog daemon

#service syslog restart

You should see a line ending in “restart (remote reception).” when executing the command

#tail /var/log/messages

On Ubuntu/Debian there is no /etc/sysconfig/syslog. Either find the file the init script reads its options from (for the sysklogd package this is /etc/default/syslogd, where the SYSLOGD= variable holds the options), add the “-r” flag there and restart syslog, or, if you've used

the old-school kill command, simply start syslog manually

#syslogd -r

In the final step, make sure the firewall isn't blocking the incoming packets. -I INPUT inserts the rule at the top of the chain, so it takes precedence over any rule already there:

#iptables -I INPUT -p udp -i eth0 -s 192.168.1.2 -d 192.168.1.1 --dport 514 -j ACCEPT

This rule lets the syslog server (192.168.1.1) receive UDP packets (the log events) on port 514 from the CLIENT (192.168.1.2), arriving on eth0.

You MUST replace these IP addresses (and the interface name) with the correct ones. Also, you will have to re-execute this command for every other client PC you may have (192.168.1.3, 192.168.1.4 etc). Keep the -s match: syslog over UDP carries no authentication at all, so the source address is the only thing deciding who may write to your central log. Without it, any host that can reach port 514 can flood the server or inject forged entries (and even with it, a host on the same network can spoof the source address, so keep the server on a trusted segment). Rules added this way are also gone after a reboot unless you save them (service iptables save on Fedora).

Configure the CLIENT computers:-

The client computers are configured to send every logged event to the syslog server as soon as it occurs. To do this, edit the file /etc/syslog.conf on every client computer and add this line to the file

*.* @192.168.1.1

*.* selects every facility and every priority, and the @ prefix tells syslogd to forward over UDP to the named host (port 514). The line is additive: the existing rules keep writing the local copies, so a client still has its own logs if the server is unreachable (UDP forwarding is fire-and-forget and gives no indication when packets are lost). Be aware that everything, authentication messages included, crosses the network in cleartext.

Again, replace the example IP address with the syslog server's correct IP address.

Restart syslog on every client you've edited.

#service syslog restart

Make sure the client machine is allowed by the firewall to send UDP packets to the server. As before, inserting the rule puts it ahead of any existing rule. Note that the OUTPUT chain matches on the outgoing interface, so the flag is -o, not -i (iptables rejects -i in OUTPUT).

#iptables -I OUTPUT -p udp -o eth0 -s 192.168.1.2 -d 192.168.1.1 --dport 514 -j ACCEPT

This is it. If everything was done correctly, log events from the clients should start arriving at the syslog server. To view them as they come in, run

#tail -f /var/log/messages
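What the client's *.* @192.168.1.1 line actually puts on the wire, and what the server end has to trust, shown as an added example in Python (this is not code from the original post or from sysklogd). It builds an RFC 3164 datagram the way syslogd forwards it, parses it the way a receiver would, decoding PRI into facility and severity, and runs both halves over loopback on an ephemeral port so it needs neither root nor a second machine; the loopback address and port, the hostname client1 and the sample message are assumptions of the example. The point it makes: nothing in the datagram authenticates the sender, so a receiver's allow-list (like the -s match in the iptables rule) has to key on the network source address, never on the hostname inside the message.

```python
"""Added example (not from the original post): the client side and the server
side of BSD-syslog (RFC 3164) over UDP, as set up in the tutorial above.
Datagram format: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MESSAGE, PRI = facility*8 + severity.
"""
import re
import socket
import time

SYSLOG_PORT = 514  # what syslogd's "@host" action sends to

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def now_stamp():
    """RFC 3164 timestamp; the day of month is space-padded ("Dec  3")."""
    t = time.localtime()
    return f"{MONTHS[t.tm_mon - 1]} {t.tm_mday:2d} {t.tm_hour:02d}:{t.tm_min:02d}:{t.tm_sec:02d}"


def build_message(facility, severity, hostname, tag, text, stamp=None):
    """Client side: format one line the way syslogd forwards it."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return f"<{facility * 8 + severity}>{stamp or now_stamp()} {hostname} {tag}: {text}"


_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_message(data):
    """Server side: decode one datagram. Returns None for anything malformed
    (a real receiver should count those rather than drop them silently)."""
    if isinstance(data, bytes):
        data = data.decode("utf-8", errors="replace")
    m = _LINE.match(data)
    if m is None or int(m.group("pri")) > 191:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),  # sender-supplied and unverified
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def send_message(server_ip, line, port=SYSLOG_PORT):
    """Fire-and-forget UDP send, exactly what the "@host" action does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (server_ip, port))


def receive_one(sock, allowed):
    """One pass of a receiver loop on an already bound UDP socket. The allow-list
    is checked against the network source address (what iptables -s sees); the
    hostname inside the datagram is attacker-controlled and is never used here."""
    data, (src_ip, _) = sock.recvfrom(65535)
    if src_ip not in allowed:
        return ("dropped", src_ip, None)
    return ("accepted", src_ip, parse_message(data))


def loopback_roundtrip():
    """Both halves on 127.0.0.1 with an ephemeral port (assumption: no root,
    no second host). Returns (verdict, source_ip, parsed_message)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(5.0)
        port = srv.getsockname()[1]
        line = build_message(4, 6, "client1", "sshd[1234]",
                             "Accepted publickey for alice from 192.168.1.2 port 51022 ssh2")
        send_message("127.0.0.1", line, port)
        return receive_one(srv, allowed={"127.0.0.1"})


if __name__ == "__main__":
    verdict, src, parsed = loopback_roundtrip()
    print(verdict, "from", src)
    for key, value in parsed.items():
        print(f"  {key:9} {value}")
```

Run it as a script to watch the round trip. To reproduce the client's forwarding by hand against a real server, call send_message with the server address and port 514 (or simply use the logger command on a real client); the parser rejects a PRI above 191 and any line that does not carry a TAG, which is where a stricter receiver would start counting malformed input.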


Getting Familiar with Linux Logs:-

The basics of viewing and searching through common Linux log files on the command line.

In almost all Linux distributions the log files are stored in the ‘/var/log‘ directory.

A common way to watch a log file is tail with the -f flag. Most log files are protected, so you will need elevated privileges to view them.

Show the last few authentication events and display new ones as they are logged. Ctrl + C to quit. (On Fedora/RHEL the same file is /var/log/secure.)

sudo tail -f /var/log/auth.log

An even better way is to use less with the +F option.

sudo less +F /var/log/auth.log

This does the same thing as tail -f, but the entire file is available: press Ctrl + C to stop following and navigate around the log file, and when you want to follow the log in real time again just type a capital F.

Common Log Files

The exact names vary between distributions; this list mixes Debian/Ubuntu, Fedora/RHEL and Arch names.

  • auth.log – Authentication info (logins, sudo, PAM); the Fedora/RHEL equivalent is secure
  • boot.log – Boot info
  • crond – Scheduled cron tasks
  • daemon.log – Daemon-specific messages from e.g. dhcpd, gnome-session, ntfs-3g
  • dmesg – Kernel ring-buffer messages
  • errors.log – As you may have guessed, this logs errors
  • everything.log – A misc. catch-all log
  • httpd – Directory holding the Apache access and error logs (apache2 on Debian/Ubuntu)
  • mail.log – Mail server logs
  • messages.log – General system messages (messages on Fedora/RHEL, syslog on Debian/Ubuntu)
  • mysqld.log – MySQL database log
  • secure – Authentication and authorization log on Fedora/RHEL (the counterpart of auth.log)
  • syslog.log – A log for the log system itself
  • vsftpd.log – A log for the FTP server, vsftpd
  • Xorg.0.log – X server log

You will probably quickly notice that there are a lot of duplicate-looking files in /var/log with numbers at the end of them, and some of them even end in .gz. These are called rotated logs. Usually the log rotator ‘logrotate‘ is responsible for rotating old logs at the interval specified in ‘/etc/logrotate.conf‘ and in the per-service snippets under ‘/etc/logrotate.d/‘. The compressed ones can be searched without unpacking them first, using zgrep, zcat or zless. For more information about logrotate do, ‘man logrotate‘.
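Searching through a log and its rotated copies, as an added example in Python (not code from the original post): it counts sshd "Failed password" lines per source address across auth.log, auth.log.1, auth.log.2.gz and so on, reading the compressed rotations in place, and flags addresses at or above a threshold. The sample lines, the directory layout, the threshold of 3 and the addresses are constructed for the example.

```python
"""Added example (not from the original post): grep-style search across a log
and its rotated copies (auth.log, auth.log.1, auth.log.2.gz ...) for failed
SSH logins, counted per source address. The sample lines below are constructed."""
import gzip
import os
import re
import tempfile
from collections import Counter

# sshd's "Failed password" line, for both existing and "invalid user" accounts.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def rotated_files(logdir, base="auth.log"):
    """base, base.N, base.N.gz, plus logrotate's dateext form base-YYYYMMDD[.gz]."""
    pat = re.compile(re.escape(base) + r"(?:[.-]\d+(?:\.gz)?)?")
    return sorted(os.path.join(logdir, n) for n in os.listdir(logdir) if pat.fullmatch(n))


def read_lines(path):
    """Yield lines from a plain or gzip-compressed log, without unpacking to disk."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            yield line.rstrip("\n")


def count_failed_logins(logdir, base="auth.log"):
    """Failed-password attempts per source IP across every rotation of the log."""
    counts = Counter()
    for path in rotated_files(logdir, base):
        for line in read_lines(path):
            m = FAILED.search(line)
            if m:
                counts[m.group("ip")] += 1
    return counts


def suspicious_sources(counts, threshold=3):
    """Addresses at or above the threshold, busiest first."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ranked if n >= threshold]


# Constructed sample logs (not real captures); 203.0.113.0/24 is a documentation range.
SAMPLE = {
    "auth.log": [
        "Dec  3 08:05:09 server sshd[2201]: Accepted publickey for alice from 192.168.1.2 port 51022 ssh2",
        "Dec  3 08:07:41 server sshd[2210]: Failed password for root from 203.0.113.7 port 40123 ssh2",
        "Dec  3 08:07:44 server sshd[2210]: Failed password for root from 203.0.113.7 port 40123 ssh2",
    ],
    "auth.log.1": [
        "Dec  2 23:58:13 server sshd[2100]: Failed password for bob from 192.168.1.2 port 50000 ssh2",
        "Dec  2 23:59:01 server sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 39990 ssh2",
    ],
    "auth.log.2.gz": [
        "Dec  1 12:00:00 server sshd[1900]: Failed password for invalid user test from 203.0.113.7 port 39000 ssh2",
        "Dec  1 12:00:05 server CRON[1910]: pam_unix(cron:session): session opened for user root by (uid=0)",
    ],
}


def write_sample(logdir):
    """Lay the sample out the way logrotate leaves it, compressing the .gz one."""
    for name, lines in SAMPLE.items():
        opener = gzip.open if name.endswith(".gz") else open
        with opener(os.path.join(logdir, name), "wt", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")


def demo():
    """Build the sample in a temp dir and return (counts per IP, flagged IPs)."""
    with tempfile.TemporaryDirectory() as logdir:
        write_sample(logdir)
        counts = count_failed_logins(logdir)
        return dict(counts), suspicious_sources(counts)


if __name__ == "__main__":
    counts, flagged = demo()
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{ip:16} {n} failed password attempts")
    print("at or above threshold:", flagged)
```

Point count_failed_logins at /var/log (run as root or via sudo, since the files are protected) to use it on a real system; the rotated copies are included automatically, which is the part a plain grep on auth.log misses.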


6 Responses to “Syslog”

  1. BGruff December 16, 2010 at 11:38 am #

    Do you know if there is an easy way to add files for syslog to watch? Say /usr/my/log.log. I can write a script to see if the file has changed from one minute to the next, but it seems that syslog would have some facility to monitor certain files.

  2. Amit January 1, 2011 at 9:06 pm #

    Hello vishal,

    I have seen your blog. It's so nice; I got a lot of good information at your blog. Thanks, dear 🙂

  3. Vishal Vyas January 3, 2011 at 6:07 am #

    Welcome Friend………………

  4. Qarar January 6, 2012 at 1:20 pm #

    Nice Work. Well Done

  5. insurance June 5, 2013 at 8:59 am #

    I was suggested this web site by my cousin. I'm not sure whether this post is written by him, as nobody else knows such detail about my difficulty. You're amazing!
    Thanks!

  6. Kaminomoto July 1, 2013 at 12:25 pm #

    You have made some decent points there. I looked on the web for
    additional information about the issue and found most people will go along with your
    views on this web site.
