Syslog config:
Features:
1. Logs daemon information
2. Logs remotely
3. Accepts, if configured, logs
fromremote hosts: i.e. routers, switches, firewalls, content
switches, Linux Hosts, etc.,
4. Supports: Unix Domain Sockets
(/dev/log)
5. Supports: Internet Sockets:
(UDP:514) and/or (TCP:514)
Centralized log server (syslog server)
Suppose we have a server and 5 client machines. And we want to
monitor the logs of all those client machines. In situations like
this, we will use centralized server as a log server. Whatever events
are happening in client machines, the logs will be sent to the
server. So that we can monitor all the logs from a centralized
server. We make use of syslog service for this.
Features of syslog:
1. Logs the daemon information to localhost
2. Logs the daemon information to Remote host
3. Logs the daemon information to List of users
4. Logs the daemon information to console
1. Logs the daemon information to localhost
2. Logs the daemon information to Remote host
3. Logs the daemon information to List of users
4. Logs the daemon information to console
Instaltion Package is
sysklogd
[root@apache ~]# rpm -q sysklogd
sysklogd-1.4.1-44.el5
[root@apache ~]#
Or you can check as follows:
[root@apache ~]# rpm -qf /etc/syslog.conf
sysklogd-1.4.1-44.el5
[root@apache ~]#
Starting the syslog daemon
[root@apache ~]# /etc/init.d/syslog start
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
[root@apache ~]#
Checking the process name. it is syslogd
[root@apache ~]# ps -ax | grep syslog
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
5190 ? Ss 0:00 syslogd -m 0
5210 pts/0 S+ 0:00 grep syslog
[root@apache ~]#
[root@apache ~]# rpm -q sysklogd
sysklogd-1.4.1-44.el5
[root@apache ~]#
Or you can check as follows:
[root@apache ~]# rpm -qf /etc/syslog.conf
sysklogd-1.4.1-44.el5
[root@apache ~]#
Starting the syslog daemon
[root@apache ~]# /etc/init.d/syslog start
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
[root@apache ~]#
Checking the process name. it is syslogd
[root@apache ~]# ps -ax | grep syslog
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
5190 ? Ss 0:00 syslogd -m 0
5210 pts/0 S+ 0:00 grep syslog
[root@apache ~]#
Configuration of server machine(syslog server)
Service name: syslog
configuration file: /etc/sysconfig/syslog
Steps:
1. Open the /etc/sysconfig/syslog file and add "-r"
option to the variable SYSLOGD_OPTIONS as shown below.
[root@server ~]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode,
and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and
"other".
[root@server ~]#
2. Restart the syslog service.
[root@server ~]# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
[root@server ~]#
Configuration for client machines
service name: syslog
Configuration file: /etc/syslog.conf
The configuration file /etc/syslog.conf has two parts
Eg:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
[selector field(Facility.priority)] [action field]
They are selector field and actions field. Selector field is again divided into two. Facilities and priorities.
Facility examples are (authpriv,kern,mail,local7 etc)
The priority is one of the following in ascending order: debug(0), info, notice, warning(warn), error(err), crit, alert, emerg(panic(7))
Actions can be regular files, console, list of users, remote machine ip etc.
Steps:
1. Open the configuration file /etc/syslog.conf and add an
entry to redirect the logs to the remote server.
[root@vm1 ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
*.* @192.168.0.19
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
##authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
[root@vm1 ~]#
2. Restart the service
[root@vm1 ~]# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
[root@vm1 ~]#
Checking:
In server open a terminal and watch /var/log/messages and restart
syslog service in client. You can see the log from clinet coming to
server.
[root@server ~]# tail -f /var/log/messages
Tasks:
1. Exploration of environment
a. '/etc/rsyslog.conf' - primary
config file
b. '/etc/sysconfig/rsyslog' -
ancillary config file, containing startup options
2. '/etc/rsyslog.conf' - exploration
Selector(s) Action(s)
#### RULES ####
*.info;mail.none;authpriv.none;cron.none
/var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg *
local7.* /var/log/boot.log
3. Configure UDP:514 routing of
messages from Cisco Router
a. '/etc/rsyslog.conf'
Under the Modules uncomment the lines
$Modload imtcp.so
$UDPServerRun 514
b. 'service rsyslog restart'
No comments:
Post a Comment