Simple HOW TO’s ….
How to setup a Syslog Server:
Step #1. Configuring the client machines logging facilities.
The first step when setting up your log server is to configure your linux machines syslog daemon to send there log files to an alternate location, the logserver. /etc/syslogd.conf is the configuration file that controls how linux will log data and where it will log it. Use your favourite text editor (pico or vi for example) and add the following line:
[root@localhost]# vi /etc/syslogd.conf
*.* [hit tab a few times] @logserver
NOTE: This will tell syslogd to send logs to a machine called "logserver"Step #2. Restart syslogd on the client machine.
After making your changes, restart syslogd so it will start with its new configuration.
[root@localhost]# killall -HUP syslogd
Step #3. Configure your client machines firewall.
If your client machine is running a firewall, then you need to add a rule that will allow outgoing udp packets from the client machine to the logserver.
[root@localhost]# /sbin/ipchains -A output -p udp -i eth0 -s 192.168.0.1 -d 192.168.0.2 514 -j ACCEPT
NOTE: this rule is only for users who are running a firewall on there machine. It allows outgoing udp packets on the client machine (192.168.0.1) on port 514 (syslog port) to the loghost (192.168.0.2). If your not running a firewall, disgard it.
Step #4. Configure the logserver for "remote reception".
Now that we have configured the client's machine to send log files to a machine called "logserver", lets setup the log server so that it accepts incoming logs from other machines. To stop the syslog daemon, you can find its process ID (PID) and kill it, then restart syslogd with "remote reception" enabled.
[root@logserver]# ps -aux | grep "syslogd"
root 1292 0.0 0.2 1404 176 ? S Aug10 0:00 /usr/sbin/syslogd
The process ID of syslogd is "1292" so we need to stop syslogd, make the change and then restart it.
[root@logserver]# kill 1292
(or try kill -9 1292 if the process did not terminate)
Now that the syslog daemon has be shutdown, we can now start it again with "remote reception" enabled.
[root@logserver]# /usr/sbin/syslogd -rm 0
NOTE: the -r means "remote reception" and the -m 0 turns of the annoying "--MARK--" timestamp.
Step #5. Verify the logserver's syslog daemon is correctly configured.
Verify that syslogd has been restarted with remote reception enabled by checking /var/log/messages (or /var/log/secure on some systems)
[root@logserver]# cat /var/log/messages
Near the bottom you should see..
Aug 11 21:20:30 logserver syslogd 1.3-3: restart. (remote reception)
Yup it worked. The linux machine called "logserver" is now setup for remote reception of log files from other machines on the network.
Step #6. Configure your firewall.
If your logserver is running a firewall, then you need to add a rule that will allow incoming udp packets from the client machine to the logserver.
[root@logserver]# /sbin/ipchains -A input -p udp -i eth0 -s 192.168.0.1 -d 192.168.0.2 514 -j ACCEPT
This rule is only for users who are running a firewall on their logserver. It allows incoming udp packets from the client machine (192.168.0.1) on port 514 (syslog port) to the logserver (192.168.0.2) If your not running a firewall, disgard it.
Step #7. Verify everything works correctly.
The last step is to verify that everything is working correctly. To do that, log out of your client machine and log back in, then go to your log server and check /var/log/messages (or /var/log/secure on some systems) and you should see the login from the client machine. If something does go wrong, make sure your network is setup correctly (ie are you able to ping other machines on your network? and is /etc/hosts setup on each machine?) make sure you have your log servers syslog daemon setup for remote recetpion (/usr/sbin/syslogd -rm 0) and make sure after you edit /etc/syslog.conf on the client machine you restart the syslog daemon (killall -HUP syslogd).
Now check your logservers log file (/var/log/messages or /var/log/secure) and you should see something like this
[root@logserver]# cat /var/log/messages
Aug 14 18:36:19 slackware login: ROOT LOGIN on `tty2'
NOTE: We are logged onto the logserver and root's login on the client machine showed up in our log files. So everything is working correctly. Congrats.
***You may also try to edit your syslog script to automatically start your syslog daemon to enable remote reception:
[root@logserver]# vi /etc/rc2.d/S12syslog
# Source config
if [ -f /etc/sysconfig/syslog ] ; then