
Wednesday, June 20, 2007 

Simple HOW TO’s …. How to setup a Syslog Server


How to setup a Syslog Server:

Step #1. Configuring the client machines logging facilities.

The first step when setting up your log server is to configure each Linux client machine's syslog daemon to send its log messages to an alternate location, the logserver. /etc/syslog.conf is the configuration file that controls how Linux logs data and where it logs it. Use your favourite text editor (pico or vi, for example) and add the following line:

[root@localhost]# vi /etc/syslog.conf

*.* [hit tab a few times] @logserver

NOTE: This tells syslogd to send every message (all facilities, all priorities) to a machine called "logserver". The name must resolve on the client, via /etc/hosts or DNS.

Step #2. Restart syslogd on the client machine.

After making your changes, restart syslogd so it starts with its new configuration.

[root@localhost]# killall -HUP syslogd


Step #3. Configure your client machine's firewall.

If your client machine is running a firewall, then you need to add a rule that allows outgoing UDP packets from the client machine to the logserver.

[root@localhost]# /sbin/ipchains -A output -p udp -i eth0 -s 192.168.0.1 -d 192.168.0.2 514 -j ACCEPT

NOTE: This rule is only for users who are running a firewall on their machine. It allows outgoing UDP packets from the client machine (192.168.0.1) to port 514 (the syslog port) on the loghost (192.168.0.2). If you're not running a firewall, disregard it.
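Before restarting syslogd (step 2) it is worth confirming that the forwarding line is actually in place and that it sends everything to the intended host. The following is an added example, not from the original post: two small shell functions that parse a syslog.conf and report its remote destinations, run here against a constructed sample configuration written to a temporary file (the file contents and the host name logserver are assumptions for the demonstration).

```shell
#!/bin/sh
# Added example, not from the original post: check a client's syslog.conf
# for remote forwarding before restarting syslogd. A forwarding rule is
#   <selector><whitespace>@<host>
# Comment (#) and blank lines are skipped; tabs and spaces are both accepted.

# Print the host named in every forwarding rule, one per line.
syslog_remote_targets() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $2 ~ /^@/ { sub(/^@/, "", $2); print $2 }
    ' "$1"
}

# Return 0 when the selector "*.*" (all facilities, all priorities) forwards
# to the given host, 1 otherwise.
syslog_forwards_all_to() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "*.*" && $2 == ("@" want) { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample client configuration (not a real file from the post):
# the usual local rules plus the forwarding line added in step 1.
make_sample_conf() {
    tmp=$(mktemp)
    printf '%s\n' \
        '# Log all kernel messages to the console.' \
        'kern.*                                   /dev/console' \
        '*.info;mail.none;authpriv.none;cron.none /var/log/messages' \
        'authpriv.*                               /var/log/secure' \
        '' \
        '*.*                                      @logserver' \
        > "$tmp"
    echo "$tmp"
}

conf=$(make_sample_conf)
echo "remote targets: $(syslog_remote_targets "$conf")"
if syslog_forwards_all_to "$conf" logserver; then
    echo "all messages are forwarded to logserver; safe to run: killall -HUP syslogd"
else
    echo "no '*.* @logserver' rule found; fix the file before restarting syslogd" >&2
fi
rm -f "$conf"
```

Point syslog_forwards_all_to at the real /etc/syslog.conf on a client to use it as a pre-restart check; a non-zero exit means the HUP would leave the client logging only locally.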


Step #4. Configure the logserver for "remote reception".

Now that we have configured the client machine to send its logs to a machine called "logserver", let's set up the log server so that it accepts incoming logs from other machines. To do that, stop the syslog daemon by finding its process ID (PID) and killing it, then restart syslogd with "remote reception" enabled.

[root@logserver]# ps -aux | grep "syslogd"

root 1292 0.0 0.2 1404 176 ? S Aug10 0:00 /usr/sbin/syslogd

The process ID of syslogd is "1292", so we need to stop syslogd, make the change and then restart it.

[root@logserver]# kill 1292

(or try kill -9 1292 if the process did not terminate)

Now that the syslog daemon has been shut down, we can start it again with "remote reception" enabled.

[root@logserver]# /usr/sbin/syslogd -rm 0

NOTE: the -r means "remote reception" and the -m 0 turns off the annoying "--MARK--" timestamp.


Step #5. Verify the logserver's syslog daemon is correctly configured.


Verify that syslogd has been restarted with remote reception enabled by checking /var/log/messages (or /var/log/secure on some systems):

[root@logserver]# cat /var/log/messages

Near the bottom you should see:


Aug 11 21:20:30 logserver syslogd 1.3-3: restart. (remote reception)


Yup, it worked. The Linux machine called "logserver" is now set up for remote reception of log files from other machines on the network.

Step #6. Configure your firewall.

If your logserver is running a firewall, then you need to add a rule that allows incoming UDP packets from the client machine to the logserver.

[root@logserver]# /sbin/ipchains -A input -p udp -i eth0 -s 192.168.0.1 -d 192.168.0.2 514 -j ACCEPT


This rule is only for users who are running a firewall on their logserver. It allows incoming UDP packets from the client machine (192.168.0.1) to port 514 (the syslog port) on the logserver (192.168.0.2). If you're not running a firewall, disregard it.

Step #7. Verify everything works correctly.

The last step is to verify that everything is working correctly. To do that, log out of your client machine and log back in, then go to your log server and check /var/log/messages (or /var/log/secure on some systems); you should see the login from the client machine. If something goes wrong, check the following: make sure your network is set up correctly (i.e. can you ping other machines on your network, and is /etc/hosts set up on each machine?), make sure your log server's syslog daemon is running with remote reception enabled (/usr/sbin/syslogd -rm 0), and make sure that after you edit /etc/syslog.conf on the client machine you restart the syslog daemon (killall -HUP syslogd).

[root@localhost]# logout

Login: root

Password: xxxxxxxx

Now check your logserver's log file (/var/log/messages or /var/log/secure) and you should see something like this:

[root@logserver]# cat /var/log/messages

Aug 14 18:36:19 slackware login[2893]: ROOT LOGIN on `tty2'

NOTE: We are logged onto the logserver, and root's login on the client machine (slackware) showed up in our log file. So everything is working correctly. Congrats.
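Once the client's messages arrive, the same log file can tell you more than that one login worked. The following is an added example, not from the original post: shell functions that summarise a log server's /var/log/messages in the line format shown above, listing which hosts are reporting and how much, pulling out root logins, and naming expected clients that have sent nothing (with -m 0 there are no --MARK-- heartbeats, so a silent client otherwise goes unnoticed). The sample log written to a temporary file, and the host names slackware, webbox and dbbox, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: summarise what a log server has
# received from its clients. Lines follow the classic syslog layout:
#   Mon DD HH:MM:SS <host> <program>[<pid>]: <message>
# so the sending host is always the fourth whitespace-separated field.

# Print "<host> <count>" for every host seen in the log, sorted by host name.
syslog_hosts() {
    awk '{ n[$4]++ } END { for (h in n) print h, n[h] }' "$1" | sort
}

# Print "<host> <tty>" for each console root login recorded by login(1),
# stripping the backtick and quote that wrap the tty name.
root_logins() {
    awk '/ROOT LOGIN on/ { tty = $NF; gsub(/[^[:alnum:]]/, "", tty); print $4, tty }' "$1"
}

# Print each expected client (arguments after the log file) that has no line
# in the log at all: either its forwarding is broken or it has been cut off.
silent_clients() {
    log=$1
    shift
    for h in "$@"; do
        grep -q "^[A-Z][a-z][a-z] [ 0-9][0-9] [0-9:]* $h " "$log" || echo "$h"
    done
}

# Constructed sample of a log server's /var/log/messages (not real data).
make_sample_log() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
Aug 11 21:20:30 logserver syslogd 1.3-3: restart. (remote reception)
Aug 14 18:36:19 slackware login[2893]: ROOT LOGIN on `tty2'
Aug 14 18:40:02 slackware su(pam_unix)[2910]: session opened for user root by nick(uid=500)
Aug 14 18:41:11 webbox sshd[4411]: Accepted password for nick from 192.168.0.7 port 40122 ssh2
Aug 14 18:45:00 webbox login[4470]: ROOT LOGIN on `tty1'
EOF
    echo "$tmp"
}

log=$(make_sample_log)
echo "messages per host:"; syslog_hosts "$log"
echo "root logins:";       root_logins "$log"
echo "silent clients:";    silent_clients "$log" slackware webbox dbbox
rm -f "$log"
```

Run against the real /var/log/messages on the logserver, silent_clients is the quick way to notice that a client stopped forwarding, which step 7 alone only checks for at setup time.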


***You may also edit your syslog init script so that the syslog daemon starts with remote reception enabled automatically at boot:

[root@logserver]# vi /etc/rc2.d/S12syslog

# Source config
if [ -f /etc/sysconfig/syslog ] ; then
    . /etc/sysconfig/syslog
else
    SYSLOGD_OPTIONS="-rm 0"
    KLOGD_OPTIONS="-2"
fi

NOTE: the else branch is only reached when /etc/sysconfig/syslog does not exist; if that file is present, put SYSLOGD_OPTIONS="-rm 0" in it instead.

The Author: Nick Perrydoo

© Copyright 2006 Ba-zoo-ra - All Rights Reserved.