Saturday, March 15, 2008

Setup a Syslog Server

Step 1. Edit /etc/syslog.conf
-------------------------------------
Edit /etc/syslog.conf and add the following lines:

# ------------------------ /etc/syslog.conf -------------------------------
#    Consult the syslog.conf(5) manpage.

+10.0.0.1
*.*                        /var/log/server1.log

+10.0.0.2
*.*                        /var/log/server2.log

+10.0.0.3
*.*                        /var/log/server3.log

# A "+host" line stays in effect until the next host specification, so "+*"
# is needed here; without it the rules below would only apply to 10.0.0.3.
+*

*.err;kern.warning;auth.notice;mail.crit        /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err    /var/log/messages
security.*                    /var/log/security
auth.info;authpriv.info                /var/log/auth.log
mail.info                    /var/log/maillog
lpr.info                    /var/log/lpd-errs
ftp.info                    /var/log/xferlog
cron.*                        /var/log/cron
*.=debug                    /var/log/debug.log
*.emerg                        *

!startslip
*.*                        /var/log/slip.log

!dhcpd
*.*                        /var/log/dhcp.log
# --------------------- eof -------------------------------------------------
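As an added example (not code from the original post), here is a small Python model of how syslogd applies the selectors and the "+host" / "!prog" blocks of a syslog.conf like the one above to a datagram arriving on UDP port 514; run a message through route() to see which files it would land in. The config and the message are constructed samples, and "!prog" blocks are matched on the program tag of the message, which the page does not spell out.

```python
import re
# FreeBSD syslogd numbering: facility = PRI // 8, severity = PRI % 8 (0 = most severe).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp "
              "security console mark local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
DATAGRAM = re.compile(r"^<(\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ ([^\s:\[]+)")

def parse_datagram(data):
    """Return (facility, severity, program) of '<PRI>Mmm dd hh:mm:ss host tag[pid]: msg'."""
    m = DATAGRAM.match(data)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a valid BSD syslog datagram")
    fac, sev = divmod(int(m.group(1)), 8)
    return FACILITIES[fac], SEVERITIES[sev], m.group(2)

def selector_matches(selector, facility, severity):
    """'fac.level' = that level and more severe, '=level' = exactly, 'none' = drop."""
    decision = {}
    for spec in selector.split(";"):          # later specs override earlier ones
        facs, level = spec.rsplit(".", 1)
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if level in ("*", "none"):
                decision[fac] = level == "*"
            elif level[0] == "=":
                decision[fac] = severity == level[1:]
            else:
                decision[fac] = SEVERITIES.index(severity) <= SEVERITIES.index(level)
    return decision.get(facility, False)

def route(conf, source_host, data):
    """List the targets a datagram from source_host is written to under conf."""
    facility, severity, program = parse_datagram(data)
    targets, host_filter, prog_filter = [], None, None
    for line in [l.strip() for l in conf.splitlines() if l.strip() and l.lstrip()[0] != "#"]:
        if line[0] == "+":      # '+host' opens a host block; '+*' resets it
            host_filter = None if line == "+*" else line[1:]
        elif line[0] == "!":    # '!prog' opens a program block; '!*' resets it
            prog_filter = None if line == "!*" else line[1:]
        elif host_filter in (None, source_host) and prog_filter in (None, program):
            selector, target = line.split(None, 1)
            if selector_matches(selector, facility, severity):
                targets.append(target)
    return targets

# Constructed sample: a cut-down copy of the server config above, plus one message.
SAMPLE_CONF = """+10.0.0.1
*.*                                  /var/log/server1.log
+*
*.notice;authpriv.none;kern.debug    /var/log/messages"""
SAMPLE_MSG = "<38>Mar 15 10:11:12 host1 sshd[123]: Accepted publickey for admin"
```

Without the "+*" line in SAMPLE_CONF, route() shows the messages rule silently applying to 10.0.0.1 only, which is the mistake the reset line in the config above guards against.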



Step 2. Add syslogd_flags="" in /etc/rc.conf
----------------------------------------------------------
Edit /etc/rc.conf and add the following line:
syslogd_flags=""

This makes syslogd listen for log messages from other hosts. By default this variable is set in /etc/defaults/rc.conf to "-s", which tells syslogd to ignore external messages.
After editing /etc/rc.conf, either reboot the machine or run /etc/netstart.


Step 3. Restart syslog daemon
------------------------------------------
Make sure that the files server1.log, server2.log and server3.log exist, then restart the syslog daemon (if those files do not exist you must create them first):

/etc/rc.d/syslogd restart

Syslog uses UDP port 514; make sure this port is not blocked by your firewall.

To send logs to this log server you must configure the other servers and devices on your network to send their logs to it. You can send logs from Linux, UNIX and BSD machines or from managed network devices (for example managed switches or routers). It will work with any syslog client.


Troubleshooting the log server
--------------------------------------------
To check whether your log server receives log messages, run tcpdump from a root shell on port 514. Assuming your network card is em0:

tcpdump -tlni em0 port 514

If you do not see messages after running tcpdump, the problem is on the syslog client side, i.e. the device/server you want to receive messages from. Check the settings on that machine. The next section of this tutorial is a short howto on configuring syslog clients to send messages to your syslog server.

If you do receive messages but syslog does not write them to the file you defined, check that you have put syslogd_flags="" in /etc/rc.conf and that you have restarted the machine or reloaded the network settings.

You can also test logging with the logger command (also available on Linux).


Configuring syslog clients to send messages/logs to your syslog server
----------------------------------------------------------------------------------------------------

1. Sending LOGS messages from a FreeBSD server or desktop machine

Put the following line in /etc/syslog.conf and then restart your syslog daemon:

*.*         @10.0.0.10
(then restart the syslog daemon on the client with /etc/rc.d/syslogd restart)

If you want to send only kernel messages, put instead:

kern.*         @10.0.0.10


In this example 10.0.0.10 is the IP of your LOG Server.


2. Sending LOGS messages from a Linux server or desktop machine

Put the following line in /etc/syslog.conf (or /etc/syslogd.conf file, depending on your Linux distribution) and then restart your syslog daemon:
*.*         @10.0.0.10

(then restart the syslog daemon on the client with /etc/init.d/syslogd restart; this command is for Debian Linux, on other distributions it will be different)


3. Sending LOGS messages from a managed switch
You must access your managed switch through its telnet/ssh or web-based administration console and enable the syslog client, configuring it to send logs to your log server. Be careful to allow the log server's address to be accepted by your managed switch, otherwise it will not work. After setup, save your settings to NVRAM and reboot the device. Test functionality with tcpdump on your log server; you must receive log messages.

To log messages from a Cisco router or switch use (IOS):
config term
logging 10.0.0.10
logging trap errors
service timestamp log datetime
logging on

or (CatOS):

set logging server 10.0.0.10
set logging server severity 1
set logging timestamp enable
set logging server enable



4. Logging Windows Server/Desktop

Syslog is not supported by Windows by default, but there are third-party applications that allow you to send syslog messages to a log server.

For example this project: http://www.syslogserver.com/download.html