Cool Solutions: Centralized Syslogging with Syslog-NG on SUSE Linux
http://www.novell.com/coolsolutions/feature/18044.html

Novell Cool Solutions: Feature
By Scott Flowers
Posted: 2 Nov 2006

Introduction

A key part of managing network servers and devices is the regular review of log messages. Log messages are also used
forensically when troubleshooting network problems. On many systems, including Linux and UNIX servers and network devices
such as switches and routers, system message logging follows a standardized format known as syslog. One way to improve IT
management and administration is to centralize the syslog messages from all the diverse devices on a corporate network onto a
single syslog server, or loghost. Centralization keeps a copy of each message off the machine that produced it, and it allows
automated log analysis tools to alert on and search for specific message types, giving system administrators better tools to
manage their networks. This paper describes how to configure a SUSE Linux Enterprise Server 9 or OES Linux server to act as
a simple centralized loghost, and how to configure SLES servers and desktops to log system messages to that host over the
network.

Syslog-NG

Syslog-NG is the next generation of syslog, the logger that has been part of UNIX and Linux for many years. It is designed to
allow flexible logging of system messages from various systems to different outputs, including text files, databases, email
messages and more. It also has sophisticated filtering mechanisms that let the messages from a given host be routed to
different destinations depending on facility or severity. For example, low-severity messages could be logged to a file, while
higher-severity messages could be logged to a file and also emailed to the sysadmin's mobile phone for immediate action.
Syslog-NG ships with SLES 9 and NLD 9 as an alternative to the default logger, the old BSD-based syslogd. On SLES and
SLED 10, Syslog-NG is the default system logger.

Configuring Syslog-NG on SLES 9

Enabling Syslog-NG

Note: If you are using SLES 10, Syslog-NG is already enabled and this step is unnecessary.

By default SLES 9 uses syslogd, not Syslog-NG. The first step in building a loghost on SLES 9 is to enable Syslog-NG. To do
this, first stop syslogd by running /etc/init.d/syslogd stop in a terminal. Next, enable Syslog-NG by editing the file
/etc/sysconfig/syslog. Find this line:

SYSLOG_DAEMON="syslogd"

and replace it with this:

SYSLOG_DAEMON="syslog-ng"

Save the file and run SuSEconfig --module syslog-ng to update the system's syslog configuration.

Configuring Loghost to Receive Log Messages

By default Syslog-NG is configured to log only messages from the host it is running on. For a centralized loghost, you must
enable Syslog-NG to receive log messages over the network. In this article we leave the existing Syslog-NG configuration in
place, so nothing changes in the logging that is already set up on the host; we only add the ability to receive messages from
other hosts over the network.

To enable Syslog-NG to receive syslog messages from network devices, you have to edit the Syslog-NG configuration file and
add some settings. The file is divided into sections called source, destination, filter and log. On a standard SLES 9
installation, the source section of that file contains some lines that look like this:

#
# uncomment to process log messages from network:
#
# udp(port(514));

To enable network access to the server, assuming your loghost is located at 192.168.1.42, change these lines to look like this:

#
# uncomment to process log messages from network:
#
udp(port(514));
tcp(ip("192.168.1.42") port(5140) keep-alive(yes));

Notice that the pound sign in front of the UDP line has been removed, and the tcp line has been added. The udp() source listens
on every interface; the tcp() source is bound to the loghost's own address on port 5140, and keep-alive(yes) keeps client
connections open across a configuration reload. Neither listener authenticates or encrypts anything: messages travel in clear
text, and the loghost accepts a message from any address that can reach these ports. Restrict access to UDP 514 and TCP 5140
to your own hosts with a host or network firewall.

Next, a destination must be defined for network log messages, and a log statement must be included to tell Syslog-NG how to
use the destination. Go to the bottom of the file, add a new line, and then add the following lines.

# this is for separating out network hosts into individual log files.
destination std {
    file("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
        owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
    );
};
log {
    source(src);
    destination(std);
};

This sample configuration saves the messages from each host in a separate directory under /var/log/HOSTS/$YEAR-$MONTH,
named after the sending host, and creates the directories as needed (that is what create_dirs(yes) does; perm(0600) and
dir_perm(0700) keep the files and directories readable by root only). Within each host's directory the messages are split into
log files by facility. The standard facilities are auth, authpriv (for security information of a sensitive nature), cron, daemon,
ftp, kern, lpr, mail, news, security (deprecated synonym for auth), syslog, user, uucp, and local0 to local7 (from the logger
man page).

Once the lines have been added, save the file and then run SuSEconfig --module syslog-ng again to make the configuration
changes take effect. Then, run /etc/init.d/syslogd start to start Syslog-NG. The loghost is now ready to accept log messages
from the network.

Configuring Logging to the Loghost from Network Servers

Now that the loghost is ready to receive log messages from hosts on the network, you have to configure your hosts to send
messages to it. If the hosts are based on SLES 9 or OES Linux, follow the steps outlined above to enable Syslog-NG: stop
syslogd with /etc/init.d/syslogd stop, set SYSLOG_DAEMON="syslog-ng" in /etc/sysconfig/syslog, and run
SuSEconfig --module syslog-ng.

Then, edit the Syslog-NG configuration file on the host to tell it to send messages to the syslog server. Open the file, go to
the bottom, and, assuming your loghost is located at the IP address 192.168.1.42, add the following lines:

# send everything to log host
destination loghost {
    tcp("192.168.1.42" port(5140));
};
log {
    source(src);
    destination(loghost);
};

After making the changes, save the file, run SuSEconfig --module syslog-ng, and restart the syslog service
(/etc/init.d/syslogd stop followed by /etc/init.d/syslogd start). Your host should now send all of its log messages to the
loghost. Because this log statement copies every message, including the authpriv facility, and the tcp() destination carries
them in clear text, the path between your hosts and the loghost should be a network you trust.

You can test that it works with the command-line utility logger, which sends messages to the syslog service. Logger is also a
great way for shell scripts or cron jobs to send status messages to the system log. To check that your server sends its log
messages to your loghost, run the following command (the -p option sets the facility and severity of the message):

logger -p user.warn this is a test logger message that should go to my loghost

On your loghost, navigate to /var/log/HOSTS and into the directory for the current year and month. You should see a directory
for your host. It will be named either with the hostname or with the IP address, depending on whether reverse lookup works in
your DNS environment. Inside that directory you should find a log file whose name starts with user and that contains your
user.warn message.
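To make the wire format behind the loghost source lines, the destination template and this logger test concrete, here is an added example in Python (it is not from the article and not part of syslog-ng). It builds the BSD syslog (RFC 3164) line that leaves a host for the loghost after the logger -p user.warn test above, pushes it through a loopback UDP socket that stands in for the loghost's udp(port(514)) source, decodes the PRI field back into facility and severity, and expands the article's destination template to the file the message would land in. Two assumptions are mine, not the page's: the listener is bound to 127.0.0.1 on an ephemeral port so the example runs without root, and the $YEAR, $MONTH and $DAY macros are taken from the time the loghost received the message.

```python
"""Added example, not code from the article or from syslog-ng.

Builds, sends (over loopback UDP) and decodes one BSD syslog message, then
expands the article's destination template for it.  Assumptions: the listener
is 127.0.0.1 on an ephemeral port (not 514, so no root needed) and the date
macros in the template resolve to the time the loghost received the message.
"""
import datetime
import re
import socket

# Facility codes from RFC 3164 / syslog(3); 16..23 are local0..local7.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: "local%d" % i for i in range(8)})
FACILITY_CODES = {name: code for code, name in FACILITY_NAMES.items()}
FACILITY_CODES["security"] = 4  # deprecated synonym for auth
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_CODES = {name: code for code, name in enumerate(SEVERITY_NAMES)}
SEVERITY_CODES.update({"panic": 0, "error": 3, "warn": 4})  # aliases logger accepts

# <PRI>TIMESTAMP HOSTNAME MSG; PRI is optional because RFC 3164 allows its absence.
HEADER_RE = re.compile(r"^(?:<(?P<pri>\d{1,3})>)?"
                       r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity; 'user.warn' therefore becomes 12."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def build_message(facility, severity, hostname, tag, text, now=None):
    """Format the line a host forwards: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text."""
    now = now or datetime.datetime.now()
    stamp = "%s %2d %s" % (now.strftime("%b"), now.day, now.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s" % (encode_pri(facility, severity), stamp, hostname, tag, text)


def parse_message(raw):
    """Decode a received line.  A missing PRI means <13> (user.notice) per RFC 3164.

    HOSTNAME is taken at face value: nothing in the protocol authenticates the
    sender, so a host that can reach the listener can claim any name here.
    """
    m = HEADER_RE.match(raw)
    if m is None:
        pri, stamp, host, content = 13, None, None, raw
    else:
        pri = int(m.group("pri")) if m.group("pri") is not None else 13
        stamp, host, content = m.group("ts"), m.group("host"), m.group("msg")
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return {"facility": FACILITY_NAMES.get(pri >> 3, "facility%d" % (pri >> 3)),
            "severity": SEVERITY_NAMES[pri & 7],
            "host": host, "timestamp": stamp, "content": content}


def destination_path(parsed, received):
    """Expand /var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY
    (assumption: the date macros use the receipt time)."""
    return "/var/log/HOSTS/%s/%s/%s-%s" % (received.strftime("%Y-%m"), parsed["host"],
                                           parsed["facility"], received.strftime("%Y-%m-%d"))


def loopback_roundtrip(message, timeout=2.0):
    """Send one datagram to a loopback listener standing in for the loghost."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))  # port 0: the kernel picks an unprivileged port
        listener.settimeout(timeout)
        sender.sendto(message.encode("utf-8"), listener.getsockname())
        data, _ = listener.recvfrom(65535)
        return data.decode("utf-8")
    finally:
        sender.close()
        listener.close()


def example_roundtrip():
    """The article's logger test, end to end, with a fixed (constructed) timestamp."""
    when = datetime.datetime(2006, 11, 2, 14, 5, 9)
    msg = build_message("user", "warn", "sles9-web", "root",
                        "this is a test logger message that should go to my loghost", now=when)
    parsed = parse_message(loopback_roundtrip(msg))
    return {"message": msg, "parsed": parsed, "path": destination_path(parsed, when)}


if __name__ == "__main__":
    result = example_roundtrip()
    print(result["message"])
    print(result["parsed"]["facility"], result["parsed"]["severity"], result["parsed"]["host"])
    print(result["path"])
```

Run it directly to see the message on the wire, its decoded facility and severity, and the file it would be written to under the template. What parse_message has to take on faith is the point: the HOSTNAME field is whatever the sender wrote and nothing on the wire authenticates it or the source address, which is why the listening ports should be reachable only from your own hosts.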

What's Next?

Now that your log files are accumulating on a single loghost, you can start doing all kinds of useful things with them. You
can reconfigure the loghost to also write messages to a MySQL database, or you can use a tool called swatch that watches your
log files for particular messages and alerts you about them, or even have swatch kick off automated responses to particular
messages. You can also install a tool like Splunk, which lets you search your logs the way Google searches the web.
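As an added example (not from the article, and not swatch itself), here is a minimal swatch-style sweep in Python over the tree the destination template above produces, /var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY. It reads only the auth and authpriv files, matches a couple of failed-login patterns, and reports any source address that trips a threshold. The hostnames, addresses and log lines are constructed for the example and written to a temporary directory so it runs without a real loghost; the patterns, the threshold and the assumption about the file layout are mine.

```python
"""Added example, not code from the article or from swatch.

Sweeps a /var/log/HOSTS-style tree (year-month/host/facility-date) for
failed logins in the auth and authpriv files and alerts on repeat offenders.
Sample hosts, addresses and log lines are constructed for this example.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Rules to watch for (constructed; extend with whatever your environment needs).
RULES = {
    "ssh_failed_password": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "su_failed": re.compile(r"su: FAILED SU \(to (?P<user>\S+)\)"),
}
ALERT_THRESHOLD = 3  # failed SSH logins from one source before we alert


def scan_tree(root, facilities=("auth", "authpriv")):
    """Walk root/<year-month>/<host>/<facility>-<date> and return every rule hit.

    The facility comes from the file name and the host from the directory name,
    i.e. from what syslog-ng filed the message under, not from the line's text.
    """
    hits = []
    for month_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for host_dir in sorted(p for p in month_dir.iterdir() if p.is_dir()):
            for logfile in sorted(host_dir.iterdir()):
                if logfile.name.split("-", 1)[0] not in facilities:
                    continue
                with logfile.open(encoding="utf-8", errors="replace") as fh:
                    for line in fh:
                        for rule, pattern in RULES.items():
                            m = pattern.search(line)
                            if m:
                                hits.append({"host": host_dir.name, "file": logfile.name,
                                             "rule": rule, "src": m.groupdict().get("src"),
                                             "line": line.rstrip("\n")})
    return hits


def alerts_for(hits, threshold=ALERT_THRESHOLD):
    """Return (source address, count) pairs of failed SSH logins at or over the threshold."""
    per_source = Counter(h["src"] for h in hits if h["rule"] == "ssh_failed_password" and h["src"])
    return [(src, n) for src, n in per_source.most_common() if n >= threshold]


def build_sample_tree():
    """Create a throwaway tree in the article's layout filled with constructed lines."""
    root = Path(tempfile.mkdtemp(prefix="loghost-"))
    sample = {
        "2006-11/sles9-web/auth-2006-11-02": [
            "Nov  2 14:05:09 sles9-web sshd[4121]: Failed password for invalid user admin from 10.0.0.99 port 50122 ssh2",
            "Nov  2 14:05:11 sles9-web sshd[4121]: Failed password for invalid user admin from 10.0.0.99 port 50122 ssh2",
            "Nov  2 14:05:14 sles9-web sshd[4123]: Failed password for root from 10.0.0.99 port 50130 ssh2",
            "Nov  2 14:06:02 sles9-web sshd[4130]: Accepted publickey for deploy from 192.168.1.20 port 41002 ssh2",
        ],
        "2006-11/oes-files/authpriv-2006-11-02": [
            "Nov  2 14:07:40 oes-files su: FAILED SU (to root) backup on /dev/pts/1",
            "Nov  2 14:08:01 oes-files sshd[977]: Failed password for backup from 192.168.1.50 port 33012 ssh2",
        ],
        # A look-alike pushed into the user facility with logger: not an auth event.
        "2006-11/oes-files/user-2006-11-02": [
            "Nov  2 14:09:15 oes-files backup: sshd[1]: Failed password for root from 10.0.0.99 port 1 ssh2",
        ],
    }
    for rel, lines in sample.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    found = scan_tree(tree)
    for h in found:
        print("%-10s %-22s %-20s %s" % (h["host"], h["file"], h["rule"], h["line"]))
    for src, n in alerts_for(found):
        print("ALERT: %d failed SSH logins from %s" % (n, src))
```

Because the file name carries the facility, the sweep ignores the look-alike line that a local user pushed into the user facility with logger; only lines that arrived as auth or authpriv count. Reading the host from the directory name has the same effect: the sweep reports what syslog-ng filed the message under, not what the line claims about itself.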

References

Syslog-NG homepage: http://www.balabit.com/products/syslog_ng/
Syslog-NG FAQ: http://www.balabit.com/products/syslog_ng/
Centralized Syslog to MySQL: http://vermeer.org/docs/1
Swatch with Syslog-NG: http://www.campin.net/newlogcheck.html#swatch
Swatch homepage: http://swatch.sourceforge.net/
Splunk: http://www.splunk.com/
