Setting up sending Linux logs to central Syslog server

Hi,

I'm fairly new to Linux, but I've been tasked with sending all Linux logs to a central syslog server.

Sorry to ask but are there any guides out there on how to do this?

These are SLES 11 machines

I don’t know of any guides but this is how I accomplished it:

cd /etc/syslog-ng
cp -p syslog-ng.conf syslog-ng.conf.new
vi syslog-ng.conf.new
Uncomment the last two lines and modify the first line. The modification is in bold.

# Enable this and adopt IP to send log messages to a log server.

destination logserver { udp("your_log_server_DNS_goes_here" port(514)); };
log { source(src); destination(logserver); };
:wq

To implement:
cd /etc/syslog-ng
mv syslog-ng.conf.new syslog-ng.conf

/etc/rc.d/syslog restart

Hope this helps.

Harley
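
The steps above, as an added example that is not part of Harley's post: a small POSIX shell script that renders the same destination/log pair, appends it to syslog-ng.conf exactly once (so re-running it on a fleet is safe), keeps a backup, syntax-checks the result with syslog-ng before the restart, and sends a tagged test message afterwards. Two points worth knowing before you copy the udp() line: UDP syslog has no delivery feedback (messages vanish silently when the server or network is busy) and no sender authentication, so the script defaults to tcp(), which at least gives in-order, acknowledged delivery; TLS needs syslog-ng 3.x, which the 2.x version on SLES 11 does not provide. Assumptions: SLES 11 paths (/etc/syslog-ng/syslog-ng.conf, /etc/init.d/syslog), `syslog-ng -s -f` as the syntax check, and "logserver.example.com" as a placeholder server name.

```bash
#!/bin/sh
# Added example, not from the thread: build and deploy the client-side
# syslog-ng fragment Harley describes. Assumptions: SLES 11 with syslog-ng 2.x,
# config at /etc/syslog-ng/syslog-ng.conf, init script /etc/init.d/syslog.
set -eu

MARKER='# central-logging fragment (managed)'

# Render the destination/log pair. "udp" is what the stock SLES config comment
# suggests; "tcp" gives acknowledged, in-order delivery (still plaintext and
# unauthenticated). "src" is the stock SLES source name.
render_client_fragment() {
    server="$1"; port="${2:-514}"; transport="${3:-tcp}"
    case "$transport" in
        udp|tcp) ;;
        *) echo "unsupported transport: $transport" >&2; return 1 ;;
    esac
    printf '%s\n' "$MARKER"
    printf 'destination logserver { %s("%s" port(%s)); };\n' "$transport" "$server" "$port"
    printf 'log { source(src); destination(logserver); };\n'
}

# Append the fragment to a config file exactly once (re-runs are no-ops) and
# keep a timestamped backup of the pre-change file.
install_client_fragment() {
    conf="$1"
    if grep -qF "$MARKER" "$conf"; then
        echo "fragment already present in $conf" >&2
        return 0
    fi
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    render_client_fragment "$2" "${3:-514}" "${4:-tcp}" >> "$conf"
}

# Syntax-check the config with syslog-ng itself when the binary is present
# (assumed: syslog-ng -s = --syntax-only, -f = config file). A failing check
# aborts the script before anything is restarted.
check_syntax() {
    if command -v syslog-ng >/dev/null 2>&1; then
        syslog-ng -s -f "$1"
    else
        echo "syslog-ng binary not found; skipping syntax check" >&2
    fi
}

# Usage: client_setup.sh logserver.example.com [port] [udp|tcp]
main() {
    liveconf=/etc/syslog-ng/syslog-ng.conf
    install_client_fragment "$liveconf" "$1" "${2:-514}" "${3:-tcp}"
    check_syntax "$liveconf"
    /etc/init.d/syslog restart
    # Tagged test message: grep for it on the central server afterwards.
    logger -t central-logging-test "client fragment installed on $(hostname)"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root with the server name as the first argument. If the central server only listens on UDP (as in the stock SLES comment), pass `udp` as the third argument; otherwise open a tcp() source on the server as well.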

Hi PeterHands,

> Hi,
>
> I'm fairly new to Linux, but I've been tasked with sending all Linux logs to a central syslog server.
>
> Sorry to ask but are there any guides out there on how to do this?
>
> These are SLES 11 machines

It’d be helpful to add a little detail to your question:
a - what version of SLES11 (SP4 is latest, saying "SLES11" would usually mean the version without any service packs, which would be horrendously outdated)
b - which syslog are you using, “syslog-ng” (as Harley was referring to) or rsyslog?

There are two sides to your question:

  1. How to make the clients send their syslogs to the central syslog server? This part was answered by Harley for syslog-ng, using udp packets. With rsyslog, have a look at /etc/rsyslog.d/remote.conf
  2. How to make the central syslog server receive these messages, and store them comfortably?

If the central server is syslog-ng (rather typical for e.g. SLES11SP3), then you'll need to tell it to listen for the incoming packets, e.g. via the following "source" declaration in /etc/syslog-ng/syslog-ng.conf:

source net { udp(ip("0.0.0.0") port(514)); };

In addition, you’ll have to tell syslog-ng what to do with these messages (no current rule will reference the source named “net” yet). I have decided to keep all messages in separate files per sending host, as not to mix too many message sources in a single file:

# remote logging
destination remotemessages { file("/var/log/hosts/$HOST.log"); };
log { source(net); destination(remotemessages); };

As you can see, these files even go in a separate subdirectory. You'll need to adapt your log rotation rules to that, though: else you'll end up with pretty large files clobbering your /var/log/hosts file system...

Regards,
Jens

There is also a Novell Cool Solutions article on doing this with syslog-ng:

Centralized Syslogging with Syslog-NG on SUSE Linux