Setting up sending Linux logs to central Syslog server

SUSE Product Topics SLES Configure-Administer
1

Hi,

Im fairly new to Linux, but ive been tasked with sending all linux logs to a central syslog server.

Sorry to ask but are there any guides out there on how to do this?

These are SLES 11 machines

2

I don’t know of any guides but this is how I accomplished it:

cd /etc/syslog-ng
cp -p syslog-ng.conf syslog-ng.conf.new
vi syslog-ng.conf.new
Uncomment the last two lines and modify the first line. The modification is in bold.

Enable this and adopt IP to send log messages to a log server.

destination logserver { udp(“your_log_server_DNS_goes_here” port(514)); };
log { source(src); destination(logserver); };
:wq

To implement:
cd /etc/syslog-ng
mv syslog-ng.conf.new syslog-ng.conf

/etc/rc.d/syslog restart

Hope this helps.

Harley

3

Hi PeterHands,

[QUOTE=PeterHands;29391]Hi,

Im fairly new to Linux, but ive been tasked with sending all linux logs to a central syslog server.

Sorry to ask but are there any guides out there on how to do this?

These are SLES 11 machines[/QUOTE]

It’d be helpful to add a little detail to your question:
a - what vresion of SLES11 (SP4 is latest, saying “SLES11” would usually mean the version without any service packs, which would be horrendously outdated)
b - which syslog are you using, “syslog-ng” (as Harley was referring to) or rsyslog?

There are two sides to your question:

  1. How to make the clients send their syslogs to the central syslog server? This part was answered by Harley for syslog-ng, using udp packets. With rsyslog, have a look at /etc/rsyslog.d/remote.conf
  2. How to make the central syslog server receive these messages, and store them comfortably?

If the central server is syslog-ng (rather typical for i.e. SLES11SP3), then you’ll need to tell it to listen for the incoming packets i.e. via the following “source” declaration in /etc/syslog-ng/syslog-ng.conf:

[FONT=monospace][COLOR=#000000]source net { [/COLOR] udp(ip([COLOR=#b21818]"0.0.0.0"[/COLOR][COLOR=#000000]) port(514)); [/COLOR] };

In addition, you’ll have to tell syslog-ng what to do with these messages (no current rule will reference the source named “net” yet). I have decided to keep all messages in separate files per sending host, as not to mix too many message sources in a single file:

[/FONT] [FONT=monospace] [/FONT] [FONT=monospace][COLOR=#1818b2]# remote logging[/COLOR][COLOR=#000000] [/COLOR] destination remotemessages { file( [COLOR=#b21818]"/var/log/hosts/$HOST.log"[/COLOR][COLOR=#000000]); }; [/COLOR] log { source(net); destination( remotemessages); };
As you can see, these files even go in a separate subdirectory. You’ll need to adopt your logrotation rules to that, though: Else you’ll end up with pretty large files clobbering your /var/log/hosts file system…

Regards,
Jens
[/FONT]
[FONT=monospace] [/FONT]

4

there is also an Novell Cool Solutions article on doing this with syslog-ng:

Centralized Syslogging with Syslog-NG on SUSE Linux