Configure Centralized Syslog server in Linux & setup syslog clients on different platforms

Linux comes with a built-in syslog package that you can use as a centralized syslog server: it can receive the log messages from all of your network devices and appliances and store them in one remote, central location. There are also other popular syslog packages for Linux, such as syslog-ng, rsyslog and the Splunk syslog server, which offer more features and flexibility.

In this tutorial we are going to use the syslogd/sysklogd server, which is multi-platform and proven, stable software.

[Syslog Server]

1. Verify that the sysklogd package is installed.

[root@freelinux ~]# rpm -qa | grep sysklogd
sysklogd-1.4.1-46.el5

2. Start the syslog daemon.

[root@freelinux ~]# service syslog start
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]

3. Verify that the process is running.

[root@freelinux ~]# ps -ef | grep syslog
root      2174     1  0 17:53 ?        00:00:00 syslogd -m 0
root      2180  2110  0 17:54 pts/1    00:00:00 grep syslog
[root@freelinux ~]# ls -la /var/run | grep syslog
-rw-------  1 root  root     5 Oct  9 17:53 syslogd.pid

4. Configure syslog.

configuration files:
/etc/sysconfig/syslog
/etc/syslog.conf

Add the "-r" option to SYSLOGD_OPTIONS to enable logging from remote machines:

[root@freelinux ~]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
#    once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".

5. Restart the syslog service.

[root@freelinux ~]# service syslog restart
Shutting down kernel logger: [  OK  ]
Shutting down system logger: [  OK  ]
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]
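A small audit of the settings from step 4, added here as an example that is not part of the original tutorial: it parses an /etc/sysconfig/syslog style file and reports whether remote reception (-r) is enabled and which of the related options documented in that file accompany it. The sample text is constructed to mirror the tutorial's configuration, and the function names are the example's own.

```python
"""Audit the sysklogd options in an /etc/sysconfig/syslog style file
(added example, not from the tutorial)."""
import shlex

# Constructed sample that mirrors the server configuration in the tutorial.
SAMPLE_SYSCONFIG = '''
# Options to syslogd
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
KLOGD_OPTIONS="-x"
SYSLOG_UMASK=077
'''


def parse_sysconfig(text):
    """Return {VAR: value} for shell-style VAR=value lines, ignoring comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        # shlex removes the surrounding quotes the same way the shell would
        values[key.strip()] = " ".join(shlex.split(raw))
    return values


def flag_value(flags, name):
    """Token following a flag, e.g. ['-r', '-m', '0'] with '-m' -> '0'; None if absent."""
    if name in flags and flags.index(name) + 1 < len(flags):
        return flags[flags.index(name) + 1]
    return None


def audit_syslogd(values):
    """Return (remote_enabled, findings) for parsed sysconfig values."""
    flags = shlex.split(values.get("SYSLOGD_OPTIONS", ""))
    remote = "-r" in flags
    findings = []
    if not remote:
        findings.append("SYSLOGD_OPTIONS lacks -r: syslogd will not accept remote messages")
    elif "-x" not in flags:
        # syslogd(8): without -x every received remote message triggers a DNS lookup
        findings.append("-r without -x: syslogd does a DNS lookup for every remote message")
    if flag_value(flags, "-m") != "0":
        findings.append("MARK messages are not disabled (-m 0 missing)")
    umask = values.get("SYSLOG_UMASK", "")
    # 077 removes all group/other bits from newly created log files
    if not umask or int(umask, 8) & 0o077 != 0o077:
        findings.append("SYSLOG_UMASK does not remove group/other permissions from new log files")
    return remote, findings


if __name__ == "__main__":
    enabled, problems = audit_syslogd(parse_sysconfig(SAMPLE_SYSCONFIG))
    print("remote logging enabled:", enabled)
    for problem in problems:
        print(" -", problem)
```

Run it against the real file with `parse_sysconfig(open("/etc/sysconfig/syslog").read())`; on the tutorial's configuration the only finding is that -r is used without -x.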

[Client devices]

configuration file: /etc/syslog.conf

a. Linux servers

[root@freelinux ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Forward a copy of every message to the central syslog server.
*.* @172.16.0.100

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

b. Cisco/Motorola devices

Cisco#configure terminal
Cisco(config)#logging facility local6
Cisco(config)#logging 172.16.0.49

c. Juniper OS
darwin@Juniper> configure
Entering configuration mode

{master}[edit]
darwin@Juniper#
darwin@Juniper# set system syslog host a.a.a.a facility-override local6 any any
darwin@Juniper# commit synch

darwin@Juniper# show configuration

host 172.16.0.100 {
    any any;
    facility-override local6;
}

d. Unix (HP-UX)

# @(#)B.11.11_LR
#
# syslogd configuration file.
#
# See syslogd(1M) for information about the format of this file.
#
mail.debug              /var/adm/syslog/mail.log
*.info;mail.none;local1.none;local2.none;local5.none;local6.none;local7.none    /var/adm/syslog/syslog.log
*.alert                 /dev/console
#*.alert                        root
*.emerg                 *
local4.info             /var/adm/syslog/fw.log
local6.info             /var/adm/syslog/cisco.log

e. Windows

There is no way to configure Windows as a syslog client directly or to send its event log messages to a syslog server. You have to use a syslog client such as Snare or winlogd, which I will not cover in this tutorial. Alternatively, you can send your event logs as SNMP traps by configuring the SNMP service and using the event-to-trap translator, the "evntwin" command.

Additional Tips:

1. To make syslogd re-read its configuration file, send it a HANGUP signal (the pid file is the one listed under /var/run in step 3):
[root@freelinux ~]# kill -HUP `cat /var/run/syslogd.pid`

2. Familiarize yourself with the syslog facilities and severity levels. A good reference is the Wikipedia article at http://en.wikipedia.org/wiki/Syslog. A sample syslog.conf in the Config-Scripts section shows how useful these are for system administrators.

3. To verify that messages are being logged by your syslogd, or to test a rule in /etc/syslog.conf, use the "logger" command.

e.g., with this rule in /etc/syslog.conf:
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

[root@freelinux ~]# logger -p user.info "Test Message"
[root@freelinux ~]# tail /var/log/messages
Oct 11 21:25:39 localhost root: Test Message
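The facility/severity arithmetic behind tip 2, the message format that logger produces in tip 3, and the selector syntax used in the client syslog.conf files above (including why a router configured with "logging facility local6" ends up in a local6.info rule such as the HP-UX cisco.log line), worked through as an added example that is not part of the original tutorial. The sample syslog.conf is constructed from the rules shown on this page, and all function names are the example's own.

```python
"""Syslog facility/severity codes, RFC 3164 message framing and syslog.conf
selector matching (added example, not from the tutorial)."""
import re
import socket
from datetime import datetime

# Facility and severity codes from syslog(3) / RFC 3164.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. local6.info -> 182, user.info -> 14."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Inverse of encode_pri: 182 -> ('local6', 'info')."""
    fac, sev = divmod(pri, 8)
    return FACILITY_NAMES.get(fac, "unknown"), SEVERITY_NAMES[sev]


def build_message(facility, severity, hostname, tag, text, when=None):
    """Frame a line the way logger(1) puts it on the wire:
    <PRI>Mmm dd hh:mm:ss host tag: text   (day is space padded, e.g. 'Oct  9')."""
    when = when or datetime.now()
    ts = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s" % (encode_pri(facility, severity), ts, hostname, tag, text)


MSG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[(\d+)\])?: (.*)$")


def parse_message(raw):
    """Split a wire-format line into its fields; ValueError if it is malformed."""
    m = MSG_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % raw)
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "pid": m.group(5), "text": m.group(6)}


def selector_matches(selector, facility, severity):
    """Evaluate a selector like '*.info;mail.none;authpriv.none;cron.none'.
    Parts apply left to right; a later part for the same facility overrides an
    earlier one, as sysklogd does. Priority forms: '*', 'none', 'level' (that
    level and more severe), '=level' (exactly), '!level' (below that level)."""
    allowed = {f: set() for f in FACILITIES}
    for part in selector.split(";"):
        facs, _, pri = part.partition(".")
        targets = list(FACILITIES) if facs == "*" else facs.split(",")
        if pri == "none":
            levels = set()
        elif pri == "*":
            levels = set(SEVERITIES.values())
        elif pri.startswith("="):
            levels = {SEVERITIES[pri[1:]]}
        elif pri.startswith("!"):
            levels = {n for n in SEVERITIES.values() if n > SEVERITIES[pri[1:]]}
        else:  # more severe means numerically lower
            levels = {n for n in SEVERITIES.values() if n <= SEVERITIES[pri]}
        for f in targets:
            allowed[f] = levels
    return SEVERITIES[severity] in allowed[facility]


def parse_syslog_conf(text):
    """Return [(selector, action)] pairs from syslog.conf text, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            selector, action = line.split(None, 1)
            rules.append((selector, action))
    return rules


def route(rules, facility, severity):
    """Every action (file, '@host', '*') a message is delivered to, in rule order."""
    return [action for selector, action in rules if selector_matches(selector, facility, severity)]


def send_udp(message, server, port=514):
    """Send one framed line to a syslogd started with -r. Plain UDP carries no
    authentication, encryption or delivery guarantee. Not called offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("ascii", "replace"), (server, port))


# Constructed sample: the Linux client rules from this page plus the HP-UX
# 'local6.info' line, to show where a router logging as local6 ends up.
SAMPLE_CONF = """
*.* @172.16.0.100
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
local6.info /var/adm/syslog/cisco.log
"""
RULES = parse_syslog_conf(SAMPLE_CONF)

if __name__ == "__main__":
    msg = build_message("local6", "info", "Cisco", "router", "link up")
    print(msg, "->", route(RULES, *decode_pri(int(msg[1:msg.index(">")]))))
```

Note that the stored line in /var/log/messages (tip 3) has no `<PRI>` prefix: syslogd strips it before writing, so parse_message is for what arrives on UDP port 514, not for reading the files back.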

About the author

Free Linux

3 Comments

  • Can I see the logs from a web console?
