Centralized log server (syslog server)

Suppose we have a server and 5 client machines. And we want to monitor the logs of all those client machines. In situations like this, we will use centralized server as a log server. Whatever events are happening in client machines, the logs will be sent to the server. So that, we can monitor the logs from a centralized server. We make use of syslog service for this.

Server Side Configuration Steps:

1. Open the /etc/sysconfig/syslog file and add “-r” option to the variable SYSLOGD_OPTIONS as shown below.

[root@server ~]# vim /etc/sysconfig/syslog

# Options to syslogd

# -m 0 disables ‘MARK’ messages.

# -r enables logging from remote machines

# -x disables DNS lookups on messages recieved with -r

# See syslogd(8) for more details

SYSLOGD_OPTIONS=”-r -m 0″

# Options to klogd

# -2 prints all kernel oops messages twice; once for klogd to decode, and

# once for processing with ‘ksymoops’

# -x disables all klogd processing of oops messages entirely

# See klogd(8) for more details

KLOGD_OPTIONS=”-x”

#

SYSLOG_UMASK=077

# set this to a umask value to use for all log files as in umask(1).

# By default, all permissions are removed for “group” and “other”.

2. Restart the syslog service.

[root@server ~]# service syslog restart

Shutting down kernel logger: [ OK ]

Shutting down system logger: [ OK ]

Starting system logger: [ OK ]

Starting kernel logger: [ OK ]

Client Side Configuration Steps:

1. Open the configuration file /etc/syslog.conf and add an entry to redirect the logs to the remote server.

[root@vm1 ~]# vim /etc/syslog.conf

# Log all kernel messages to the console.

# Logging much else clutters up the screen.

#kern.* /dev/console

 *.* @your-syslogserver-ip

# Log anything (except mail) of level info or higher.

# Don’t log private authentication messages!

*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.

##authpriv.* /var/log/secure

# Log all the mail messages in one place.

mail.* -/var/log/maillog

 # Log cron stuff

cron.* /var/log/cron

# Everybody gets emergency messages

*.emerg *

# Save news errors of level crit and higher in a special file.

uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log

local7.* /var/log/boot.log

2. Restart the service

[root@vm1 ~]# service syslog restart

Shutting down kernel logger: [ OK ]

Shutting down system logger: [ OK ]

Starting system logger: [ OK ]

Starting kernel logger: [ OK ]

Checking:

On server open a terminal and watch /var/log/messages and restart syslog service in client. You can see the log from clinet coming to server.

[root@server ~]# tail -f /var/log/messages

Oct 15 14:42:30 vm1 kernel: Kernel logging (proc) stopped.

Oct 15 14:42:30 vm1 kernel: Kernel log daemon terminating.

Oct 15 14:42:31 vm1 exiting on signal 15

Oct 15 14:42:31 vm1 syslogd 1.4.1: restart.

Oct 15 14:42:31 vm1 kernel: klogd 1.4.1, log source = /proc/kmsg started.

Fields in log from remote machine:

Date Hostname Name_of_the_application: Actual_log_message

Posted in: Linux.
Last Modified: November 19, 2013

Leave a reply