The most important attributes of a syslog message are the facility, which identifies the type of program that produced it (24 facilities), and the severity level (8 levels). The information carried in each message is the date, the hostname and the event message itself.
The goal of this paper is to build a simple centralized syslog server; it does not cover the security aspects (maybe in another paper).
The syslog implementation package has a different name depending on the distribution: on RHEL/CentOS 5 it is syslog, and on RHEL/CentOS 6 it is rsyslog. In this paper I use RHEL/CentOS 6, but you can adapt it to version 5 by replacing rsyslog with syslog.
Server: syslog.intra.local
Client: client.intra.local
Step 1: Install rsyslog
Already installed on most systems. If not:
[root@syslog]#yum install rsyslog
Step 2: Configure the rsyslog server
Update the file /etc/rsyslog.conf
[root@syslog]#vim /etc/rsyslog.conf
#Make rsyslog listen on port 514/udp (uncomment or add these two lines)
$ModLoad imudp
$UDPServerRun 514
#Configure the file path for each facility (you are not obliged to configure all facilities):
kern.* /var/log/kern.log #kernel messages
user.* /var/log/user.log #user-level messages
mail.* /var/log/mail.log #mail system
daemon.* /var/log/daemon.log #system daemons
auth.* /var/log/auth.log #security/authorization messages
syslog.* /var/log/syslog.log #messages generated internally by syslogd
lpr.* /var/log/lpr.log #line printer subsystem
news.* /var/log/news.log #network news subsystem
uucp.* /var/log/uucp.log #UUCP subsystem
9.* /var/log/clock.log #clock daemon
authpriv.* /var/log/authpriv.log #security/authorization message
ftp.* /var/log/ftp.log #FTP daemon
12.* /var/log/ntp.log #NTP subsystem
13.* /var/log/audit.log #log audit
14.* /var/log/alert.log #log alert
cron.* /var/log/cron.log #clock daemon
local0.* /var/log/local0.log #local use 0 (local0)
local1.* /var/log/local1.log #local use 1 (local1)
local2.* /var/log/local2.log #local use 2 (local2)
local3.* /var/log/local3.log #local use 3 (local3)
local4.* /var/log/local4.log #local use 4 (local4)
local5.* /var/log/local5.log #local use 5 (local5)
local6.* /var/log/local6.log #local use 6 (local6)
local7.* /var/log/local7.log #local use 7 (local7)
Restart the rsyslog daemon:
[root@syslog]#service rsyslog restart
Step 3: Open the firewall
[root@syslog]#iptables -I INPUT 2 -p udp --dport 514 -j ACCEPT #this opens 514/udp to all networks
[root@syslog]#service iptables save
Step 4: Configure the client
Open the rsyslog configuration file on the client:
[root@client]#vim /etc/rsyslog.conf
Add this line (a single @ forwards over UDP):
*.* @syslog.intra.local
Step 5: Test
For testing, we will use "logger", a shell command interface for sending messages to the syslog system.
Usage: logger -p facility.level "message"
[root@client]#logger -p user.info "This is a test"
On the server:
[root@syslog]#tail -1 /var/log/user.log
Jun 1 14:16:05 client root: This is a test
That's all, folks!
With this configuration, all events from all hosts that send messages to the syslog server end up in one file per facility. This is not practical for searching. We can use rsyslog templates to organize the logs as /var/log/IP_HOST/*.log instead.
Not everyone is comfortable with the command line; to make searching, reporting and alerting easier, we need more sophisticated tools. In another paper, I will show how to install and configure Graylog, an enterprise, open source platform for collecting, indexing, and analyzing both structured and unstructured data from almost any source.
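To make the facility/severity encoding at the top of this paper, the "logger -p user.info" test from Step 5 and the per-host layout just mentioned concrete, here is a small Python example. It is added for this page and is not code from rsyslog, logger or the author: it encodes and decodes the PRI number, parses the datagram that the server receives on 514/udp, rebuilds the Step 5 test message, and computes the /var/log/IP_HOST/<facility>.log path that an rsyslog dynamic file template would produce. The function names, the sample year in SAMPLE_TIME, the template name "PerHost", the facility labels for codes 12-15 and the source address 192.0.2.10 are assumptions made for the example.

```python
"""Helpers for the BSD syslog format (RFC 3164) received by the collector above.
Written for this page; not code from rsyslog or logger."""
import re
import socket
from datetime import datetime

# Facility codes from RFC 3164 / RFC 5424. Names for 0-11 and 16-23 are the rsyslog
# selector keywords; 12-15 have no keyword in rsyslog, which is why the configuration
# above addresses them numerically (12.*, 13.*, 14.*). Code 9 is what "cron" stands
# for, so "9.*" and "cron.*" select the same messages. Labels for 12-15 are ours.
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "logaudit", 14: "logalert", 15: "clock2",
}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
FACILITY_CODES = {name: code for code, name in FACILITIES.items()}

# Severity codes from RFC 3164, plus the aliases logger accepts.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_CODES = {name: code for code, name in enumerate(SEVERITIES)}
SEVERITY_CODES.update({"panic": 0, "error": 3, "warn": 4})

# Constructed sample: the Step 5 test message as it travels on the wire.
# RFC 3164 pads the day with a space ("Jun  1") and does not transmit the year.
SAMPLE_RAW = "<14>Jun  1 14:16:05 client root: This is a test"
SAMPLE_TIME = datetime(2013, 6, 1, 14, 16, 5)  # the year is an assumption


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity: the number inside the angle brackets."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0-191")
    return divmod(pri, 8)


def pri_from_selector(selector: str) -> int:
    """Turn a 'facility.level' string, as given to logger -p, into a PRI.
    Numeric facilities such as '9' are accepted too, mirroring the numeric
    selectors (9.*, 12.*, ...) in the rsyslog.conf above."""
    fac_name, sev_name = selector.lower().split(".", 1)
    facility = int(fac_name) if fac_name.isdigit() else FACILITY_CODES[fac_name]
    return encode_pri(facility, SEVERITY_CODES[sev_name])


# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: CONTENT
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


def parse_bsd_syslog(raw: str) -> dict:
    """Split one datagram into the fields the collector writes to its log files."""
    m = _BSD_RE.match(raw)
    if m is None:
        raise ValueError(f"not a well-formed BSD syslog message: {raw!r}")
    facility, severity = decode_pri(int(m["pri"]))
    return {
        "facility": facility, "facility_name": FACILITIES[facility],
        "severity": severity, "severity_name": SEVERITIES[severity],
        "timestamp": m["ts"], "hostname": m["host"], "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None, "message": m["msg"],
    }


def build_message(selector: str, hostname: str, tag: str, text: str, when: datetime) -> str:
    """Build the datagram that 'logger -p selector text' sends from hostname."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri_from_selector(selector)}>{stamp} {hostname} {tag}: {text}"


def send_udp(message: str, server: str, port: int = 514) -> int:
    """Send one message to your collector over 514/udp; returns the byte count."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (server, port))


# Per-source layout that rsyslog can produce with a dynamic file template
# (the template name "PerHost" is an assumption; the properties are rsyslog's):
#   $template PerHost,"/var/log/%FROMHOST-IP%/%syslogfacility-text%.log"
#   *.* ?PerHost
def dynafile_path(parsed: dict, source_ip: str) -> str:
    """Where a parsed message would land under /var/log/IP_HOST/<facility>.log."""
    return f"/var/log/{source_ip}/{parsed['facility_name']}.log"


if __name__ == "__main__":
    fields = parse_bsd_syslog(SAMPLE_RAW)
    print(fields["facility_name"], fields["severity_name"], fields["hostname"], fields["message"])
    print(dynafile_path(fields, "192.0.2.10"))  # 192.0.2.10 is a documentation address
    # To exercise your own collector, send the same message the client did:
    # send_udp(build_message("user.info", "client", "root", "This is a test", SAMPLE_TIME),
    #          "syslog.intra.local")
```

Running the script prints "user info client This is a test" and "/var/log/192.0.2.10/user.log" for the Step 5 message; the commented send_udp call is the equivalent of the logger command when you want to test the collector from a host without logger.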