Centralized log server (syslog server)
Suppose we have a server and 5 client machines, and we want to monitor the logs of all those client machines. In a situation like this we use a centralized server as a log server: whatever events happen on the client machines, their logs are sent to the server, so that we can monitor all the logs from one central place. We make use of the syslog service for this.
Features of syslog
1. Logs the daemon information to localhost
2. Logs the daemon information to Remote host
3. Logs the daemon information to List of users
4. Logs the daemon information to console
rsyslog.i386:Enhanced system logging and kernel message trapping daemon
sysklogd.i386:System logging and kernel message trapping daemons.
[root@localhost ~]# rpm -q sysklogd
sysklogd-1.4.1-46.el5
[root@localhost ~]#
[root@localhost ~]# rpm -qf /etc/syslog.conf
sysklogd-1.4.1-46.el5
# yum install sysklogd
# service syslog status
syslogd (pid 1929) is running...
klogd (pid 1932) is running...
I. Server Configuration (where all logs from the remote machines are collected) ---- 192.168.0.140
Service name: syslog
Configuration file: /etc/sysconfig/syslog ----- Server Configuration File
Port: 514
1. Open the /etc/sysconfig/syslog file and add the "-r" option to the SYSLOGD_OPTIONS variable as shown below.
[root@server ~]# vim /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
[root@server ~]#
2. Restart the syslog service.
# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
# chkconfig syslog on
II. Configuration for Client Machines ---- 192.168.0.108
Service name: syslog
Configuration file: /etc/syslog.conf --- Client Configuration File
# vim /etc/syslog.conf
Each line of the configuration file /etc/syslog.conf has two parts: a selector field and an action field.
Eg:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
[selector field (facility.priority)] [action field]
The selector field is again divided into two: a facility and a priority.
Facility examples: authpriv, kern, mail, local7, etc.
The priority is one of the following, in ascending order: debug(0), info, notice, warning(warn), error(err), crit, alert, emerg(panic)(7). A selector of the form facility.priority matches that priority and everything more severe; "none" matches nothing for that facility and overrides an earlier "*" on the same line.
Actions can be regular files, the console, a list of users, a remote machine IP, etc.
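To see which actions a message actually reaches under these rules, here is an added example (not code from the post): a small Python model of sysklogd selector matching, loaded with the client /etc/syslog.conf entries this post uses. It also handles the "=" and "!" priority prefixes that sysklogd accepts, which the post does not use.

```python
# Added example (not the post's code): sysklogd selector matching for the post's client syslog.conf.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]

def _canon(priority):
    # Map a priority name (or one of its aliases) to its canonical spelling.
    return PRIORITIES[PRIORITIES.index(ALIASES.get(priority, priority))]

def parse_rule(line):
    """One 'selector[;selector...] action' line -> ({facility: set(priorities)}, action)."""
    selectors, action = line.split(None, 1)
    mask = {}
    for sel in selectors.split(";"):
        facs, prio = sel.split(".", 1)
        facs = FACILITIES if facs == "*" else facs.split(",")
        negate = prio.startswith("!")          # '!x' removes priorities instead of selecting
        prio = prio.lstrip("!")
        if prio == "none":
            chosen = set()
        elif prio == "*":
            chosen = set(PRIORITIES)
        elif prio.startswith("="):
            chosen = {_canon(prio[1:])}         # exactly this level
        else:
            chosen = set(PRIORITIES[PRIORITIES.index(_canon(prio)):])  # this level and above
        for fac in facs:                        # later selectors override earlier ones
            mask[fac] = (mask.get(fac, set()) - chosen) if negate else chosen
    return mask, action

def load_rules(text):
    return [parse_rule(l.strip()) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def route(rules, facility, priority):
    """Actions that receive a facility.priority message, in file order."""
    prio = _canon(priority)
    return [action for mask, action in rules if prio in mask.get(facility, set())]

# The client-side rules from this post (comments dropped), used as the sample configuration.
SAMPLE_CONF = """\
*.* @192.168.0.140
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
"""
RULES = load_rules(SAMPLE_CONF)
```

Running route(RULES, "authpriv", "info") shows the point worth checking in this setup: the "*.* @192.168.0.140" line forwards authpriv messages to the server even though the local /var/log/messages rule excludes them.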
1. Open the configuration file /etc/syslog.conf and add an entry to redirect the logs to the remote server.
# vim /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
*.* @192.168.0.140
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# FTP Log
ftp.info /var/log/xferlog
# Cron log
cron.* /var/log/cron
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
If you want to check the cron logs of a client machine, open the corresponding log file on the server machine and watch the logs there.
2. Restart the service
# service syslog restart
Checking:-
On the server, open a terminal and watch /var/log/messages, then restart the syslog service on the client. You will see the client's log lines arriving at the server.
# tailf /var/log/messages -----> In Server
Now restart the syslog service on the client machine:
Dec 11 07:59:51 192.168.0.108 kernel: Kernel logging (proc) stopped.
Dec 11 07:59:51 192.168.0.108 kernel: Kernel log daemon terminating.
Dec 11 07:59:51 192.168.0.108 exiting on signal 15
Dec 11 07:59:52 192.168.0.108 syslogd 1.4.1: restart.
Dec 11 07:59:52 192.168.0.108 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Here 192.168.0.108 shows that the message came from the client machine. Each line has the format
"Date Hostname Name_of_the_application: Actual_log_message"
so for the first line above,
Dec 11 07:59:51 192.168.0.108 kernel: Kernel logging (proc) stopped.
the fields are:
Date: Dec 11 07:59:51
Hostname: 192.168.0.108
Name_of_the_application: kernel
Actual_log_message: Kernel logging (proc) stopped.
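The following is an added example (not code from the post) that parses lines in this format as the server sees them and summarises them per sending host: how many lines arrived, whether the host is one of the clients we expect (a constructed allow-list containing the post's client), and how many times the client's syslogd restarted, since each restart is a gap in that client's logging. The application tag is treated as optional because lines such as "exiting on signal 15" have none.

```python
# Added example (not the post's code): parse lines as the server receives them
# ("Date Hostname Name_of_the_application: Actual_log_message") and summarise
# per client; the tag part is optional because lines like "exiting on signal 15" have none.
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (?:([^:]+): )?(.*)$")

# Constructed allow-list of the clients that should be forwarding to this server.
EXPECTED_CLIENTS = {"192.168.0.108"}

def parse_line(line):
    """Split one line into its four fields; None if it is not in the expected format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, host, tag, msg = m.groups()
    return {"time": ts, "host": host, "tag": tag, "msg": msg}

def summarise(lines, expected=EXPECTED_CLIENTS):
    """Per sending host: line count, syslogd restarts seen, and whether the host is expected."""
    hosts = defaultdict(lambda: {"messages": 0, "logger_restarts": 0, "expected": False})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # not in syslog format; skipped here
        entry = hosts[ev["host"]]
        entry["messages"] += 1
        entry["expected"] = ev["host"] in expected
        # "syslogd 1.4.1: restart." marks a restart of the client's logger, i.e. a gap in its logs.
        if ev["tag"] and ev["tag"].startswith("syslogd") and ev["msg"].startswith("restart"):
            entry["logger_restarts"] += 1
    return dict(hosts)

# Constructed sample: the five lines from this post plus one line from an
# unexpected host and one line that is not in syslog format.
SAMPLE_LINES = [
    "Dec 11 07:59:51 192.168.0.108 kernel: Kernel logging (proc) stopped.",
    "Dec 11 07:59:51 192.168.0.108 kernel: Kernel log daemon terminating.",
    "Dec 11 07:59:51 192.168.0.108 exiting on signal 15",
    "Dec 11 07:59:52 192.168.0.108 syslogd 1.4.1: restart.",
    "Dec 11 07:59:52 192.168.0.108 kernel: klogd 1.4.1, log source = /proc/kmsg started.",
    "Dec 11 08:00:01 192.168.0.55 cron[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not in syslog format",
]

if __name__ == "__main__":
    for host, info in summarise(SAMPLE_LINES).items():
        print(host, info)
```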
Allow UDP port 514 in iptables if you are using it.
# The default rule I used is DROP, so adapt the rules to your own setup
# Allow incoming and outgoing syslogd services
# INCOMING
-A INPUT -i eth0 -p udp --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp --sport 514 -m state --state ESTABLISHED -j ACCEPT
# OUTGOING
-A OUTPUT -o eth0 -p udp --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp --sport 514 -m state --state ESTABLISHED -j ACCEPT