Monday, 13 January 2014

How to configure syslog Server and Client

 Centralized log server (syslog server)

Suppose we have a server and 5 client machines. And we want to monitor the logs of all those client machines. In situations like this, we will use centralized server as a log server. Whatever events are happening in client machines, the logs will be sent to the server. So that we can monitor all the logs from a centralized server. We make use of syslog service for this.

 Features of syslog

1. Logs the daemon information to localhost
2. Logs the daemon information to Remote host
3. Logs the daemon information to List of users
4. Logs the daemon information to console

rsyslog.i386:Enhanced system logging and kernel message trapping daemon

sysklogd.i386:System logging and kernel message trapping daemons.

[root@localhost ~]# rpm -q sysklogd
[root@localhost ~]#
[root@localhost ~]# rpm -qf /etc/syslog.conf

# yum install sysklogd

# service syslog status
syslogd (pid  1929) is running...
klogd (pid  1932) is running...

I. Server Configuration (Where all logs will collect from remote machines)  ----

Service name: syslog
configuration file: # vim /etc/sysconfig/syslog  ----- Server Configuration File

Port: 514

1. Open the /etc/sysconfig/syslog file and add "-r" option to the variable SYSLOGD_OPTIONS as shown below.

[root@server ~]# vim /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
[root@server ~]#

2. Restart the syslog service.
# service syslog restart

Shutting down kernel logger:  [  OK  ]
Shutting down system logger:  [  OK  ]
Starting system logger:       [  OK  ]
Starting kernel logger:       [  OK  ]

# chkconfig syslog on

II. Configuration for Client Machines ----

service name: syslog
Configuration file: /etc/syslog.conf --- Client Configuration File

# vim /etc/syslog.conf

The configuration file /etc/syslog.conf has two parts
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
[selector field(Facility.priority)]        [action field]

 They are selector field and actions field. Selector field is again divided into two. Facilities and priorities.

Facility examples are (authpriv,kern,mail,local7 etc)

The priority is one of the following in ascending order: debug(0), info, notice, warning(warn), error(err), crit, alert,emerg(panic(7))

Actions can be regular files,console,list of users,remote machine ip etc.

1. Open the configuration file /etc/syslog.conf and add an entry to redirect the logs to the remote server.

# vim /etc/syslog.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                    /dev/console
*.* @

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                /var/log/secure

# Log all the mail messages in one place.
mail.*                                    -/var/log/maillog

# Log cron stuff
cron.*                                   /var/log/cron

# Everybody gets emergency messages
*.emerg                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                         /var/log/spooler

# Save boot messages also to boot.log
local7.*                               /var/log/boot.log

# FTP Log                               /var/log/xferlog

# Cron log
cron.*                                /var/log/cron

# Save news errors of level crit and higher in a special file.
uucp,news.crit                       /var/log/spooler

if you want to check the cron logs from a client machine, go to the appropriate log file in server machine and watch the logs.

2. Restart the service

# service syslog restart

In server open a terminal and watch /var/log/messages and restart syslog service in client. You can see the log from clinet coming to server.

# tailf /var/log/messages  -----> In Server

now restart syslod service in client machine

Dec 11 07:59:51 kernel: Kernel logging (proc) stopped.
Dec 11 07:59:51 kernel: Kernel log daemon terminating.
Dec 11 07:59:51 exiting on signal 15
Dec 11 07:59:52 syslogd 1.4.1: restart.
Dec 11 07:59:52 kernel: klogd 1.4.1, log source = /proc/kmsg started.

Here show the response coming from the client machine.

"Date Hostname Name_of_the_application: Actual_log_message"

Dec 11 07:59:51 kernel:KernelLogging(proc)stopped.
  Date           Hostname   Name_of_the_application:

Allow the port 514 and UDP connection in IPtables if you are using any.

# The Default rule i used is DROP, so you can use the rule as your own

# Allow incoming and outgoing syslogd services

-A INPUT -i eth0 -p udp --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT

-A OUTPUT -o eth0 -p udp --sport 514 -m state --state ESTABLISHED -j ACCEPT

-A OUTPUT -o eth0 -p udp --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT

-A INPUT -i eth0 -p udp --sport 514 -m state --state ESTABLISHED -j ACCEPT

No comments:

Post a Comment