
Sending system messages to a central location.

Posted by Steve on Wed 6 Oct 2004 at 16:31

Most administrators will be familiar with syslog. It is the standard Unix daemon which receives log and notice messages from the kernel and from other programs and writes them to files where they may be examined. The files produced vary from system to system but tend to include:
/var/log/auth.log
/var/log/messages
/var/log/syslog
/var/log/kern.log
These files are controlled by the settings in /etc/syslog.conf, which defines which messages should be logged to which file, and which ones should just be ignored. Each message sent to the syslog server carries two pieces of information in addition to the actual message text: the type of message (called the facility) and a severity level. Syslog tends to be set up so that messages from particular services end up in dedicated files. A good example of this is the handling of mail logs. If you are running a mail server such as exim or sendmail, chances are that it will send messages to syslog with the facility set to 'mail'. These messages can all be written to a single file with a setting such as this:
mail.*                          -/var/log/mail
This line in /etc/syslog.conf will cause all messages with the 'mail' facility to be logged into the file /var/log/mail. Selectors are matched on facility and severity level; in this case we only care about the facility being 'mail', and we accept any severity, signified by '*'. (The leading '-' in front of the filename tells syslogd not to sync the file to disk after every write; it is a performance setting and has no effect on which messages are logged.)

When you look after a group of machines, chances are you will not often look at the logfiles produced; even if you are keeping an eye upon logfiles, it's just too much effort to login to multiple machines and watch the logfiles on each one. An alternative approach is to cause all the log messages to be sent to a single machine, which can receive all logs and allow you to look at them all in one place. This is one of the things that syslog-ng allows.

Install it with apt-get install syslog-ng, then look at the configuration file /etc/syslog-ng/syslog-ng.conf. For the machine which you intend to receive all the messages you will need to add an extra section to allow it to listen upon the network so that it can receive messages, and tell it where to put them. A minimal network log server will need the following lines added to it:
#
#  If you wish to get logs from remote machines you will need this server
# to listen upon port 514. Note that this is TCP, not the UDP that plain
# syslogd uses, so the clients below must use tcp() as well.
#
source remote { tcp(port(514) keep-alive(no)); };

#
# Automatic host sorting
# Store all files beneath '/var/log/NAME OF MACHINE/facility
# Create these directories if required, with the given permissions.
#
destination hosts { file("/var/log/HOSTS/$HOST/$FACILITY" owner(root) 
  group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };

#
# log by host (as defined above) anything that's coming from the 
# remote socket.
#
log { source(remote); destination(hosts); };
This sets up the server for receiving messages over TCP port 514, and storing them in a directory beneath /var/log/HOSTS/ named after the sending machine. Two things are worth knowing about this. First, $HOST is whatever syslog-ng decides the sender's name is: depending on the keep_hostname and use_dns options it is either the hostname the client wrote into the message or the address the connection came from, resolved via DNS or not. Second, nothing here authenticates or encrypts the connection; any host that can reach port 514 can write whatever it likes into these files, so restrict the port with a firewall to the machines which are supposed to be logging to it. The next job is to install syslog-ng on the client machines, and then tell them to send their logs to the central server in addition to logging locally. This can be achieved by adding the following lines to their syslog-ng.conf files:
#
# Log remotely
#
###############################################################
## The IP address of the loghost. 
destination loghost {tcp("192.168.1.1" port(514));};

# send everything to loghost now that we've defined it. 'src' must be the
# name of the local source already defined in this file; later Debian
# packages call it s_all instead.
log { source(src); destination(loghost); };
###############################################################
After restarting the syslog-ng processes on the server and the client with /etc/init.d/syslog-ng restart you should see logfiles arriving. A quick check is to run logger -p mail.info "test message" on a client and then look for that line under /var/log/HOSTS/<client>/mail on the server. If you want more details on using the package you should look at the information contained in /usr/share/doc/syslog-ng and online at the syslog-ng homepage.
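The two ideas the article relies on, facility/severity selectors as written in /etc/syslog.conf and syslog-ng's per-$HOST/$FACILITY file layout, put together in one runnable Python script. This is an added example, not code from the article or from syslog-ng itself: it implements a toy TCP receiver and client on the loopback interface, assumes the simplified BSD syslog line format "<PRI>Mmm dd hh:mm:ss HOST MSG" with one message per line (the framing syslog-ng 1.x uses over TCP), and the sample messages are constructed. It also adds one check the configuration above does not spell out: a hostname taken from the message is validated before it is used as a directory name, and replaced by the peer's address if it could not be a hostname. (In real syslog-ng the value of $HOST comes from the message or from the connection according to the keep_hostname and use_dns options; the validation here is this script's own.)

```python
import os
import re
import socket
import tempfile
import threading

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# "<PRI>Mmm dd hh:mm:ss HOST MSG": the BSD syslog line, one message per line over TCP.
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
# A claimed $HOST is only safe to use as a path component if it looks like a hostname.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")

def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, so mail.info is <22> and auth.warning is <36>."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def selector_matches(selector, facility, severity):
    """syslog.conf selector semantics ('mail.*', '*.info', 'auth,authpriv.warning'):
    a named level matches that severity and anything more severe; 'none' matches nothing."""
    fac_part, level = selector.split(".")
    if "*" not in fac_part.split(",") and facility not in fac_part.split(","):
        return False
    if level in ("*", "none"):
        return level == "*"
    return SEVERITIES.index(severity) <= SEVERITIES.index(level)

def parse_line(line, peer_ip):
    """Returns (host, facility, severity, message). A line without a valid PRI is filed as
    user.notice, as RFC 3164 tells relays to do; a claimed hostname that cannot be a hostname
    (e.g. "../../etc") is replaced by the peer's address before it can become a path."""
    m = LINE_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return peer_ip, "user", "notice", line
    pri = int(m.group(1))
    host = m.group(3) if HOST_RE.match(m.group(3)) else peer_ip
    return host, FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(4)

class HostSortingServer:
    """Toy stand-in for source remote { tcp(port(514)); } feeding
    file("/var/log/HOSTS/$HOST/$FACILITY.log" perm(0600) dir_perm(0700) create_dirs(yes))."""

    def __init__(self, root, selector="*.*"):
        self.root, self.selector = root, selector
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral loopback port so the demo runs offline
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._serve_one_client)
        self.thread.start()

    def _serve_one_client(self):
        conn, (peer_ip, _) = self.sock.accept()
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as lines:
            for raw in lines:
                self.store(raw.rstrip("\n"), peer_ip)
        self.sock.close()

    def store(self, line, peer_ip):
        host, facility, severity, message = parse_line(line, peer_ip)
        if not selector_matches(self.selector, facility, severity):
            return
        host_dir = os.path.join(self.root, host)
        os.makedirs(host_dir, mode=0o700, exist_ok=True)
        fd = os.open(os.path.join(host_dir, facility + ".log"),
                     os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        with os.fdopen(fd, "a") as fh:
            fh.write("%s.%s %s\n" % (facility, severity, message))

def send_lines(port, lines):
    """The client side: destination loghost { tcp("192.168.1.1" port(514)); }."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall("".join(l + "\n" for l in lines).encode("utf-8"))

def run_exchange(lines, selector="*.*"):
    """Start a server in a fresh temp dir, ship `lines` to it, return {host/file: contents}."""
    root = tempfile.mkdtemp(prefix="HOSTS-")
    server = HostSortingServer(root, selector)
    send_lines(server.port, lines)
    server.thread.join(timeout=10)
    result = {}
    for host in sorted(os.listdir(root)):
        for name in sorted(os.listdir(os.path.join(root, host))):
            with open(os.path.join(root, host, name)) as fh:
                result[host + "/" + name] = fh.read()
    return result

# Constructed sample traffic: two honest hosts, one client claiming a hostname that would
# escape HOSTS/ if it were trusted as a path, and one line with no PRI at all.
SAMPLE = [
    "<22>Oct  6 16:31:00 mx1 exim[123]: <= steve@example.org",      # mail.info
    "<36>Oct  6 16:31:01 web2 sshd[42]: Failed password for root",  # auth.warning
    "<31>Oct  6 16:31:02 web2 cron[7]: chatter",                     # daemon.debug
    "<2>Oct  6 16:31:03 ../../etc spoofed hostname",                 # kern.crit, bogus host
    "this line has no PRI at all",
]

if __name__ == "__main__":
    print(run_exchange(SAMPLE, "*.info"))
```

Run with a "*.info" selector the script files the mail and auth lines under mx1/ and web2/, drops the daemon.debug line, and puts both the spoofed-hostname line and the PRI-less line under 127.0.0.1/, which is where the connection actually came from.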

Re: Sending system messages to a central location.
Posted by Anonymous (127.0.xx.xx) on Thu 14 Oct 2004 at 11:51

You can do this with syslog too!

For the host, the one that will be receiving the syslogs of other computers, syslogd needs to be started with the -r option to allow remote logging.

On the hosts that will be sending their logs, put an entry such as "*.* @loghost" inside syslog.conf to log everything remotely.


Re: Sending system messages to a central location.
Posted by Anonymous (127.0.xx.xx) on Tue 19 Oct 2004 at 23:13

But (as far as I know) you can't have the log output from the different computers in different files. At least I haven't figured out how.


Re: Sending system messages to a central location.
Posted by Anonymous (127.0.xx.xx) on Tue 2 Nov 2004 at 07:00

I wonder if I could use this over shfs so that the server could be somewhere remote. I also wonder if, in the case the network is down, it can cache the unsent log stuff to be sent when available.


Re: Sending system messages to a central location.
Posted by Anonymous (138.37.xx.xx) on Tue 20 Sep 2005 at 14:41
I think the following snippet for the syslog-ng.conf on the server should read with a .log, as follows:
destination hosts { file("/var/log/HOSTS/$HOST/$FACILITY.log" owner(root) 
    group(root) perm(0600) dir_perm(0700) create_dirs(yes)); };
which creates /var/log/HOSTS/ip/facility.log rather than /var/log/HOSTS/ip/facility. Logcheck and the like will be happier with the file extension.

cheers, piem


Re: Sending system messages to a central location.
Posted by Anonymous (68.3.xx.xx) on Thu 30 Nov 2006 at 07:53
I think you're right, but I think there is more to do here. I think it should really be:
destination hosts { file("/var/log/HOSTS/$HOST/$FACILITY.log"); };
The default Debian installation already has options for the rest, and the only reason you'd do that is if you wanted different permissions on the logs than the default options. Why would anybody want that if they weren't specifically looking for it? Also, like somebody else already said, (s_all) instead of (src) for the client machines these days...


Re: Sending system messages to a central location.
Posted by Anonymous (69.59.xx.xx) on Fri 28 Oct 2005 at 00:50
I got an error on the client machine during startup and changed this:

# send everything to loghost now that we've defined it.
log { source(src); destination(loghost); };

to this:
log { source(s_all); destination(loghost); };

Hope that helps someone ;)


Re: Sending system messages to a central location.
Posted by Anonymous (80.63.xx.xx) on Mon 27 Feb 2006 at 09:53
It does, thanks!


Re: Sending system messages to a central location.
Posted by Anonymous (64.76.xx.xx) on Thu 16 Mar 2006 at 22:16
Good, so good, excellent. I needed to set up a central logserver and I did it... maybe I'll copy/paste part of this article on my blog; can I modify and translate this article into Spanish?


waltico


Re: Sending system messages to a central location.
Posted by bacula (195.14.xx.xx) on Fri 28 Apr 2006 at 11:38
If you are looking for a more detailed article, with the php-syslog-ng web interface, check this nice article.


Re: Sending system messages to a central location.
Posted by Steve (212.20.xx.xx) on Fri 28 Apr 2006 at 11:47


Re: Sending system messages to a central location.
Posted by Anonymous (95.21.xx.xx) on Fri 31 May 2013 at 16:29
This is for cygwin on Windows 7

# Where to send: the central server on TCP port 514 (port() belongs inside tcp()).
destination cristina { tcp("192.168.2.201" port(514)); };
# What to send: a file on the Windows side, reached through cygwin's /cygdrive path.
source pepito { file("/cygdrive/c/Usuarios/Administrador/Escritorio/error_sistema.csv"); };
# Each statement inside log { } ends with a semicolon.
log { source(pepito); destination(cristina); };


Re: Sending system messages to a central location.
Posted by Anonymous (95.21.xx.xx) on Fri 31 May 2013 at 16:39
tar -jcvf $DIRECT /home/alumnesmx -N $fecha_ayer


Re: Sending system messages to a central location.
Posted by Anonymous (95.21.xx.xx) on Fri 31 May 2013 at 16:41
# "tu_ip" is a placeholder for the address of your log server; port() belongs inside tcp().
destination user { tcp("tu_ip" port(514)); };
# The file to ship, reached through cygwin's /cygdrive path.
source pepe { file("/cygdrive/c/Usuarios/Administrador/Escritorio/error_sistema.csv"); };
# Each statement inside log { } ends with a semicolon.
log { source(pepe); destination(user); };
