Tuesday, April 25, 2006

Syslog, Setting Up Your Own Syslog Server

A simple guide to setting up your own Syslog Server.

Building your own Syslog Environment.

Ever wanted to collect those local system logs to one
place? Setting up your Unix/Linux/Windows Machines to log
to one dedicated Syslog server is actually very easy.

#### Setting up the Syslog Server. ####

First off, you will need a simple machine, preferably running
some Unix dialect, with syslogd or syslog-ng installed.

The syslog daemon is most likely running on your system already,
but to make sure, check for its presence with ps -ef | grep syslogd:

# ps -ef | grep syslogd
root 2153 1 0 Apr19 ? 00:00:00 syslogd -m 0
salt 15126 15125 0 15:29 pts/0 00:00:00 /bin/bash -c ps -ef| grep syslogd


If syslogd is running and you want it to receive log messages from
the network, you will have to run syslogd with the -r option. Note that -r makes
syslogd listen on UDP port 514 and accept unauthenticated messages from any host
that can reach it, so limit who can reach that port. Edit the /etc/sysconfig/syslog
file to make the change permanent.

# vi /etc/sysconfig/syslog

---syslog------------------
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

---syslog-file---------------

Add the -r option on line 6 after SYSLOGD_OPTIONS="-m 0" so it reads SYSLOGD_OPTIONS="-m 0 -r",
then restart your syslog server.

# /etc/init.d/syslogd restart

Your system should now be able to collect those network logs.


#### Edit your Client to send log data to the Syslog server ####


After checking for syslogd, edit the syslog.conf file, found at /etc/syslog.conf.
Just add a line with the selector *.* followed by @syslogserver, where syslogserver is
the hostname or IP address of your syslog server, and restart your syslogd daemon.
Don't bother about the wildcard *.* for now; you can tune that later on.

Now, as user root:

# vi /etc/syslog.conf

----------------------------------------------------------------------------
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.* /dev/console

# Log anything (except mail) of level info or higher; don't log private authentication messages!
# *.info;mail.none;authpriv.none;cron.none /var/log/messages
# Replace syslogserver with the hostname or IP address of your syslog server.
*.* @syslogserver

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log
------------------------------------------------------------------------------

After adding *.* @syslogserver on line 7, see what kind of logs you get.
But don't forget to restart your syslog daemon first; it needs to re-read
your syslog.conf file.

# /etc/init.d/syslogd restart

You should now be able to see incoming log data on your syslog server:
# tail -f /var/log/messages
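As an added example that is not part of the original post, the Python script below decodes the PRI header of messages as they arrive on UDP/514 and applies the syslog.conf selector rules from the client configuration above, so you can check which actions a line such as *.* or the commented-out *.info;mail.none;authpriv.none;cron.none fires before restarting syslogd. The hostnames and sample messages are constructed.

```python
import re

# RFC 3164 facility and severity codes; the PRI in '<PRI>' is facility * 8 + severity.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

def parse_message(raw):
    """Split one '<PRI>Mmm dd hh:mm:ss host content' line as received on UDP/514."""
    m = re.match(r"<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", raw)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a BSD syslog message: %r" % raw)
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": m.group(2), "host": m.group(3), "content": m.group(4)}

def selector_matches(selector, facility, severity):
    """Evaluate a syslog.conf selector such as '*.info;mail.none;authpriv.none':
    a level selects that level and everything more severe, 'none' drops the
    facility, ',' lists facilities, ';' chains selectors ('=' and '!' not handled)."""
    match = False
    for part in selector.split(";"):
        facs, level = part.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue
        if level == "none":
            match = False
        elif level == "*":
            match = True
        else:
            match = match or SEVERITIES.index(severity) <= SEVERITIES.index(level)
    return match

def route(config, raw):
    """Return the actions (file, '@host' or '*') a syslog.conf applies to one message."""
    msg = parse_message(raw)
    rules = [line.split(None, 1) for line in config.strip().splitlines()]
    return [action for selector, action in rules
            if selector_matches(selector, msg["facility"], msg["severity"])]

# The client syslog.conf from the post, comments removed, with the *.* line in place.
CLIENT_CONF = """kern.*          /dev/console
*.*             @syslogserver
authpriv.*      /var/log/secure
mail.*          -/var/log/maillog
cron.*          /var/log/cron
*.emerg         *
uucp,news.crit  /var/log/spooler
local7.*        /var/log/boot.log"""
```

For a constructed sshd line with PRI 86 (authpriv.info), route(CLIENT_CONF, "<86>Apr 25 15:29:01 client sshd[2153]: session opened") returns ['@syslogserver', '/var/log/secure'], while the same facility is dropped by the commented-out *.info;mail.none;authpriv.none;cron.none selector.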

Enjoy!

1 comment:

Jerry said...

There hasn't been an update on this blog in a long while.

I will say that much of the world has moved away from the normal syslogd and toward either rsyslog or syslog-ng.

Additionally, here is a post on hardening a syslog server.