Nicolas314

All my geeky stuff ends up here. Mostly Unix-related

Junior as syslog archiver

with 2 comments

Idea

You have a Junior box or equivalent sitting at the heart of your home network and want to use it as a network syslog archiver for all of your machines.

Aim

All Unix machines on your network store their syslog messages locally and also send them to Junior through UDP packets, where they are stored in separate files for each machine.

Solution

install syslog-ng

The default Debian syslogd can also accept syslog messages sent over the network by other machines on the same subnet (the -r option). Unfortunately, it cannot easily be configured to store logs separately for each machine, so everything ends up in the same files, mixing messages from all hosts with the local ones. This gets confusing quickly.

Enter syslog-ng: this new generation brings a lot of useful features, among them much finer control over how incoming messages are filtered and where they are stored. The procedure to install it is as follows:


apt-get install syslog-ng

This will install syslog-ng and remove syslog.

For this example I assume we have a machine on the local network called ‘billy’ at address 192.168.1.10. Modify your /etc/syslog-ng/syslog-ng.conf configuration file as follows:

Add a UDP listener by un-commenting udp() in the source list:

source s_all {
    # message generated by Syslog-NG
    internal();
    # standard Linux log source (this is the default place for the syslog()
    # function to send logs to)
    unix-stream("/dev/log");
    # messages from the kernel
    file("/proc/kmsg" log_prefix("kernel: "));
    # use the following line if you want to receive remote UDP logging messages
    # (this is equivalent to the "-r" syslogd flag)
    udp();
};

Add another destination for log files generated by billy:

destination df_billy { file("/var/log/billy/messages.log"); };

Add a filter based on IP:

# all messages from billy
filter f_billy { netmask("192.168.1.10/32"); };

There are probably better ways to do filtering than providing a static IP address. Bear with me, I did not want to get any deeper into syslog-ng documentation since this fits the bill.

Add a rule to combine filter and output directory:

# Billy logs
log {
    source(s_all);
    filter(f_billy);
    destination(df_billy);
};

On billy, make sure syslogd is started with the option -R x.x.x.x, where x.x.x.x is the IP address of your syslog archive box.

You should now get messages logged in /var/log/billy/messages.log.
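As an added example (not part of the original post), here is a generalised version of the same setup that keys the destination on the sending host instead of one hand-written filter per machine, keeps local and remote messages apart, and tightens the listener and file permissions. It assumes Junior's LAN address is 192.168.1.1 and a 192.168.1.0/24 home subnet; the $HOST macro and the keep_hostname, use_dns, create_dirs, dir_perm and perm options are standard syslog-ng options.

```conf
# Global options: trust the sender address rather than the hostname claimed
# inside the packet (keep_hostname(no) plus use_dns(no) makes $HOST the
# sender's IP address), and let syslog-ng create one directory per host.
options {
    keep_hostname(no);
    chain_hostnames(no);
    use_dns(no);
    create_dirs(yes);
};

# Local sources stay separate from the network listener, so local messages
# never end up mixed into the remote archive.
source s_local {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
};

# Assumed: Junior's LAN address is 192.168.1.1. Binding the listener to it
# (instead of a bare udp()) keeps port 514 closed on any other interface.
source s_net { udp(ip("192.168.1.1") port(514)); };

# Only accept senders from the home subnet (assumed 192.168.1.0/24).
# UDP syslog is unauthenticated: this sorts and limits traffic, it does not
# prove who really sent a message.
filter f_lan { netmask("192.168.1.0/24"); };

# One file per sending host, e.g. /var/log/remote/192.168.1.10/messages.log
# for billy. Restrict permissions so archived logs are not world-readable.
destination df_remote {
    file("/var/log/remote/$HOST/messages.log" dir_perm(0750) perm(0640));
};

destination df_local { file("/var/log/messages"); };

log { source(s_net);   filter(f_lan); destination(df_remote); };
log { source(s_local); destination(df_local); };
```

Restart syslog-ng after editing, then check that a message from billy appears under /var/log/remote/192.168.1.10/ and not in /var/log/messages.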


Written by nicolas314

Tuesday 31 July 2007 at 1:31 pm

Posted in Uncategorized


2 Responses


  1. You may also want to have a look at rsyslog (http://www.rsyslog.com). It can also do what you describe, but its configuration file is compliant with stock syslogd. Note that you can create different also with just a special template in the selector line.

    Rainer Gerhards

    Wednesday 1 August 2007 at 7:54 am

  2. Thanks for the pointer! From a brief look at the documentation, it looks like rsyslog has even more features packed in than syslog-ng. And it was designed from the beginning to gather information from several hosts and store into different files.

    NB: rsyslog is not yet available in Debian stable or even as a Debian package, though it is probably very easy to create one.

    nicolas314

    Thursday 2 August 2007 at 4:09 pm
