We can configure a Linux host as a syslog server to receive all logs from network devices.
- The syslog server listens on UDP port 514, so by default network devices send syslog messages with a UDP destination port of 514. Make sure the services file maps this UDP port to syslog.
[root@server2 ~]# cat /etc/services | grep syslog
syslog 514/udp
[root@server2 ~]#
- Syslog messages are classified by severity and facility. The available severity levels are:
0 – Emergency (emerg)
1 – Alerts (alert)
2 – Critical (crit)
3 – Errors (err)
4 – Warnings (warn)
5 – Notification (notice)
6 – Information (info)
7 – Debug (debug)
Available facilities are:
auth – authentication (login) messages
cron – messages from the memory-resident scheduler
daemon – messages from resident daemons
kern – kernel messages
lpr – printer messages (used by JetDirect cards)
mail – messages from Sendmail
user – messages from user-initiated processes/apps
local0-local7 – user-defined
syslog – messages from the syslog process itself
- By default, network devices send syslog messages with the facility “local7” (most network devices offer an option to change this). A syslog selector is therefore written as “facility.severity”.
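On the wire, the “facility.severity” pair is carried as a single number, the PRI, at the start of every datagram: PRI = facility × 8 + severity, so a local7 (23) message at notice (5) arrives as <189>. The following Python is an added example, not code from this page: it decodes the PRI, evaluates a syslog.conf selector with sysklogd semantics (“local7.debug” accepts debug and everything more severe, i.e. all local7 messages), and routes a datagram to the files that a set of selector lines would send it to. The sample datagram is constructed, modelled on the log excerpt further down the page.

```python
"""Decode a syslog datagram's <PRI> header and route it the way syslog.conf does.

Added example, not code from the page. PRI = facility * 8 + severity, so
local7 (23) at notice (5) is <189>. Selector semantics follow sysklogd:
'facility.severity' matches that severity and everything more severe.
"""
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
FACILITY_CODES = {name: code for code, name in FACILITIES.items()}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample datagram, modelled on the syslog-test.log excerpt on this page.
SAMPLE = b"<189>Aug 25 18:28:56 10.11.131.167 : %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console"


def encode_pri(facility, severity):
    """facility.severity -> numeric PRI as a device puts it on the wire."""
    return FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)


def decode_pri(datagram):
    """Return (facility, severity, remainder) for a raw datagram, or raise ValueError."""
    m = PRI_RE.match(datagram.decode("ascii", errors="replace"))
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # local7 (23) * 8 + debug (7) is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), SEVERITIES[severity], m.group(2)


def selector_matches(selector, facility, severity):
    """Evaluate one syslog.conf selector such as 'local7.debug', '*.err' or 'kern.*'."""
    fac_part, sev_part = selector.split(".", 1)
    if fac_part not in ("*", facility):
        return False
    if sev_part == "*":
        return True
    # Lower index = more severe, so 'debug' (index 7) accepts every message.
    return SEVERITIES.index(severity) <= SEVERITIES.index(sev_part)


def route(datagram, rules):
    """Return the destination files a datagram would be written to under `rules`,
    a dict of selector -> action (file path), like the lines in /etc/syslog.conf."""
    facility, severity, _ = decode_pri(datagram)
    return [action for selector, action in rules.items()
            if selector_matches(selector, facility, severity)]


if __name__ == "__main__":
    rules = {"local7.debug": "/var/log/syslog-test.log", "*.err": "/var/log/messages"}
    fac, sev, msg = decode_pri(SAMPLE)
    print(f"{fac}.{sev} -> {route(SAMPLE, rules)}: {msg}")
```

Note that the PRI is supplied by the sender and syslogd simply believes it: a device (or any host that can reach UDP 514) can label its traffic with whatever facility it likes, so routing by facility is a filing convention, not a control over who may write to the file.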
Procedure: [Tested on Red Hat Linux running 3.4.6]
- Edit the “/etc/syslog.conf” file to specify the file where the logs should be saved.
[root@server2 ~]# cat /etc/syslog.conf | grep local7
local7.debug /var/log/syslog-test.log
- Edit the “/etc/sysconfig/syslog” file to enable logging from remote hosts (-r): add “-r” to the syslogd options.
[root@server2 ~]# cat /etc/sysconfig/syslog | grep ^[^#]
SYSLOGD_OPTIONS="-m 0 -r"
KLOGD_OPTIONS="-x"
[root@server2 ~]#
- Restart the syslog service using “service syslog restart” or “/etc/init.d/syslog restart”.
- Make sure the Linux server is listening on the syslog port, using “netstat -a | grep syslog” or “nmap -sU localhost”.
- Logs from the remote host will be available in the specified file.
[root@server2 ~]# cat /var/log/syslog-test.log | grep 10.11.131.167
Aug 25 18:28:56 10.11.131.167 : %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
Aug 25 18:29:14 10.11.131.167 : %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Vl 10
Aug 25 18:29:15 10.11.131.167 : %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
Aug 25 18:39:16 10.11.131.167 : %RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user
[root@server2 ~]#
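Once the lines land in the file, the useful next step is to read them back programmatically rather than with grep. The following Python is an added example, not code from this page: it parses the stored line format shown above (timestamp, source host, message), pulls the device's own “%FACILITY-SEVERITY-MNEMONIC:” tag out of the message, counts events per host, and surfaces the ones on a watchlist (configuration changes and interfaces being shut down). The sample lines are the four from the excerpt above; the watchlist is a hypothetical one chosen for the example.

```python
"""Parse lines from the syslog file and surface noteworthy device events.

Added example, not code from the page. The line format is the one shown in the
syslog-test.log excerpt; the %FAC-SEV-MNEMONIC: tag is the device's own
message identifier and is independent of the syslog facility/severity.
"""
import re
from collections import Counter, defaultdict

# Sample input: the four lines from the syslog-test.log excerpt on this page.
SAMPLE_LOG = """\
Aug 25 18:28:56 10.11.131.167 : %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
Aug 25 18:29:14 10.11.131.167 : %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Vl 10
Aug 25 18:29:15 10.11.131.167 : %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
Aug 25 18:39:16 10.11.131.167 : %RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user
"""

# "Mon dd hh:mm:ss <host> : <message>" as syslogd wrote it to the file.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : (?P<msg>.*)$"
)
# The device tag, e.g. %SYS-5-CONFIG_I:  (the %RPM0-P:CP slot prefix does not match)
MNEMONIC_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):")

# Hypothetical watchlist: device events a defender wants surfaced from the file.
WATCHLIST = {
    "CONFIG_I": "device configuration changed",
    "ASTATE_DN": "interface administratively shut down",
}


def parse_line(line):
    """Return a dict with ts/host/msg and the device tag fields, or None if the
    line does not match the stored format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    tag = MNEMONIC_RE.search(rec["msg"])
    rec["facility"] = tag.group("fac") if tag else None
    rec["severity"] = int(tag.group("sev")) if tag else None
    rec["mnemonic"] = tag.group("mnemonic") if tag else None
    return rec


def triage(text):
    """Return (per-host mnemonic counts, list of watchlist hits) for the file text.
    Each hit is (timestamp, host, mnemonic, description)."""
    counts = defaultdict(Counter)
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["mnemonic"] is None:
            continue  # unparseable or untagged lines are skipped, not counted
        counts[rec["host"]][rec["mnemonic"]] += 1
        if rec["mnemonic"] in WATCHLIST:
            hits.append((rec["ts"], rec["host"], rec["mnemonic"], WATCHLIST[rec["mnemonic"]]))
    return {host: dict(c) for host, c in counts.items()}, hits


if __name__ == "__main__":
    per_host, flagged = triage(SAMPLE_LOG)
    print(per_host)
    for ts, host, mnemonic, why in flagged:
        print(f"{ts} {host} {mnemonic}: {why}")
```

Keying the watchlist on the device mnemonic rather than on the syslog severity matters here: all four sample messages arrive at severity 5, so a severity threshold alone would not separate the two configuration changes from the routine logout.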
- By default, the log file is rotated every week (the rotated copies get a .0, .1, etc. suffix) and four such files are kept on disk. These options can be changed by editing “/etc/logrotate.conf”.
[root@server2 ~]# cat /etc/logrotate.conf | grep ^[^#]
weekly
rotate 4
create
- Configuration on network devices such as routers and switches usually involves the “logging x.x.x.x” and “logging facility xxxx” commands.