Configuring Syslog in Linux

We can configure a Linux host as a syslog server to receive logs from network devices.

Basic information:

  • A syslog server listens on UDP port 514, so by default network devices send syslog messages with UDP destination port 514. Make sure the services file maps this UDP port to syslog. Keep in mind that UDP syslog is neither authenticated nor encrypted: any host that can reach the port can inject messages and the source address can be spoofed, so the listener should only be reachable from the management network.
[root@server2 ~]# cat /etc/services | grep syslog
syslog          514/udp
[root@server2 ~]#
  • Syslog messages are classified by severity and facility. The available severity levels, from most to least urgent, are:

0 – Emergency (emerg)
1 – Alerts (alert)
2 – Critical (crit)
3 – Errors (err)
4 – Warnings (warning, also written warn)
5 – Notification (notice)
6 – Information (info)
7 – Debug (debug)

Commonly used facilities include:

auth – authentication (login) messages
cron – messages from the cron scheduler
daemon – messages from resident daemons
kern – kernel messages
lpr – printer subsystem messages (e.g. JetDirect cards)
mail – messages from the mail subsystem (e.g. Sendmail)
user – messages from user-initiated processes/apps
local0-local7 – user-defined; typically used by network devices
syslog – messages from the syslog process itself

  • By default, most network devices send syslog messages with facility “local7” (the device configuration usually allows this to be changed). A message's priority is therefore written as “facility.severity”, for example local7.notice. On the wire the two are combined into the numeric PRI value facility*8 + severity carried in the “<N>” prefix of each datagram, so local7.debug is sent as “<191>”.

Procedure: [Tested on RedHat Linux running 3.4.6]

  • Edit “/etc/syslog.conf” to specify the file where the logs should be saved. The selector “local7.debug” matches every local7 message of severity debug or more urgent, i.e. everything the device sends with that facility; use a higher level such as “local7.notice” to drop informational and debug chatter. The file is written by syslogd as root; keep it readable only by root and the accounts that need it, since it records configuration changes and login/logout activity on the network devices.
[root@server2 ~]# cat /etc/syslog.conf | grep local7
local7.debug       /var/log/syslog-test.log
  • Edit “/etc/sysconfig/syslog” to enable logging from remote hosts by adding “-r” to the syslogd options (“-m 0” additionally disables the periodic “-- MARK --” lines). With “-r” syslogd accepts messages from any address on UDP 514 without authentication, so restrict 514/udp with the host firewall to the management addresses of the devices that are supposed to log here.
[root@server2 ~]# cat /etc/sysconfig/syslog  | grep ^[^#]
SYSLOGD_OPTIONS="-m 0 -r"
KLOGD_OPTIONS="-x"
[root@server2 ~]#
  • Restart the syslog service using “service syslog restart” or “/etc/init.d/syslog restart” .
  • Make sure the Linux server is listening on the syslog port using “netstat -anu | grep 514” (or “netstat -a | grep syslog”, which relies on the /etc/services mapping checked above) or “nmap -sU localhost”.
  • Logs from remote-host will be available in the specified file.
[root@server2 ~]# cat /var/log/syslog-test.log  | grep 10.11.131.167
Aug 25 18:28:56 10.11.131.167  : %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by  console
Aug 25 18:29:14 10.11.131.167  : %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Vl 10
Aug 25 18:29:15 10.11.131.167  : %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by  console
Aug 25 18:39:16 10.11.131.167  : %RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user 
[root@server2 ~]#
  • logrotate only rotates files that are named in its configuration. The global defaults in “/etc/logrotate.conf” (rotate weekly, keep four old copies appended with .0, .1 and so on) apply to every stanza, but the new file must be added to a stanza under “/etc/logrotate.d/” (for example next to the existing syslog entry), with a postrotate step that sends syslogd a HUP so it reopens the file; otherwise the file grows without bound.
[root@server2 ~]# cat /etc/logrotate.conf  | grep ^[^#]
weekly
rotate 4
create
  • Configuration on network devices such as routers and switches usually involves the “logging x.x.x.x” command to set the destination server and “logging facility xxxx” to set the facility; on Cisco IOS-style devices “logging trap <level>” sets the least urgent severity that is sent, so it should agree with the selector configured in /etc/syslog.conf.
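The following Python ties the facility/severity section to the procedure above. It is an added example, not code from the original post: it computes and decodes the PRI value a device puts on the wire, evaluates a syslog.conf selector such as local7.debug the way classic syslogd does (basic facility.level form only), and parses lines in the layout shown for /var/log/syslog-test.log above so that configuration changes and interface shutdowns can be flagged. The sample lines are constructed from the ones shown on the page, and the set of mnemonics to alert on is an assumption for illustration.

```python
"""Added example (not part of the original post): syslog priority arithmetic,
syslog.conf selector matching, and a parser for the lines a remote network
device leaves in the file configured above."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Severity and facility codes from RFC 3164; PRI = facility*8 + severity.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_NUM = {name: n for n, name in enumerate(SEVERITY_NAMES)}
SEVERITY_NUM["warn"] = 4  # alias accepted in syslog.conf, used in the list above

FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: "local%d" % i for i in range(8)})
FACILITY_NUM = {name: n for n, name in FACILITY_NAMES.items()}


def pri(facility: str, severity: str) -> int:
    """PRI value carried in the <N> prefix of a syslog datagram."""
    return FACILITY_NUM[facility] * 8 + SEVERITY_NUM[severity]


def decode_pri(value: int) -> Tuple[str, str]:
    """Inverse of pri(): (facility, severity) names for a PRI value."""
    if not 0 <= value <= 191:
        raise ValueError("PRI out of range: %d" % value)
    fac, sev = divmod(value, 8)
    return FACILITY_NAMES[fac], SEVERITY_NAMES[sev]


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Evaluate a classic syslog.conf selector ("facility.level") against a message.

    sysklogd treats the level as a floor: "local7.notice" accepts notice and
    everything more urgent from local7, "local7.debug" accepts everything.
    Only the basic form is implemented (no "=" / "!" modifiers, no facility lists).
    """
    fac_part, level = selector.rsplit(".", 1)
    if fac_part != "*" and fac_part != facility:
        return False
    if level == "none":
        return False
    if level == "*":
        return True
    return SEVERITY_NUM[severity] <= SEVERITY_NUM[level]


DATAGRAM_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_datagram(data: bytes) -> Tuple[str, str, str]:
    """Split a raw UDP payload into (facility, severity, text) via its PRI prefix."""
    m = DATAGRAM_RE.match(data.decode("ascii", "replace"))
    if not m:
        raise ValueError("missing PRI prefix")
    facility, severity = decode_pri(int(m.group(1)))
    return facility, severity, m.group(2)


class Event(NamedTuple):
    timestamp: str
    host: str
    component: str   # e.g. SYS, IFMGR, SEC
    severity: int    # the digit in the %COMP-N-MNEMONIC token
    mnemonic: str    # e.g. CONFIG_I
    text: str


# Layout syslogd wrote to the file above:
#   "Aug 25 18:28:56 10.11.131.167  : %RPM0-P:CP %SYS-5-CONFIG_I: Configured ..."
FILE_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+)\s*:?\s*(?P<msg>.*)$")
# First %COMPONENT-SEVERITY-MNEMONIC: token; "%RPM0-P:CP" does not match because
# its second field is not a digit, so search() skips past it.
MNEMONIC_RE = re.compile(
    r"%(?P<comp>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):\s*(?P<text>.*)$")


def parse_event(line: str) -> Optional[Event]:
    m = FILE_LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    mm = MNEMONIC_RE.search(m.group("msg"))
    if not mm:
        return None
    return Event(m.group("ts"), m.group("host"), mm.group("comp"),
                 int(mm.group("sev")), mm.group("mnem"), mm.group("text").strip())


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


# Assumption for illustration: page on configuration changes and admin shutdowns.
ALERT_MNEMONICS = frozenset({"CONFIG_I", "ASTATE_DN"})


def alerting_events(events: List[Event]) -> List[Event]:
    return [e for e in events if e.mnemonic in ALERT_MNEMONICS]


# Constructed sample, modelled on the lines shown in /var/log/syslog-test.log above.
SAMPLE_LOG = """\
Aug 25 18:28:56 10.11.131.167  : %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by  console
Aug 25 18:29:14 10.11.131.167  : %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Vl 10
Aug 25 18:29:15 10.11.131.167  : %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by  console
Aug 25 18:39:16 10.11.131.167  : %RPM0-P:CP %SEC-5-LOGOUT: Exec session is terminated for user
"""

if __name__ == "__main__":
    print("local7.debug -> PRI", pri("local7", "debug"))
    for e in alerting_events(parse_log(SAMPLE_LOG)):
        print("ALERT", e.timestamp, e.host, e.mnemonic, e.text)
```

The severity digit in the device's mnemonic (the 5 in %SYS-5-CONFIG_I) is the same 0-7 scale as the syslog severity, which is why a selector of local7.notice would still capture all four sample lines while local7.warning would drop them all; check the device's “logging trap” level against the selector before concluding that the server is broken.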