
Centralized Syslogging with Syslog-NG on SUSE Linux

Novell Cool Solutions: Feature
By Scott Flowers


Posted: 2 Nov 2006
 

Introduction

A key aspect of management of network servers and devices is regular review of log messages. Log messages can also be used forensically to troubleshoot network problems. On many types of systems including Linux and UNIX servers and various other networking devices like switches and routers, system message logging follows a standardized format known as syslog messages. One way to improve IT management and administration is to centralize syslog messages from all the diverse devices on a corporate network onto a single syslog server or loghost. Centralization allows the use of automated log analysis tools to alert and search for specific message types, improving the tools available to system administrators to manage networks. This paper describes how to configure a SUSE Linux Enterprise Server 9 or OES Linux server to act as a simple centralized loghost, and how to configure SLES servers and desktops to log system messages to that host over the network.

Syslog-NG

Syslog-NG is the next generation of syslog, the logger that has been part of UNIX and Linux for many years. It is designed to allow flexible logging of system messages from various systems to different formats, including text files, databases, email messages and more. It also has sophisticated filtering mechanisms which allow different system messages for a given host to be routed to different logging mechanisms depending on type or severity. For example, messages with a low severity could be logged to file, while messages with higher severity could be logged to file and emailed to the sysadmin's mobile phone for immediate action. Syslog-NG comes with SLES 9 and NLD 9 as an alternative to the default, which is the old BSD-based syslogd. On SLES and SLED 10, Syslog-NG is the default system logger.

Configuring Syslog-NG on SLES 9

Enabling Syslog-NG

Note: If you are using SLES 10, Syslog-NG is already enabled and this step is unnecessary.

By default SLES 9 uses syslogd, not Syslog-NG. The first step required in building a loghost on SLES 9 is to enable Syslog-NG. To do this, you must first stop syslogd by running /etc/init.d/syslogd stop in a terminal. Next, enable Syslog-NG by editing the file /etc/sysconfig/syslog. Find this line:

SYSLOG_DAEMON="syslogd"

and replace it with this:

SYSLOG_DAEMON="syslog-ng"

Save the file and run SuSEconfig --module syslog-ng to update the system's syslog configuration.

Configuring Loghost to Receive Log Messages

By default Syslog-NG is configured only to log messages from the host it is running on. If you want a centralized loghost, you must enable Syslog-NG to receive log messages over the network. In this article, we will leave the existing configuration of Syslog-NG in place, so what we are doing won't change the logging that is already set up on the host. However, we will add the ability to receive messages from hosts over the network, so additional logging will come in from other hosts.

To enable Syslog-NG to receive syslog messages from network devices, you have to edit /etc/syslog-ng/syslog-ng.conf.in and add some settings. The file is divided into sections called source, destination, filter and log. On a standard SLES 9 installation, there are some lines in the source section of that file that look like this:

#
# uncomment to process log messages from network:
#
# udp(port(514));

To enable network access to the server, assuming your loghost is located at 192.168.1.42, change these lines to look like this:

#
# uncomment to process log messages from network:
#
udp(port(514));
tcp(ip("192.168.1.42") port(5140) keep-alive(yes));

Notice that the pound sign in front of the UDP line has been removed, and the tcp line has been added.

Next, a destination must be defined for network log messages, and a log statement must be included to tell Syslog-NG how to use the destination. Go to the bottom of the file, add a new line, and then add the following lines.

# this is for separating out network hosts into individual log files.
destination std {
        file ("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
                owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
        );
};
log {
        source(src);
        destination(std);
};

This sample configuration will save log messages from each host in a separate directory called /var/log/HOSTS/YEAR-MONTH/hostname/. The messages will be split into logfiles based on the facility. The standard facilities are auth, authpriv (for security information of a sensitive nature), cron, daemon, ftp, kern, lpr, mail, news, security (deprecated synonym for auth), syslog, user, uucp, and local0 to local7 (from the logger man page).

Once the lines have been added, save the file and then run SuSEconfig --module syslog-ng again to make the configuration changes take effect. Then, run /etc/init.d/syslogd start to start Syslog-NG. The loghost is now ready to accept log messages from the network.

Configuring Logging to the Loghost from Network Servers

Now that the loghost is ready to receive log messages from hosts on the network, you have to configure your hosts to send messages to it. If the hosts are based on SLES 9 or OES Linux, you have to follow the steps outlined above to enable Syslog-NG by editing /etc/sysconfig/syslog and then running SuSEconfig. Don't forget to stop syslogd first by running /etc/init.d/syslogd stop.

Then, you have to edit /etc/syslog-ng/syslog-ng.conf.in to tell the host to send messages to the syslog server. Open the /etc/syslog-ng/syslog-ng.conf.in file and go to the bottom of the file. Assuming your loghost is located at the ip address 192.168.1.42, add the following lines:

# send everything to log host
destination loghost {
    tcp("192.168.1.42" port(5140));
};
log {
    source(src);
    destination(loghost);
};

After making the changes, save the file and run SuSEconfig --module syslog-ng, and then restart syslogd by running /etc/init.d/syslogd start. Now your host should be configured to send all log messages to your log host.

You can test that it works by using the command-line utility logger, which sends messages to the syslog service. Logger is also a great way to have your shell scripts or cron scripts send status messages to the system log. To check whether your server is configured to send log messages to your loghost, run the following command (the -p option sets the facility.priority of the message; without it, logger would send the text at the default user.notice priority).

logger -p user.warn "this is a test logger message that should go to my loghost"

Navigate the directories on your loghost to the /var/log/HOSTS/YEAR-MONTH/ directory. You should see a directory for your host. It will either be a hostname or an IP address, depending upon whether reverse-lookup works in your DNS environment. Inside that directory, you should find a log file starting with user that contains your user.warn message.
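To make concrete what the loghost's file() template does with each message, here is an added Python example (not from the article or from syslog-ng itself) that parses a BSD-style syslog datagram as logger puts it on the wire, decodes the PRI field into facility and severity, and computes the path the destination defined above would write it to. The year argument and the host override are assumptions: the BSD timestamp carries no year, so syslog-ng fills $YEAR from the receive time, and the directory name may be the sender's address rather than the name in the message, as noted above.

```python
import re

# Facility codes from RFC 3164, using the names the article lists (12-15 are unused here).
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: "local%d" % i for i in range(8)})
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# <PRI>Mmm dd hh:mm:ss host message   (the day is space-padded, e.g. "Nov  2")
_BSD = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}) ([ \d]\d) (\d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_bsd_syslog(raw):
    """Split a BSD syslog datagram into its fields; PRI = facility * 8 + severity."""
    m = _BSD.match(raw)
    if not m:
        raise ValueError("not a BSD syslog message: %r" % raw)
    pri = int(m.group(1))
    if pri > 191 or m.group(2) not in MONTHS:
        raise ValueError("invalid PRI or month in %r" % raw)
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITY_NAMES.get(facility, "unknown%d" % facility),
        "severity": SEVERITY_NAMES[severity],
        "month": MONTHS.index(m.group(2)) + 1,
        "day": int(m.group(3)),
        "time": m.group(4),
        "host": m.group(5),
        "message": m.group(6),
    }


def loghost_path(parsed, year, host=None):
    """Expand the article's file() template for one parsed message.

    year: assumed receive year (the BSD timestamp has none, so $YEAR comes from the loghost).
    host: assumed override for $HOST, e.g. the sender's IP when reverse DNS does not resolve.
    """
    host = host or parsed["host"]
    return "/var/log/HOSTS/%04d-%02d/%s/%s-%04d-%02d-%02d" % (
        year, parsed["month"], host, parsed["facility"], year, parsed["month"], parsed["day"])


# Constructed sample: what 'logger -p user.warn ...' on a host named sles9box sends (PRI 12 = user.warning).
SAMPLE = "<12>Nov  2 14:05:17 sles9box scott: this is a test logger message that should go to my loghost"

if __name__ == "__main__":
    p = parse_bsd_syslog(SAMPLE)
    print(p["facility"], p["severity"], loghost_path(p, 2006))
```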

What's Next?

Now that you have your log files being accumulated on a single log host, you can start doing all kinds of fun stuff with the logs. You can reconfigure your loghost to also add the messages to a MySQL database, or you can implement a tool called swatch that watches your log files for particular messages and alerts you about them, or even use swatch to kick off automated responses to particular log messages. You can also install a tool like Splunk, which allows you to search your logs like Google searches the web.


© 2014 Novell