It is really a good idea to have one central logging host for security and performance reason. For example monitoring log files will help you to detect:
* Security risks (you can see failed login attempt, port scan etc) analysis
* Troubleshoot user login problem
* Save disk space
* If hard disk crashed on other hosts old logs will be available from centralized loghost

Linux (and other UNIX like systems) use sysklogd (or syslogd) utility. It is system logging facility. It support of both internet and unix domain sockets enables this utility package to support both local and remote logging from DSL/ADSL router or other hosts in your network.

Prepare syslogd to accept remote logging message

Open file /etc/init.d/sysklogd under Debian Linux to configure syslogd to accept remote message.
# vi /etc/init.d/sysklogd
Locate line SYSLOGD and edit it as follows:
SYSLOGD="-r"
The option (-r) will enable the facility to receive message from the network using an internet domain socket with the syslog service. The default is to not receive any messages from the network.

Save file and exit to shell prompt. Restart the sysklogd:
# /etc/init.d/sysklogd restart

A note about RHEL / CentOS / Fedora Linux User

If you are using Red Hat or Fedora Linux, edit file /etc/sysconfig/syslog:
# vi /etc/sysconfig/syslog
Make changes:
SYSLOGD="-r"
Restart syslogd:
# service syslog restart

Open UDP port 514

If you are, using iptables based firewall, insert following rule to your iptables script to accept connection from your network:

MYNET=192.168.1.0/24
SLSERVER=192.168.1.100

iptables -A INPUT -p udp -s $MYNET --sport 1024:65535 -d $SLSERVER --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p udp -s $SLSERVER --sport 514 -d $MYNET --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

192.168.1.100 is IP address of syslogd server. You need to restrict access to syslogd within your network (192.168.1.0/24) only.

Configure the Router to logging message to a centralized loghost

You can open web configuration interface and type IP address of centralized loghost (192.168.1.100) and port 514. Save configuration and reboot router.

Configure Linux or Unix host to logging message to a centralized loghost

You need to open syslog configuration file /etc/syslog.conf:
# vi /etc/syslog.conf
Setup syslogd to send all important message related to auth to loghost IP 192.168.1.100 (or use FQDN if configured)

*.*;auth,authpriv.none          @192.168.1.100

OR

*.*;auth,authpriv.none          @loghost.mydomain.com.

Restart sysklogd (Debian Linux):
# /etc/init.d/sysklogd restart
OR
Restart syslogd under Red Hat/Fedora / CentOS Linux
# service syslog restart
If required open outgoing UDP 514 port from other hosts:

# SYSLOG outgoing client request
iptables -A OUTPUT -p udp -s 192.168.1.100 --sport 1024:65535 -d 192.168.1.5 --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -s 192.168.1.5 --sport 514 -d 192.168.1.100 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Windows NT/2000/XP/Vista Desktop system

You can force your Windows NT/2000/XP desktop to log all messages to a centralized loghost. However, Windows do not have in build system to log message to remote Unix syslogd server. You can use NTsyslog program, which runs as a service under Windows NT based operating systems. It formats all System, Security, and Application events into a single line and sends them to a syslogd host.

Verify that message are logged in to your /var/log/messages# tail -f /var/log/messages
Output:

Feb 16 02:08:01 router  kernel: klogd started: BusyBox v1.00 (2005.09.22-19:11+0000)
Feb 16 02:08:01 router  kernel: Linux version 2.6.8.1 (root@localhost.localdomain) (gcc version 3.4.2) #1 Thu Sep 22 15:07:47 EDT 2005
Feb 16 02:08:01 router  kernel: Total Flash size: 2048K with 39 sectors
Feb 16 02:08:01 router  kernel: 96338L-2M-8M prom init
Feb 16 02:08:01 router  kernel: CPU revision is: 00029010
Feb 16 02:08:01 router  kernel: Determined physical RAM map:
Feb 16 02:08:01 router  kernel:  memory: 007a0000 @ 0000000
..........
...
......
Feb 16 02:08:01 router  kernel: AdslCoreHwReset: AdslOemDataAddr = 0xA07E504C
Feb 16 02:08:01 router  kernel: ip_tables: (C) 2000-2002 Netfilter core team
Feb 16 02:08:01 router  kernel: ip_conntrack version 2.1 (61 buckets, 0 max) - 368 bytes
Feb 16 02:08:06 router  pppd[224]: pppd 2.4.1 started by admin, uid 0
Feb 16 02:08:07 router  pppd[224]: PPP: Start to connect ...
Feb 16 02:08:10 router  dnsprobe[272]: dnsprobe started!

Share on Facebook Twitter

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.