It is really a good idea to have one central logging host for security and performance reason. For example monitoring log files will help you to detect:
* Security risks (you can see failed login attempt, port scan etc) analysis
* Troubleshoot user login problem
* Save disk space
* If hard disk crashed on other hosts old logs will be available from centralized loghost
Linux (and other UNIX like systems) use sysklogd (or syslogd) utility. It is system logging facility. It support of both internet and unix domain sockets enables this utility package to support both local and remote logging from DSL/ADSL router or other hosts in your network.
Prepare syslogd to accept remote logging message
Open file /etc/init.d/sysklogd under Debian Linux to configure syslogd to accept remote message.
# vi /etc/init.d/sysklogd
Locate line SYSLOGD and edit it as follows:
SYSLOGD="-r"
The option (-r) will enable the facility to receive message from the network using an internet domain socket with the syslog service. The default is to not receive any messages from the network.
Save file and exit to shell prompt. Restart the sysklogd:
# /etc/init.d/sysklogd restart
A note about RHEL / CentOS / Fedora Linux User
If you are using Red Hat or Fedora Linux, edit file /etc/sysconfig/syslog:
# vi /etc/sysconfig/syslog
Make changes:
SYSLOGD="-r"
Restart syslogd:
# service syslog restart
Open UDP port 514
If you are, using iptables based firewall, insert following rule to your iptables script to accept connection from your network:
MYNET=192.168.1.0/24 SLSERVER=192.168.1.100 iptables -A INPUT -p udp -s $MYNET --sport 1024:65535 -d $SLSERVER --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p udp -s $SLSERVER --sport 514 -d $MYNET --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
192.168.1.100 is IP address of syslogd server. You need to restrict access to syslogd within your network (192.168.1.0/24) only.
Configure the Router to logging message to a centralized loghost
You can open web configuration interface and type IP address of centralized loghost (192.168.1.100) and port 514. Save configuration and reboot router.
Configure Linux or Unix host to logging message to a centralized loghost
You need to open syslog configuration file /etc/syslog.conf:
# vi /etc/syslog.conf
Setup syslogd to send all important message related to auth to loghost IP 192.168.1.100 (or use FQDN if configured)
*.*;auth,authpriv.none @192.168.1.100
OR
*.*;auth,authpriv.none @loghost.mydomain.com.
Restart sysklogd (Debian Linux):
# /etc/init.d/sysklogd restart
OR
Restart syslogd under Red Hat/Fedora / CentOS Linux
# service syslog restart
If required open outgoing UDP 514 port from other hosts:
# SYSLOG outgoing client request iptables -A OUTPUT -p udp -s 192.168.1.100 --sport 1024:65535 -d 192.168.1.5 --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p udp -s 192.168.1.5 --sport 514 -d 192.168.1.100 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Windows NT/2000/XP/Vista Desktop system
You can force your Windows NT/2000/XP desktop to log all messages to a centralized loghost. However, Windows do not have in build system to log message to remote Unix syslogd server. You can use NTsyslog program, which runs as a service under Windows NT based operating systems. It formats all System, Security, and Application events into a single line and sends them to a syslogd host.
Verify that message are logged in to your /var/log/messages# tail -f /var/log/messages
Output:Feb 16 02:08:01 router kernel: klogd started: BusyBox v1.00 (2005.09.22-19:11+0000)
Feb 16 02:08:01 router kernel: Linux version 2.6.8.1 (root@localhost.localdomain) (gcc version 3.4.2) #1 Thu Sep 22 15:07:47 EDT 2005
Feb 16 02:08:01 router kernel: Total Flash size: 2048K with 39 sectors
Feb 16 02:08:01 router kernel: 96338L-2M-8M prom init
Feb 16 02:08:01 router kernel: CPU revision is: 00029010
Feb 16 02:08:01 router kernel: Determined physical RAM map:
Feb 16 02:08:01 router kernel: memory: 007a0000 @ 0000000
..........
...
......
Feb 16 02:08:01 router kernel: AdslCoreHwReset: AdslOemDataAddr = 0xA07E504C
Feb 16 02:08:01 router kernel: ip_tables: (C) 2000-2002 Netfilter core team
Feb 16 02:08:01 router kernel: ip_conntrack version 2.1 (61 buckets, 0 max) - 368 bytes
Feb 16 02:08:06 router pppd[224]: pppd 2.4.1 started by admin, uid 0
Feb 16 02:08:07 router pppd[224]: PPP: Start to connect ...
Feb 16 02:08:10 router dnsprobe[272]: dnsprobe started!
5 comment
I am trying to configure a Netgear FVX536 log forwarding to a CentosOS server. The Netgear is configured and shows me logs it is sending. But I get nothing. With Centos 5.2 in /etc/sysconfig/syslog, I added the line “SYSLOGD=”-r” and restarted the syslog service (e.g. service syslog restart). Here is the /etc/sysconfig/syslog file changes:
————————————————————————–
# Options to syslogd
# -m 0 disables ‘MARK’ messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS=”-m 0″
SYSLOGD=”-r”
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with ‘ksymoops’
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS=”-x”
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for “group” and “other”.
——————————————————————————–
These are the logs I am NOT getting:
—————————————————————————–
2009 Sep 10 13:54:50 [FVX538] [login] Value TTTTT at change lloginTimeoutGet and value is LOCALDOMAIN_
2009 Sep 10 13:54:50 [FVX538] [login] At line 2527 TTTT at func lloginLogout_
2009 Sep 10 13:54:50 [FVX538] [login] Logout succeeded for user admin
2009 Sep 10 13:54:50 [FVX538] [login] Deleting all cookie files with privielge 0
2009 Sep 10 13:54:52 [FVX538] [login] Value TTTTT at change lloginTimeoutGet and value is LOCALDOMAIN_
– Last output repeated twice –
2009 Sep 10 13:54:52 [FVX538] [login] Deleting all cookie files with privielge 0
2009 Sep 10 13:54:52 [FVX538] [login] Login succeeded: user admin from 192.168.1.199
2009 Sep 10 13:54:52 [FVX538] [login] Login succeeded for user admin from 192.168.1.199
2009 Sep 10 14:23:56 [FVX538] [login] Value TTTTT at change lloginTimeoutGet and value is LOCALDOMAIN_
2009 Sep 10 14:23:56 [FVX538] [login] At line 2527 TTTT at func lloginLogout_
2009 Sep 10 14:23:56 [FVX538] [login] Logout succeeded for user admin
2009 Sep 10 14:23:56 [FVX538] [login] Deleting all cookie files with privielge 0
2009 Sep 10 14:23:57 [FVX538] [login] Value TTTTT at change lloginTimeoutGet and value is LOCALDOMAIN_
– Last output repeated twice –
2009 Sep 10 14:23:58 [FVX538] [login] Deleting all cookie files with privielge 0
2009 Sep 10 14:23:58 [FVX538] [login] Login succeeded: user admin from 192.168.1.199
2009 Sep 10 14:23:58 [FVX538] [login] Login succeeded for user admin from 192.168.1.199
Hey,
Thanks for the detailed post on central logging. I am sure this will be a great resource for sys-admins, uhhh, fro proactive-sys-admins.
Gr8 !!
You know why I like your HowTo’s ?
Coz you explain necessary theory before actually start running the commands.
U Rock Vivek 🙂
Please document how to, in syslog.conf, direct syslog messages from different hosts, eg. routers, to separate files.
Alan Beard, look at syslog-ng for this functionality.