Logging to a centralized loghost from Router or other hosts

It is really a good idea to have one central logging host for security and performance reason. For example monitoring log files will help you to detect:
* Security risks (you can see failed login attempt, port scan etc) analysis
* Troubleshoot user login problem
* Save disk space
* If hard disk crashed on other hosts old logs will be available from centralized loghost

Linux (and other UNIX like systems) use sysklogd (or syslogd) utility. It is system logging facility. It support of both internet and unix domain sockets enables this utility package to support both local and remote logging from DSL/ADSL router or other hosts in your network.

Prepare syslogd to accept remote logging message

Open file /etc/init.d/sysklogd under Debian Linux to configure syslogd to accept remote message.
# vi /etc/init.d/sysklogd
Locate line SYSLOGD and edit it as follows:
SYSLOGD="-r"
The option (-r) will enable the facility to receive message from the network using an internet domain socket with the syslog service. The default is to not receive any messages from the network.

Save file and exit to shell prompt. Restart the sysklogd:
# /etc/init.d/sysklogd restart

A note about RHEL / CentOS / Fedora Linux User

If you are using Red Hat or Fedora Linux, edit file /etc/sysconfig/syslog:
# vi /etc/sysconfig/syslog
Make changes:
SYSLOGD="-r"
Restart syslogd:
# service syslog restart

Open UDP port 514

If you are, using iptables based firewall, insert following rule to your iptables script to accept connection from your network:

MYNET=192.168.1.0/24
SLSERVER=192.168.1.100

iptables -A INPUT -p udp -s $MYNET --sport 1024:65535 -d $SLSERVER --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p udp -s $SLSERVER --sport 514 -d $MYNET --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

192.168.1.100 is IP address of syslogd server. You need to restrict access to syslogd within your network (192.168.1.0/24) only.

Configure the Router to logging message to a centralized loghost

You can open web configuration interface and type IP address of centralized loghost (192.168.1.100) and port 514. Save configuration and reboot router.

Configure Linux or Unix host to logging message to a centralized loghost

You need to open syslog configuration file /etc/syslog.conf:
# vi /etc/syslog.conf
Setup syslogd to send all important message related to auth to loghost IP 192.168.1.100 (or use FQDN if configured)

*.*;auth,authpriv.none          @192.168.1.100

OR

*.*;auth,authpriv.none          @loghost.mydomain.com.

Restart sysklogd (Debian Linux):
# /etc/init.d/sysklogd restart
OR
Restart syslogd under Red Hat/Fedora / CentOS Linux
# service syslog restart
If required open outgoing UDP 514 port from other hosts:

# SYSLOG outgoing client request
iptables -A OUTPUT -p udp -s 192.168.1.100 --sport 1024:65535 -d 192.168.1.5 --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -s 192.168.1.5 --sport 514 -d 192.168.1.100 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Windows NT/2000/XP/Vista Desktop system

You can force your Windows NT/2000/XP desktop to log all messages to a centralized loghost. However, Windows do not have in build system to log message to remote Unix syslogd server. You can use NTsyslog program, which runs as a service under Windows NT based operating systems. It formats all System, Security, and Application events into a single line and sends them to a syslogd host.

Verify that message are logged in to your /var/log/messages# tail -f /var/log/messages
Output:

Feb 16 02:08:01 router  kernel: klogd started: BusyBox v1.00 (2005.09.22-19:11+0000)
Feb 16 02:08:01 router  kernel: Linux version 2.6.8.1 (root@localhost.localdomain) (gcc version 3.4.2) #1 Thu Sep 22 15:07:47 EDT 2005
Feb 16 02:08:01 router  kernel: Total Flash size: 2048K with 39 sectors
Feb 16 02:08:01 router  kernel: 96338L-2M-8M prom init
Feb 16 02:08:01 router  kernel: CPU revision is: 00029010
Feb 16 02:08:01 router  kernel: Determined physical RAM map:
Feb 16 02:08:01 router  kernel:  memory: 007a0000 @ 0000000
..........
...
......
Feb 16 02:08:01 router  kernel: AdslCoreHwReset: AdslOemDataAddr = 0xA07E504C
Feb 16 02:08:01 router  kernel: ip_tables: (C) 2000-2002 Netfilter core team
Feb 16 02:08:01 router  kernel: ip_conntrack version 2.1 (61 buckets, 0 max) - 368 bytes
Feb 16 02:08:06 router  pppd[224]: pppd 2.4.1 started by admin, uid 0
Feb 16 02:08:07 router  pppd[224]: PPP: Start to connect ...
Feb 16 02:08:10 router  dnsprobe[272]: dnsprobe started!

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 5 comments so far... add one ↓

Related Posts

• Execute commands on multiple hosts using expect tool
• Testing Connectivity with fping and send mail if any…
• Send ICMP Nasty Garbage Packets to Network Hosts…
• Hacking Linksys router: WRT54GL DIY Internal POE
• How to configure cisco router using linux for (COM…
• How to setup Linux as a router for DSL, T1 line etc
• Howto Setup Linux as router for ppp dial up…
• Solaris: How do I setup a default static route /…

Category	List of Unix and Linux commands
Disk space analyzers	df • ncdu • pydf
File Management	cat • tree
Firewall	Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04
Network Utilities	NetHogs • dig • host • ip • nmap
OpenVPN	CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04
Package Manager	apk • apt
Processes Management	bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time
Searching	grep • whereis • which
User Information	groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w
WireGuard VPN	Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04