Logging to a centralized loghost from Router or other hosts

Posted on in Categories Backup, CentOS, Debian Linux, Howto, Linux, UNIX, Windows server last updated February 16, 2006

It is really a good idea to have one central logging host for security and performance reason. For example monitoring log files will help you to detect:
* Security risks (you can see failed login attempt, port scan etc) analysis
* Troubleshoot user login problem
* Save disk space
* If hard disk crashed on other hosts old logs will be available from centralized loghost

Linux (and other UNIX like systems) use sysklogd (or syslogd) utility. It is system logging facility. It support of both internet and unix domain sockets enables this utility package to support both local and remote logging from DSL/ADSL router or other hosts in your network.

Prepare syslogd to accept remote logging message

Open file /etc/init.d/sysklogd under Debian Linux to configure syslogd to accept remote message.
# vi /etc/init.d/sysklogd
Locate line SYSLOGD and edit it as follows:
SYSLOGD="-r"
The option (-r) will enable the facility to receive message from the network using an internet domain socket with the syslog service. The default is to not receive any messages from the network.

Save file and exit to shell prompt. Restart the sysklogd:
# /etc/init.d/sysklogd restart

A note about RHEL / CentOS / Fedora Linux User

If you are using Red Hat or Fedora Linux, edit file /etc/sysconfig/syslog:
# vi /etc/sysconfig/syslog
Make changes:
SYSLOGD="-r"
Restart syslogd:
# service syslog restart

Open UDP port 514

If you are, using iptables based firewall, insert following rule to your iptables script to accept connection from your network:

MYNET=192.168.1.0/24
SLSERVER=192.168.1.100

iptables -A INPUT -p udp -s $MYNET --sport 1024:65535 -d $SLSERVER --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p udp -s $SLSERVER --sport 514 -d $MYNET --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

192.168.1.100 is IP address of syslogd server. You need to restrict access to syslogd within your network (192.168.1.0/24) only.

Configure the Router to logging message to a centralized loghost

You can open web configuration interface and type IP address of centralized loghost (192.168.1.100) and port 514. Save configuration and reboot router.

Configure Linux or Unix host to logging message to a centralized loghost

You need to open syslog configuration file /etc/syslog.conf:
# vi /etc/syslog.conf
Setup syslogd to send all important message related to auth to loghost IP 192.168.1.100 (or use FQDN if configured)

*.*;auth,authpriv.none          @192.168.1.100

OR

*.*;auth,authpriv.none          @loghost.mydomain.com.

Restart sysklogd (Debian Linux):
# /etc/init.d/sysklogd restart
OR
Restart syslogd under Red Hat/Fedora / CentOS Linux
# service syslog restart
If required open outgoing UDP 514 port from other hosts:

# SYSLOG outgoing client request
iptables -A OUTPUT -p udp -s 192.168.1.100 --sport 1024:65535 -d 192.168.1.5 --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -s 192.168.1.5 --sport 514 -d 192.168.1.100 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Windows NT/2000/XP/Vista Desktop system

You can force your Windows NT/2000/XP desktop to log all messages to a centralized loghost. However, Windows do not have in build system to log message to remote Unix syslogd server. You can use NTsyslog program, which runs as a service under Windows NT based operating systems. It formats all System, Security, and Application events into a single line and sends them to a syslogd host.

Verify that message are logged in to your /var/log/messages# tail -f /var/log/messages
Output:

Feb 16 02:08:01 router  kernel: klogd started: BusyBox v1.00 (2005.09.22-19:11+0000)
Feb 16 02:08:01 router  kernel: Linux version 2.6.8.1 ([email protected]) (gcc version 3.4.2) #1 Thu Sep 22 15:07:47 EDT 2005
Feb 16 02:08:01 router  kernel: Total Flash size: 2048K with 39 sectors
Feb 16 02:08:01 router  kernel: 96338L-2M-8M prom init
Feb 16 02:08:01 router  kernel: CPU revision is: 00029010
Feb 16 02:08:01 router  kernel: Determined physical RAM map:
Feb 16 02:08:01 router  kernel:  memory: 007a0000 @ 0000000
..........
...
......
Feb 16 02:08:01 router  kernel: AdslCoreHwReset: AdslOemDataAddr = 0xA07E504C
Feb 16 02:08:01 router  kernel: ip_tables: (C) 2000-2002 Netfilter core team
Feb 16 02:08:01 router  kernel: ip_conntrack version 2.1 (61 buckets, 0 max) - 368 bytes
Feb 16 02:08:06 router  pppd[224]: pppd 2.4.1 started by admin, uid 0
Feb 16 02:08:07 router  pppd[224]: PPP: Start to connect ...
Feb 16 02:08:10 router  dnsprobe[272]: dnsprobe started!

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

Share this on:

5 comment

  1. I am trying to configure a Netgear FVX536 log forwarding to a CentosOS server. The Netgear is configured and shows me logs it is sending. But I get nothing. With Centos 5.2 in /etc/sysconfig/syslog, I added the line “SYSLOGD=”-r” and restarted the syslog service (e.g. service syslog restart). Here is the /etc/sysconfig/syslog file changes:
    ————————————————————————–
    # Options to syslogd
    # -m 0 disables ‘MARK’ messages.
    # -r enables logging from remote machines
    # -x disables DNS lookups on messages recieved with -r
    # See syslogd(8) for more details
    SYSLOGD_OPTIONS=”-m 0″
    SYSLOGD=”-r”
    # Options to klogd
    # -2 prints all kernel oops messages twice; once for klogd to decode, and
    # once for processing with ‘ksymoops’
    # -x disables all klogd processing of oops messages entirely
    # See klogd(8) for more details
    KLOGD_OPTIONS=”-x”
    #
    SYSLOG_UMASK=077
    # set this to a umask value to use for all log files as in umask(1).
    # By default, all permissions are removed for “group” and “other”.
    ——————————————————————————–

    These are the logs I am NOT getting:
    —————————————————————————–
    2009 Sep 10 13:54:50 [FVX538] [login] Value TTTTT at change lloginTimeoutGet and value is LOCALDOMAIN_
    2009 Sep 10 13:54:50 [FVX538] [login] At line 2527 TTTT at func lloginLogout_
    2009 Sep 10 13:54:50 [FVX538] [login] Logout succeeded for user admin
    2009 Sep 10 13:54:50 [FVX538] [login] Deleting all cookie files with privielge 0
    2009 Sep 10 13:54:52 [FVX538] [login] Value TTTTT at change lloginTimeoutGet and value is LOCALDOMAIN_
    – Last output repeated twice –
    2009 Sep 10 13:54:52 [FVX538] [login] Deleting all cookie files with privielge 0
    2009 Sep 10 13:54:52 [FVX538] [login] Login succeeded: user admin from 192.168.1.199
    2009 Sep 10 13:54:52 [FVX538] [login] Login succeeded for user admin from 192.168.1.199
    2009 Sep 10 14:23:56 [FVX538] [login] Value TTTTT at change lloginTimeoutGet and value is LOCALDOMAIN_
    2009 Sep 10 14:23:56 [FVX538] [login] At line 2527 TTTT at func lloginLogout_
    2009 Sep 10 14:23:56 [FVX538] [login] Logout succeeded for user admin
    2009 Sep 10 14:23:56 [FVX538] [login] Deleting all cookie files with privielge 0
    2009 Sep 10 14:23:57 [FVX538] [login] Value TTTTT at change lloginTimeoutGet and value is LOCALDOMAIN_
    – Last output repeated twice –
    2009 Sep 10 14:23:58 [FVX538] [login] Deleting all cookie files with privielge 0
    2009 Sep 10 14:23:58 [FVX538] [login] Login succeeded: user admin from 192.168.1.199
    2009 Sep 10 14:23:58 [FVX538] [login] Login succeeded for user admin from 192.168.1.199

  2. Hey,

    Thanks for the detailed post on central logging. I am sure this will be a great resource for sys-admins, uhhh, fro proactive-sys-admins.

  3. Gr8 !!
    You know why I like your HowTo’s ?
    Coz you explain necessary theory before actually start running the commands.
    U Rock Vivek ๐Ÿ™‚

Comments are closed.

Tagged as: Tags , , , , , , , , ,