General:
System logs on Linux (and Unix) systems are typically handled by syslogd, a
daemon whose origins lie in BSD Unix. syslogd receives and processes log
messages, and records the messages in one or more log files. (In more recent
Linux distributions, syslogd is supplemented with klogd for handling kernel
messages separately. For example, FC4 has separate syslogd and klogd daemons
both contained in a package called sysklogd-1.4.1 which is installed by
default for any configuration.)

The configuration file for syslogd is contained in /etc/syslog.conf.

Syslog Components
	Syslog Device - sender (anything that generates syslog messages)
	Syslog Relay  - relay (can be a collector and device also)
	Syslog Server - server / collector

Traditional UNIX syslog uses UDP as the transport protocol, destination port
514 on the receiving host. Modern syslog software can also use TCP for
transport and often has configurable port parameters (syslog-ng). Some simple
syslog mechanisms that by design log to the local system rely on the local
syslog daemon listening on a network socket for incoming messages. They send
events to localhost port 514/UDP.

Note that this can be as simple as using the popular netcat program from the
UNIX or Windows command line (NT/XP/Win2k[3] usage would be slightly different
at the CMD prompt, but similar):
	$ echo "<13>Jan 4 12:12:12 host foo[345]: a syslog message" >/tmp/foo
	$ nc -v -u loghost.example.dom 514 < /tmp/foo

To test a syslogd configuration, use the logger command:
	logger "this is a test"
	logger -p auth.debug "this is a test" 
This will create a line like this in your logfiles: 
	Apr 1 16:08:42 localhost.localdomain logger: this is a test 
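
The <13> at the start of the netcat message and the auth.debug given to
logger -p are the same field: the PRI value, facility * 8 + severity. The
following parser is an added example, not part of the original notes; it decodes
PRI and splits a BSD-style message into its fields (the function names are
this example's own, and the sample message is the one from the netcat command):

```python
import re

# Facility and severity names in numeric order (RFC 3164, section 4.1.1).
# The names used here for facilities 13-15 are shorthand chosen for this example.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: text
_MSG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]?\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<text>.*)$", re.S)

def encode_pri(facility, severity):
    """Return the PRI number for names such as ('auth', 'debug')."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def decode_pri(pri):
    """Split a PRI number into (facility, severity) names."""
    if not 0 <= pri <= 191:          # 23 * 8 + 7 is the largest valid value
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse(datagram):
    """Parse one BSD-syslog datagram; return None if it is not well formed."""
    m = _MSG.match(datagram.decode("ascii", "replace").rstrip("\n"))
    if m is None or int(m.group("pri")) > 191:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    # "host" is whatever the sender wrote; over UDP nothing verifies it.
    return {"facility": facility, "severity": severity,
            "timestamp": m.group("ts"), "host": m.group("host"),
            "tag": m.group("tag"),
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "text": m.group("text")}

if __name__ == "__main__":
    # The message from the netcat example, as the bytes sent on the wire.
    print(parse(b"<13>Jan 4 12:12:12 host foo[345]: a syslog message\n"))
    print(encode_pri("auth", "debug"))
```

Because the host and PRI fields come from the sender, a collector that accepts
UDP should record the packet's source address alongside the parsed host.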

--------------------------------------------------------------------------------

Debian / Ubuntu Syslog Local / Remote Configuration

To have syslogd accept log messages from remote hosts, add the -r option
to the command line that starts syslogd and you're good to go. If you're using
Ubuntu, for example, edit /etc/init.d/sysklogd and change the line that reads:
	SYSLOGD="-u syslog"
To read:
	SYSLOGD="-r -u syslog"

On Debian edit /etc/init.d/sysklogd:
	SYSLOGD="-r"

--------------------------------------------------------------------------------

OpenWRT Remote Syslog (send to Linux host)

nvram set log_ipaddr=192.168.4.251
nvram commit

/etc/init.d/rcS
	mkdir /var/log

Logging to a remote syslog server works without the following modification, but
it has been observed that without it the /var/log/messages file will not be
created:
/etc/inittab
	#added for remote syslogd:
	::respawn:/sbin/syslogd -n -L -R debian
	::respawn:/sbin/klogd -n

Notes:

The /etc/init.d/rcS addition creates the path for the local messages log file.
With OpenWRT RC6, /etc/init.d/S10boot creates this directory with the following
command: mkdir -p /var/log. Therefore this addition to rcS is not necessary on
RC6.

--------------------------------------------------------------------------------

syslog-ng (syslog, next generation)

http://www.balabit.hu/en/downloads/syslog-ng/
http://www.campin.net/syslog-ng/faq.html

Debian syslog-ng config file to replace stock syslog:
	http://www.campin.net/syslog-ng/debian-stock-syslog-ng.conf

Enabling Remote Logging
While it's possible to send log messages from remote clients with good old
syslogd, it's really not adequate because it only transmits UDP packets. So you
need syslog-ng installed on all client hosts as well. Adding these lines to
syslog-ng.conf on the server accepts remote messages from clients and dumps them
into a single file per host:

#syslog-ng.conf remote logging, log file per host configuration
source s_remote { tcp(); udp(); };
destination d_clients { file("/var/log/hosts/$HOST"); };
#destination d_clients { file("/var/log/hosts/$HOST/messages"); };
log { source(s_remote); destination(d_clients); };


This is a very simple, but functional example for your client hosts that collects
all local messages and sends them to the remote server:

#syslog-ng.conf for remote syslog clients that log to the syslog server
source s_local { internal(); unix-stream("/dev/log"); file("/proc/kmsg" log_prefix("kernel: ")); };
destination d_loghost { tcp("192.168.1.10" port(514)); };
#the destination name must match the one defined above (d_loghost)
log { source(s_local); destination(d_loghost); };

After editing the syslog-ng.conf file, you must restart the syslog-ng service:
	/etc/init.d/syslog-ng restart