LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 10-12-2009, 12:22 AM   #1
your_shadow03
Senior Member
 
Registered: Jun 2008
Location: Germany
Distribution: Slackware
Posts: 1,461
Blog Entries: 6

Rep: Reputation: 51
Help with Centralized Logging Server?


I have RHEL Machine where I tried to create a Centralized Logging event which I wrote in my own blog http://linuxhunt.blogspot.com/2009/1...d-logging.html


LINUX SERVER
---------------

Code:
 Setup the syslog server 

On the system you want to use as the syslog server, edit the file /etc/sysconf/syslog, and add '-r' as follows: 

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details

SYSLOGD_OPTIONS="-m 0 -r"

# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"



Code:
root@remy:/root>/etc/init.d/syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
root@remy:/root>netstat -an|grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*
Now TRy logging into client and make the changes as:

LINUX CLIENT
---------------
For simplicity, I added a line in the /etc/hosts file to add the name 'loghost' to the other names I am using for my logging server. This is actually beneficial - because I can move my syslog server to another host - and I only have to modify the hosts file...

Next, edit the /etc/syslog.conf file. I added 1 simple line to log all informational messages to the remote loghost:
Code:
*.info @loghost
Note: separate all columns with the tab character, not space.

Finally restart syslog on the client with /etc/init.d/syslog restart.

To test, you can use the command line logging facility called logger. On the client I type:
Code:
root@booker:/etc>logger foobar


And on the server I see: 

root@remy:/root>tail -f /var/log/messages
...
Jun 28 21:17:29 booker bemo: foobar
May I know how it gets added to logs on server.
Do Client http logs to server http??

Sendmail(Client) ==> Sendmail(Server) ??
vsftpd (Client) --> VSFTPD (Server) ??

How does Logs queue up in Server Side?
Any Idea?

Last edited by your_shadow03; 10-12-2009 at 12:25 AM.
 
Old 10-12-2009, 12:29 AM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,241

Rep: Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325
syslog runs as a service daemon on both systems on the 'well-known' IANA port 514 (udp).
What you did was enable the 2 systems to talk to each other with that port.
If you wanted to stop that cxn, without touching the syslog settings, just adjust the firewall (iptables) to block that port.
HTH
 
Old 10-12-2009, 12:37 AM   #3
your_shadow03
Senior Member
 
Registered: Jun 2008
Location: Germany
Distribution: Slackware
Posts: 1,461
Blog Entries: 6

Original Poster
Rep: Reputation: 51
Thanks Chrism1 for the valuable suggestion..
I need one more info: Say, My Server Machine is busy logging into its own log files, say /var/log/messages.Now if anything related to client happens it will log into server not in its own /var/log/messages file(Correct me if i am wrong!!). How does it add up?
Say if we have 1000 machines all logging to server, how will we know which Machines threw logs..Any specific method to differentiate the logs..??
 
Old 10-12-2009, 12:50 AM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,241

Rep: Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325Reputation: 2325
If you look here, you'll see you can have 2 (or more) directives for a given msg level, so you can log locally and remotely.
http://linux.die.net/man/5/syslog.conf

According to this example, the central logger should show the src machine in the msgs http://articles.techrepublic.com.com...1-5285872.html
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Is anyone using Samhain with centralized logging? abefroman Linux - Security 6 04-10-2008 01:40 PM
Centralized Looging Server rajaniyer123 Solaris / OpenSolaris 3 07-07-2007 12:28 PM
Centralized logging with syslog-ng jantman SUSE / openSUSE 2 03-30-2007 09:57 PM
Centralized netdump server. datadisk10 Red Hat 1 10-25-2006 09:16 AM
Centralized login server jpbarto Linux - Networking 2 07-03-2003 02:12 PM


All times are GMT -5. The time now is 05:28 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration