LinuxQuestions.org

Linux - Newbie: Help with Centralized Logging Server? (https://www.linuxquestions.org/questions/linux-newbie-8/help-with-centralized-logging-server-761263/)

your_shadow03 10-11-2009 11:22 PM

Help with Centralized Logging Server?
I have a RHEL machine where I tried to set up centralized logging, which I wrote up in my own blog: http://linuxhunt.blogspot.com/2009/1...d-logging.html


LINUX SERVER
---------------

Code:

Setup the syslog server

On the system you want to use as the syslog server, edit the file /etc/sysconfig/syslog, and add '-r' as follows:

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r"

# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"

Code:

root@remy:/root>/etc/init.d/syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
root@remy:/root>netstat -an|grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*

Now try logging into the client and make the changes as follows:

LINUX CLIENT
---------------
For simplicity, I added a line in the /etc/hosts file to add the name 'loghost' to the other names I am using for my logging server. This is actually beneficial - because I can move my syslog server to another host - and I only have to modify the hosts file...

Next, edit the /etc/syslog.conf file. I added 1 simple line to log all informational messages to the remote loghost:
Code:

*.info @loghost

Note: separate all columns with the tab character, not space.

Finally restart syslog on the client with /etc/init.d/syslog restart.

To test, you can use the command line logging facility called logger. On the client I type:
Code:

root@booker:/etc>logger foobar

And on the server I see:

Code:

root@remy:/root>tail -f /var/log/messages
...
Jun 28 21:17:29 booker bemo: foobar

May I know how it gets added to the logs on the server?
Do client HTTP logs go to the server's HTTP log?

Sendmail (client) ==> Sendmail (server)??
vsftpd (client) --> vsftpd (server)??

How do logs queue up on the server side?
Any idea?

chrism01 10-11-2009 11:29 PM

syslog runs as a service daemon on both systems on the 'well-known' IANA port 514 (UDP).
What you did was enable the 2 systems to talk to each other on that port.
If you wanted to stop that connection, without touching the syslog settings, just adjust the firewall (iptables) to block that port.
HTH

your_shadow03 10-11-2009 11:37 PM

Thanks chrism01 for the valuable suggestion.
I need one more piece of info: say my server machine is busy logging to its own log files, say /var/log/messages. Now if anything related to the client happens, it will log to the server, not to its own /var/log/messages file (correct me if I am wrong!!). How does it add up?
Say we have 1000 machines all logging to the server; how will we know which machines threw logs? Is there any specific method to differentiate the logs??

chrism01 10-11-2009 11:50 PM

If you look here, you'll see you can have 2 (or more) directives for a given msg level, so you can log locally and remotely.
http://linux.die.net/man/5/syslog.conf

According to this example, the central logger should show the src machine in the msgs http://articles.techrepublic.com.com...1-5285872.html
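As an added example (not code from the thread or from sysklogd), here is a small Python model of what the receiving syslogd does with each UDP datagram: it splits the leading <PRI> into facility and severity, applies a syslog.conf selector such as the client's `*.info`, and groups the accepted messages by the HOSTNAME field, which is what lets one server tell 1000 clients apart. The datagrams are constructed, modelled on the `logger foobar` line shown arriving on the server above.

```python
import re
from collections import defaultdict

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron", "authpriv",
              "ftp", "ntp", "audit", "alert", "clock", "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 datagram as sysklogd relays it: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG, with PRI = facility * 8 + severity
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>[^\s:]+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

def parse_line(raw):
    """Split one datagram into its fields; return None if it is malformed or PRI is out of range."""
    m = LINE_RE.match(raw.strip())
    if not m or int(m.group("pri")) > 191:          # 23 * 8 + 7 is the largest legal PRI
        return None
    pri = int(m.group("pri"))
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": m.group("ts"), "host": m.group("host"), "tag": m.group("tag"),
            "pid": m.group("pid"), "msg": m.group("msg")}

def matches_selector(selector, rec):
    """Emulate a syslog.conf selector like '*.info' or 'mail.err': facility equal, severity at least as urgent."""
    fac, sev = selector.split(".")
    fac_ok = fac == "*" or fac == rec["facility"]
    sev_ok = sev == "*" or SEVERITIES.index(rec["severity"]) <= SEVERITIES.index(sev)
    return fac_ok and sev_ok

def route_by_host(datagrams, selector="*.info"):
    """Group accepted records by the HOSTNAME field; that field is how the server tells clients apart."""
    per_host = defaultdict(list)
    for raw in datagrams:
        rec = parse_line(raw)
        if rec is None:
            per_host["_unparsed"].append(raw)           # keep rather than drop: malformed input is itself a signal
        elif matches_selector(selector, rec):
            tag = rec["tag"] + (f"[{rec['pid']}]" if rec["pid"] else "")
            per_host[rec["host"]].append(f"{rec['timestamp']} {rec['host']} {tag}: {rec['msg']}")
    return dict(per_host)

# Constructed datagrams in the shape of the 'logger foobar' line the thread shows arriving on the server.
SAMPLE = [
    "<14>Jun 28 21:17:29 booker bemo: foobar",                   # user.info from the client
    "<22>Jun 28 21:17:40 booker sendmail[2201]: mail accepted",  # mail.info, same client
    "<13>Jun 28 21:17:41 remy root: local message",              # user.notice, the server itself
    "<15>Jun 28 21:17:42 booker vsftpd[3310]: debug chatter",    # user.debug: excluded by *.info
    "not a syslog datagram",
]
```

The HOSTNAME field is filled in by the sending host and is not verified by the receiver, so a collector should also record the UDP peer address next to it and restrict port 514 to known client addresses with iptables, as suggested earlier in the thread.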

