Build syslog server in linux for centralized log management


Step by step guide to configure a syslog server in a Linux environment. Learn how to enable remote syslog logging in Linux for centralized log management.



In many IT infrastructure environments, clients choose to have one centralized syslog server to which all logs from remote systems are collected. It is then easier to filter, monitor, verify and report from a single location rather than querying every system in the infrastructure. In this post we will see how to configure a Linux machine to act as a syslog server.

The configuration has two parts. First, the server-side configuration, done on the Linux machine that will act as the syslog server. Second, the client-side configuration, done on each remote system that will send its logs to the syslog server.

Server side configurations:

The machine that will act as the syslog server should have the prerequisites below in place:

  1. The syslog daemon, i.e. syslogd, should be up and running
  2. The portmap and xinetd services should be running
  3. The targeted client machines' IP range should be able to reach the syslog server over the network.

Once you have made sure all related services are running, proceed to edit the syslogd configuration file, i.e. /etc/syslog.conf. You need to add the -r option to the configuration file, which enables the daemon to receive logs from remote machines.

Here you can see the row with the parameter SYSLOGD_OPTIONS="-m 0". The -r option needs to be added to it, like SYSLOGD_OPTIONS="-r -m 0".

Edit the conf file with a text editor like vi and add the -r option as stated above. Restart the syslog service to pick up the change.

Now your server's syslog daemon is ready to accept logs from remote machines. All messages from remote machines, along with the syslog server's own syslog messages, will be logged in /var/log/messages on the syslog server. Its own messages will have "localhost" in the 2nd field after the date, while remote machines' logs will have the sender's IP/hostname in that field instead of localhost.

It should look like the example below once it starts populating remote machines' logs too, the first entry being its own and the second one being the remote server's log.


Client side configurations:

On the client machine, you need to edit the syslog configuration file /etc/syslog.conf. Here you instruct the syslog daemon to send logs to the remote syslog server.

Open the /etc/syslog.conf configuration file and append user.* @[server IP] to the end of it, where server IP is your syslog server's IP. If you have added the syslog server's IP to /etc/hosts on the client machine, you can give the hostname in the above entry instead of the IP.

user.* defines the type of log messages to be sent to the syslog server. If you want to send all messages to the syslog server you can use *.*, or you can choose the types of logs defined in this config file itself; read through the file and you will see the different types. Defining *.* is not advisable, since it will flood the syslog server with logs and its storage might fill up if you have many machines sending logs to the server at the same time.

This should look like the example below. Check the last line of the file:

After editing the conf file, restart the syslog daemon to put this new config into action.

You can send a test log to check whether your setup is working using the command below:

This will send a user.info type message to syslog locally. It will be logged to the local /var/log/messages and also forwarded to the syslog server at the IP you specified. You should see the entries below:

This confirms that your syslog server is accepting remote logs and that the machine you configured as a client is sending logs to the server too!
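As an added example (not code from the original post), the shell snippet below appends the client forwarding rule idempotently and, on the server side, audits a /var/log/messages excerpt for the expected clients using the host field that follows the timestamp, so a client that has silently stopped forwarding is noticed rather than missed. The server IP 10.0.0.10, the client names and the log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Sample paths, hosts and log lines
# are constructed; 10.0.0.10 stands in for the syslog server's IP.
# add_forward_rule <conf> <selector> <server>: append "<selector> @<server>"
# to a syslog.conf unless that exact rule is already present (safe to re-run).
add_forward_rule() {
    conf=$1 selector=$2 server=$3
    awk -v s="$selector" -v h="@$server" '$1 == s && $2 == h { f=1 } END { exit !f }' "$conf" \
        && return 0
    printf '%s\t@%s\n' "$selector" "$server" >> "$conf"
}

# count_remote <log>: lines whose host field (right after the timestamp) is not
# the server's own "localhost", i.e. lines received from remote machines.
count_remote() {
    awk '$4 != "localhost" { n++ } END { print n+0 }' "$1"
}

# missing_clients <log> <client>...: print each expected client that has no
# line in <log>, so a forwarder that is down or misconfigured is noticed.
missing_clients() {
    log=$1; shift
    for c in "$@"; do
        awk -v h="$c" '$4 == h { f=1 } END { exit !f }' "$log" || echo "$c"
    done
}

# make_sample_log: write a constructed /var/log/messages excerpt, print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jun  5 10:01:02 localhost syslogd 1.4.1: restart (remote reception).
Jun  5 10:01:30 localhost sshd[2311]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
Jun  5 10:02:11 10.0.0.21 root: forwarding test from client01
Jun  5 10:02:40 client02 root: forwarding test from client02
Jun  5 10:03:05 10.0.0.21 sshd[4001]: Failed password for root from 203.0.113.7 port 40122 ssh2
EOF
    echo "$f"
}

# Stand-alone run: add the client rule twice (second call is a no-op), then audit the sample log.
conf=$(mktemp); printf '*.info;mail.none\t/var/log/messages\n' > "$conf"
add_forward_rule "$conf" 'user.*' 10.0.0.10
add_forward_rule "$conf" 'user.*' 10.0.0.10
echo "forwarding rules in conf: $(grep -c '@10.0.0.10' "$conf")"   # 1
log=$(make_sample_log)
echo "lines received from remote machines: $(count_remote "$log")"  # 3
echo "expected clients with no entries: $(missing_clients "$log" 10.0.0.21 client02 client03)"  # client03
rm -f "$conf" "$log"
```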

