1) Setup the syslog serverOn the system you want to use as the syslog server, edit the file /etc/sysconf/syslog, and add '-r' as follows:
- Options to syslogd
- -m 0 disables 'MARK' messages.
- -r enables logging from remote machines
- -x disables DNS lookups on messages recieved with -r
- See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r"
- Options to klogd
- -2 prints all kernel oops messages twice; once for klogd to decode, and
- once for processing with 'ksymoops'
- -x disables all klogd processing of oops messages entirely
- See klogd(8) for more details
Initially I added -x because I thought it would use networked DNS. But as I am logging all from local servers, all of which are defined in /etc/hosts, it doesn't actually go to the network for name lookup. And, having the name of the system in the log file is nice.
Now, restart syslog, and confirm that syslog is listening on port 514 (the syslog port):
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
root@ajeet:/root>netstat -an|grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*
2) Now, configure your client:
For simplicity, I added a line in the /etc/hosts file to add the name 'loghost' to the other names I am using for my logging server. This is actually beneficial - because I can move my syslog server to another host - and I only have to modify the hosts file...
Next, edit the /etc/syslog.conf file. I added 1 simple line to log all informational messages to the remote loghost:
Note: separate all columns with the tab character, not space.
Finally restart syslog on the client with /etc/init.d/syslog restart.
To test, you can use the command line logging facility called logger. On the client I type:
And on the server I see:
root@ajeet:/root>tail -f /var/log/messages
Jun 28 21:17:29 tubxuddy bemo: fooba
Hence, the centralized logging server is Ready !!!