Monday 22 April 2013

Syslog-ng server recording remote syslog streams

Just a quick how-to for capturing remote syslog streams on Gentoo using syslog-ng.

1) Back up your current configuration:
cp /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.backup

2) Modify the existing configuration file so it accepts any and all syslog messages directed at the system (note: not exactly 'organized', but useful for quickly replicating a remote log stream):

Paste the following above the existing 'source src {' line - adjust the tcp port and max-connections if required:
source s_syslog {
        unix-stream("/dev/log");
        udp();
        tcp(ip(0.0.0.0) port(5000) max-connections(300));
        pipe("/proc/kmsg");
};

destination d_syslog { file("/var/log/remote-syslog"); };
log { source(s_syslog); destination(d_syslog); };

3) Restart syslog-ng via openrc (or systemd, whatever you're using). Ignore the pipe/FIFO errors:
 # /etc/init.d/syslog-ng restart
 * Stopping syslog-ng ...
[ ok ]
 * Starting syslog-ng ...
[ ok ]

4) Check that the incoming syslog messages are being recorded to /var/log/remote-syslog:
# tail -f /var/log/remote-syslog
Apr 22 15:10:10 NiXToP syslog-ng[8878]: syslog-ng starting up; version='3.3.5'
Apr 23 02:40:52 192.168.0.211 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.10/44870->172.19.1.2/443 junos-https 6(0) global_drop_all(global) Trust Trust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No
Apr 23 02:40:56 192.168.0.211 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.10/46526->172.19.1.2/80 junos-http 6(0) global_drop_all(global) Trust Trust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No 
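A small parser for what step 4 shows landing in /var/log/remote-syslog, added here as an example and not part of the original post: it splits the syslog-ng header from the message body, picks the Juniper RT_FLOW_SESSION_DENY records apart, tallies them per reporting host, source, destination and port, and counts lines it cannot parse. The sample input is constructed from the lines above plus one junk line.

```python
import re
from collections import Counter

# Constructed sample of /var/log/remote-syslog, modelled on the lines in the post
SAMPLE_LOG = """\
Apr 22 15:10:10 NiXToP syslog-ng[8878]: syslog-ng starting up; version='3.3.5'
Apr 23 02:40:52 192.168.0.211 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.10/44870->172.19.1.2/443 junos-https 6(0) global_drop_all(global) Trust Trust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No
Apr 23 02:40:56 192.168.0.211 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.0.10/46526->172.19.1.2/80 junos-http 6(0) global_drop_all(global) Trust Trust UNKNOWN UNKNOWN N/A(N/A) fe-0/0/6.0 No
garbage line that is not syslog at all
"""

# Header as syslog-ng's default file template writes it: "Mon DD HH:MM:SS host program: message"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$"
)
# Juniper SRX deny body: "session denied SRC/SPORT->DST/DPORT service proto(x) policy(...)"
DENY_RE = re.compile(
    r"^RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) (?P<policy>\S+)"
)

def parse_line(line):
    """Return header fields (plus deny fields when the body is a session deny),
    or None when the line is not a syslog record at all."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    d = DENY_RE.match(rec["msg"])
    if d:
        rec.update(d.groupdict())
        rec["event"] = "deny"
    return rec

def summarize_denies(text):
    """Count deny events per (reporting host, src, dst, dport). The unparsed
    count is returned too, so a feed that turns into junk does not go unnoticed."""
    counts, unparsed = Counter(), 0
    for line in filter(str.strip, text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif rec.get("event") == "deny":
            counts[(rec["host"], rec["src"], rec["dst"], rec["dport"])] += 1
    return counts, unparsed

if __name__ == "__main__":
    counts, bad = summarize_denies(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(n, *key)
    print("unparsed lines:", bad)
```

Because the tcp() and udp() sources above bind 0.0.0.0 with no authentication or TLS, anything that can reach the port can append to this file, so restrict the listener to the expected senders at the firewall and treat the host field as claimed by the sender rather than verified.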

For future reference, the versions this was done on:
# uname -r && syslog-ng -V | head -n 1
3.8.6-gentoo
syslog-ng 3.3.5

2 comments:

  1. How can we create multiple text files containing syslog messages coming to the syslog-ng server? I want to create multiple syslog message text files after every 1 hour or when a certain size limit is reached.