Well, this definitely was an adventure! My goal was to have my firewall and SMTP gateway send ALL of their logging information to a central syslog server. Doesn't sound too hard, does it? Well, it wasn't. The hard part was figuring out how to make all of those log messages go to files specific to each host. The man page for syslog didn't make it exactly clear, but like everything else that I do, trial and error worked best. And, as usual, I am making notes here for my future reference. If these notes help you, then so much the better!
First, my two hosts are named LKLDIPFW01 and SMTPGW01. I reconfigured /etc/syslog.conf on both machines to send their logging information to the remote host. I did that by adding this line to the file:
In that line, '10.0.0.8' is the IP address of my syslog host. Then I restarted syslogd so that it picked up the change, by sending a HUP to the process, as follows:
#kill -HUP `cat /var/run/syslog.pid`
That is all there is to it! Configuring the client is easy; it is the server that was a bugger. First, you need to modify /etc/rc.conf so that these flags are passed to syslogd at boot:
syslogd_flags="-a 10.0.0.1/32 -a 10.0.0.2/32"
where 10.0.0.1/32 and 10.0.0.2/32 are the IP addresses of the two clients. I then had to add the configuration for each host to the /etc/syslog.conf file. This was the toughest part to figure out. What I didn't realize until much cussing is that the configuration for each host had to be at the beginning of the file; otherwise all of the remote logging went into the syslog host's own log files, all mashed together. So, here it is:
#
# ---- Logging for SMTPGW01 ----
#
+smtpgw01
kern.*;*.alert;*.crit;*.emerg;*.err    /var/log/remote_host_logging/smtpgw01/syslog.log
auth.*                                 /var/log/remote_host_logging/smtpgw01/auth.log
security.*                             /var/log/remote_host_logging/smtpgw01/security.log
daemon.*                               /var/log/remote_host_logging/smtpgw01/daemon.log
mail.*                                 /var/log/remote_host_logging/smtpgw01/mail.log
cron.*                                 /var/log/remote_host_logging/smtpgw01/cron.log
lpr.*                                  /var/log/remote_host_logging/smtpgw01/lpr.log
local0.*                               /var/log/remote_host_logging/smtpgw01/local0.log
local1.*                               /var/log/remote_host_logging/smtpgw01/local1.log
local2.*                               /var/log/remote_host_logging/smtpgw01/local2.log
local3.*                               /var/log/remote_host_logging/smtpgw01/local3.log
local4.*                               /var/log/remote_host_logging/smtpgw01/local4.log
local5.*                               /var/log/remote_host_logging/smtpgw01/local5.log
local6.*                               /var/log/remote_host_logging/smtpgw01/local6.log
local7.*                               /var/log/remote_host_logging/smtpgw01/local7.log
-smtpgw01
#
# ---- Logging for LKLDIPFW01 ----
#
+lkldipfw01
kern.*;*.alert;*.crit;*.emerg;*.err    /var/log/remote_host_logging/lkldipfw01/syslog.log
auth.*                                 /var/log/remote_host_logging/lkldipfw01/auth.log
security.*                             /var/log/remote_host_logging/lkldipfw01/security.log
daemon.*                               /var/log/remote_host_logging/lkldipfw01/daemon.log
mail.*                                 /var/log/remote_host_logging/lkldipfw01/mail.log
cron.*                                 /var/log/remote_host_logging/lkldipfw01/cron.log
lpr.*                                  /var/log/remote_host_logging/lkldipfw01/lpr.log
local0.*                               /var/log/remote_host_logging/lkldipfw01/local0.log
local1.*                               /var/log/remote_host_logging/lkldipfw01/local1.log
local2.*                               /var/log/remote_host_logging/lkldipfw01/local2.log
local3.*                               /var/log/remote_host_logging/lkldipfw01/local3.log
local4.*                               /var/log/remote_host_logging/lkldipfw01/local4.log
local5.*                               /var/log/remote_host_logging/lkldipfw01/local5.log
local6.*                               /var/log/remote_host_logging/lkldipfw01/local6.log
local7.*                               /var/log/remote_host_logging/lkldipfw01/local7.log
-lkldipfw01
#
#
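The following script is an added example and is not code from the post. It covers both halves of the setup above in FreeBSD syslog.conf syntax: on the client, ensure_forward adds the forwarding line (the standard "*.* @server" form) exactly once, and on the server, build_conf prints one +host block per client and prepare_dir creates the per-host directory and the empty log files, since syslogd does not create them itself. It goes beyond the post in two ways: it takes any number of client hosts, and each block ends with "+*", which per syslog.conf(5) resets the host selection so that the rules after the remote blocks apply to every host again. The base directory and host names are parameters; the paths shown in usage comments are the post's. One practitioner caveat on the rc.conf step: FreeBSD's default syslogd_flags is "-s", which refuses messages from the network, so replacing it with the -a entries is what makes the server accept UDP 514 from those two addresses and nothing else.

```shell
#!/bin/sh
# Added example, not from the original post.
#   client:  ensure_forward CONF SERVER_IP  -> appends "*.*<tab>@SERVER_IP" once
#   server:  prepare_dir BASEDIR HOST       -> directory plus empty log files
#            build_conf BASEDIR HOST...     -> prints one +host block per client

# Facilities the post sends to their own files (everything except the catch-all)
FACILITIES="auth security daemon mail cron lpr local0 local1 local2 local3 local4 local5 local6 local7"

# ---- client side -----------------------------------------------------------

# ensure_forward CONF SERVER -> adds the forwarding rule unless CONF has it.
# Prints "added" or "present" so the caller knows whether to HUP syslogd
# (kill -HUP `cat /var/run/syslog.pid`, as in the post).
ensure_forward() {
    conf=$1
    srv=$2
    if grep -q "@$srv" "$conf" 2>/dev/null; then
        echo present
    else
        printf '*.*\t@%s\n' "$srv" >> "$conf"
        echo added
    fi
}

# ---- server side -----------------------------------------------------------

# host_block HOST BASEDIR -> prints the syslog.conf fragment for HOST
host_block() {
    h=$1
    d=$2/$1
    printf '#\n# ---- Logging for %s ----\n#\n' "$h"
    printf '+%s\n' "$h"
    # kernel messages plus anything at err or worse, from any facility
    printf 'kern.*;*.alert;*.crit;*.emerg;*.err\t%s/syslog.log\n' "$d"
    for f in $FACILITIES; do
        printf '%s.*\t%s/%s.log\n' "$f" "$d" "$f"
    done
    # "+*" ends the host selection: rules below apply to all hosts again
    printf '+*\n\n'
}

# log_files -> the file names every per-host directory needs
log_files() {
    printf 'syslog.log\n'
    for f in $FACILITIES; do printf '%s.log\n' "$f"; done
}

# prepare_dir BASEDIR HOST -> creates BASEDIR/HOST and the empty log files.
# syslogd will not create a missing log file, so this replaces the touch loop.
prepare_dir() {
    d=$1/$2
    mkdir -p "$d"
    for f in $(log_files); do
        [ -e "$d/$f" ] || : > "$d/$f"
    done
    chmod 640 "$d"/*.log   # remote logs are not world-readable
}

# build_conf BASEDIR HOST... -> all remote blocks. Paste the output at the
# top of the server's /etc/syslog.conf, before its own rules, as the post found.
build_conf() {
    b=$1; shift
    for h in "$@"; do host_block "$h" "$b"; done
}

# usage: sh remote_syslog.sh /var/log/remote_host_logging smtpgw01 lkldipfw01
if [ $# -ge 2 ]; then
    b=$1; shift
    for h in "$@"; do prepare_dir "$b" "$h"; done
    build_conf "$b" "$@"
fi
```

Run it as root on the server with the base directory and the client names; redirect the output to a file and splice it into the top of /etc/syslog.conf, then HUP syslogd. On each client, call ensure_forward on /etc/syslog.conf with the server's address and HUP syslogd only when it prints "added".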
Next, I went to each one of the client logging directories and touched all of the new log files, as such:
touch syslog.log
touch auth.log
touch security.log
touch daemon.log
touch mail.log
touch cron.log
touch lpr.log
touch local0.log
touch local1.log
touch local2.log
touch local3.log
touch local4.log
touch local5.log
touch local6.log
touch local7.log
Now, with all of this done, I went to each client and tested the logging with the following command:
logger -i -p security.err -t `date`
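To check what a test message like that should produce on the server before looking at the files, here is an added example (not from the post) that models how syslogd matches one received datagram against the rule set above. It decodes the <PRI> value that precedes the timestamp on the wire into facility and severity, takes the hostname from the header, and prints every file the post's rules would write to; the sample lines and the base directory are constructed. Two things it makes visible: a security.err message matches both the first rule (*.err) and the security.* rule, so it is written to syslog.log and security.log, and logger's default priority is user.notice, which none of the rules above route, so a bare logger test with no -p would land in no per-host file at all. Hostnames are compared case-insensitively, mirroring the post, where uppercase client names matched the lowercase +host lines.

```shell
#!/bin/sh
# Added example, not from the original post: a POSIX sh model of syslogd's
# rule matching for the per-host configuration in the post.

# Facility numbers as defined in FreeBSD's <sys/syslog.h>
facility_name() {
    case $1 in
        0) echo kern ;;     1) echo user ;;      2) echo mail ;;
        3) echo daemon ;;   4) echo auth ;;      5) echo syslog ;;
        6) echo lpr ;;      7) echo news ;;      8) echo uucp ;;
        9) echo cron ;;    10) echo authpriv ;; 11) echo ftp ;;
       12) echo ntp ;;     13) echo security ;; 14) echo console ;;
       16|17|18|19|20|21|22|23) echo "local$(( $1 - 16 ))" ;;
        *) echo unknown ;;
    esac
}

# Severity numbers, 0 being the most severe
severity_name() {
    case $1 in
        0) echo emerg ;; 1) echo alert ;;   2) echo crit ;; 3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;; 7) echo debug ;;
        *) echo unknown ;;
    esac
}

# pri_to_text PRI -> "facility.severity", handy when reading raw captures
pri_to_text() {
    printf '%s.%s\n' "$(facility_name $(( $1 / 8 )))" "$(severity_name $(( $1 % 8 )))"
}

# route_line LINE BASEDIR
# LINE is the raw datagram payload: "<PRI>Mmm dd hh:mm:ss hostname tag: msg"
# Prints the space separated files the post's rules select for it, or an
# empty line when no rule matches (syslogd then simply drops the message).
route_line() {
    line=$1
    base=$2
    pri=${line#<}
    pri=${pri%%>*}
    rest=${line#*>}
    set -f                      # no globbing while word-splitting the message
    set -- $rest                # fields: month day time hostname ...
    set +f
    host=$(printf '%s' "$4" | tr 'A-Z' 'a-z')   # post's directories are lowercase
    fac=$(( pri / 8 ))
    sev=$(( pri % 8 ))
    facname=$(facility_name "$fac")
    dir=$base/$host
    out=""
    # rule 1: kern.*;*.alert;*.crit;*.emerg;*.err -> syslog.log
    if [ "$fac" -eq 0 ] || [ "$sev" -le 3 ]; then
        out="$dir/syslog.log"
    fi
    # remaining rules: one file per facility; every matching rule fires
    case $facname in
        auth|security|daemon|mail|cron|lpr|local[0-7])
            out="${out:+$out }$dir/$facname.log" ;;
    esac
    printf '%s\n' "$out"
}

# Constructed sample datagrams (not real captures); run with "demo" to see them
if [ "${1-}" = demo ]; then
    for l in '<107>Mar  3 10:00:00 SMTPGW01 logger[42]: test from the gateway' \
             '<134>Mar  3 10:00:01 lkldipfw01 pf: block in on em0' \
             '<13>Mar  3 10:00:02 smtpgw01 logger: default user.notice'; do
        printf '%s -> [%s]\n' "$l" "$(route_line "$l" /var/log/remote_host_logging)"
    done
fi
```

If a message you sent with logger never shows up, run its PRI through pri_to_text and the line through route_line first; an empty result means the rule set, not the network, is the reason.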
This should do it, unless I am just lucky. Let me know if you think that I have something screwed up here. Enjoy!
My name is Michael Oliver, and I can be contacted by email here.