Syslog
Well, this definitely was an adventure!  My goal was to have my firewall and SMTP gateway send ALL of their logging information to a central syslog server.  Doesn't sound too hard, does it?  Well, it wasn't.  The hard part was figuring out how to make all of those logging statements go to files named specifically for each host.  The man page for syslog didn't make it exactly clear, but like everything else that I do, trial and error worked best.  And, as usual, I am making notes here for my future reference.  If these notes help you, then so much the better!

First, my two hosts are named LKLDIPFW01 and SMTPGW01.  I reconfigured /etc/syslog.conf on both machines to send their logging information to the remote host.  I did that by adding this command to the file:

*.*            @10.0.0.8

Where '10.0.0.8' is the IP address of my syslog host.  Then I had syslogd pick up that change by sending a HUP to the process, as follows:

# kill -HUP `cat /var/run/syslog.pid`

That is all there is to it!  Configuring the client is easy; it is the server that was a bugger.  First, you need to modify your /etc/rc.conf so that you pass these flags to syslogd upon boot:

syslogd_flags="-a 10.0.0.1/32 -a 10.0.0.2/32"

where 10.0.0.1/32 and 10.0.0.2/32 are the IP addresses of the two clients.  I then had to add the configuration for each host to the /etc/syslog.conf file.  This was the toughest part to figure out.  What I didn't realize until much cussing is that the configuration for each host had to be at the beginning of the file; otherwise, all of the logging went into the host's own log files, all mashed together.  So, here it is:

#
# ---- Logging for SMTPGW01 ---- #
#
+smtpgw01
kern.*;*.alert;*.crit;*.emerg;*.err /var/log/remote_host_logging/smtpgw01/syslog.log
auth.* /var/log/remote_host_logging/smtpgw01/auth.log
security.* /var/log/remote_host_logging/smtpgw01/security.log
daemon.* /var/log/remote_host_logging/smtpgw01/daemon.log
mail.* /var/log/remote_host_logging/smtpgw01/mail.log
cron.* /var/log/remote_host_logging/smtpgw01/cron.log
lpr.* /var/log/remote_host_logging/smtpgw01/lpr.log
local0.* /var/log/remote_host_logging/smtpgw01/local0.log
local1.* /var/log/remote_host_logging/smtpgw01/local1.log
local2.* /var/log/remote_host_logging/smtpgw01/local2.log
local3.* /var/log/remote_host_logging/smtpgw01/local3.log
local4.* /var/log/remote_host_logging/smtpgw01/local4.log
local5.* /var/log/remote_host_logging/smtpgw01/local5.log
local6.* /var/log/remote_host_logging/smtpgw01/local6.log
local7.* /var/log/remote_host_logging/smtpgw01/local7.log
-smtpgw01
#
# ---- Logging for LKLDIPFW01 ---- #
#
+lkldipfw01
kern.*;*.alert;*.crit;*.emerg;*.err /var/log/remote_host_logging/lkldipfw01/syslog.log
auth.* /var/log/remote_host_logging/lkldipfw01/auth.log
security.* /var/log/remote_host_logging/lkldipfw01/security.log
daemon.* /var/log/remote_host_logging/lkldipfw01/daemon.log
mail.* /var/log/remote_host_logging/lkldipfw01/mail.log
cron.* /var/log/remote_host_logging/lkldipfw01/cron.log
lpr.* /var/log/remote_host_logging/lkldipfw01/lpr.log
local0.* /var/log/remote_host_logging/lkldipfw01/local0.log
local1.* /var/log/remote_host_logging/lkldipfw01/local1.log
local2.* /var/log/remote_host_logging/lkldipfw01/local2.log
local3.* /var/log/remote_host_logging/lkldipfw01/local3.log
local4.* /var/log/remote_host_logging/lkldipfw01/local4.log
local5.* /var/log/remote_host_logging/lkldipfw01/local5.log
local6.* /var/log/remote_host_logging/lkldipfw01/local6.log
local7.* /var/log/remote_host_logging/lkldipfw01/local7.log
-lkldipfw01
#
#

Next, I went to each one of the client logging directories and touched all of the new log files, as such:

touch syslog.log
touch auth.log
touch security.log
touch daemon.log
touch mail.log
touch cron.log
touch lpr.log
touch local0.log
touch local1.log
touch local2.log
touch local3.log
touch local4.log
touch local5.log
touch local6.log
touch local7.log

Now, with all of this done, I went to each client and tested the logging capability using the following command:

logger -i -p security.err -t `date`
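Since the two syslog.conf blocks and the touch commands above are identical apart from the host name, here is an added shell script (mine, not part of the original notes) that generates the +host ... -host stanza and creates the empty log files for any list of clients.  It assumes the page's /var/log/remote_host_logging/<host>/ layout; LOGROOT can be overridden in the environment to try it in a scratch directory first.

```sh
#!/bin/sh
# Added example, not part of the original notes: generate the per-host
# /etc/syslog.conf stanza and the empty log files for any list of client
# hosts, so the two hand-written blocks need not be retyped per host.
# Assumes the page's layout /var/log/remote_host_logging/<host>/; LOGROOT
# may be overridden in the environment (handy for trying it in a temp dir).

# Facilities that each get their own file, as in the page's configuration.
FACILITIES="auth security daemon mail cron lpr local0 local1 local2 local3 local4 local5 local6 local7"

# Print the +host ... -host stanza for one client (lowercase name, as
# syslogd matches it). Selector and action are separated by a tab.
gen_host_block() {
    host=$1
    dir="${LOGROOT:-/var/log/remote_host_logging}/$host"
    printf '#\n# ---- Logging for %s ---- #\n#\n' "$host"
    printf '%s\n' "+$host"
    printf 'kern.*;*.alert;*.crit;*.emerg;*.err\t%s/syslog.log\n' "$dir"
    for fac in $FACILITIES; do
        printf '%s.*\t%s/%s.log\n' "$fac" "$dir" "$fac"
    done
    printf '%s\n' "-$host"
}

# Create the host directory and touch every file the stanza refers to,
# since syslogd does not create missing log files itself.
make_log_files() {
    dir="${LOGROOT:-/var/log/remote_host_logging}/$1"
    mkdir -p "$dir"
    touch "$dir/syslog.log"
    for fac in $FACILITIES; do
        touch "$dir/$fac.log"
    done
}

# Usage: sh gen_syslog_hosts.sh smtpgw01 lkldipfw01 > hosts.conf
# The stanzas go to stdout and belong at the top of /etc/syslog.conf,
# ahead of the local rules, as the notes above explain.
for h in "$@"; do
    gen_host_block "$h"
    make_log_files "$h"
done
```

Run it as root (or with LOGROOT pointing somewhere writable), then paste hosts.conf at the top of /etc/syslog.conf and HUP syslogd as described earlier.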

This should do it, unless I am just lucky. Let me know if you think that I have something screwed up here. Enjoy!

My name is Michael Oliver, and I can be contacted by email here.
This page was last modified on Friday, 11-Mar-2011 21:01:58 UTC.