Tuesday, February 22, 2005

Centralizing Syslogs

Simple methods to set up a basic syslog server and start sending logs to it.

Tested with RedHat 7/8/9, Fedora Core 2 and Core 3


Set Up a Syslog Server

Unfortunately, in my testing the /etc/sysconfig/syslog parameters did not take effect, so /etc/rc.d/init.d/syslog has to be edited by hand. Add the "-r" option (accept messages from remote hosts over the network) to the daemon line of the start() function.

/etc/rc.d/init.d/syslog excerpt

[...]
start() {
        echo -n $"Starting system logger: "
        # -r makes syslogd listen on UDP port 514 for messages from remote hosts
        daemon syslogd -h -r $SYSLOGD_OPTIONS
        RETVAL=$?
        echo
        echo -n $"Starting kernel logger: "
        daemon klogd $KLOGD_OPTIONS
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
        return $RETVAL
}
[...]

Once edited, save and restart the syslog daemon.

service syslog restart

Check that it is listening on UDP port 514. Note that with "-r" syslogd accepts messages from any host, so restrict access to UDP 514 to the intended clients at the firewall.

netstat -an | grep 514

SENDING LINUX CLIENT SYSLOGs TO THE SYSLOG SERVER

Edit /etc/syslog.conf and use the "@" action to send messages to a remote host. In the example below, note that this host logs both locally and to the remote syslog server, so the event is recorded locally at the very least if a network disruption prevents communication with the central syslog server.

/etc/syslog.conf excerpt


[...]

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none        /var/log/messages
*.info;mail.none;authpriv.none;cron.none        @10.x.x.x

# The authpriv file has restricted access.
authpriv.*                                      /var/log/secure
authpriv.*                                      @10.x.x.x

[...]


Once edited, save and restart the syslog daemon.

service syslog restart
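As an added example (not part of the original article), the following shell script checks a syslog.conf for the local-plus-remote pattern described above: it reports every selector that is forwarded to an "@" host without an identical selector also writing to a local file, and lists the remote hosts in use. The configuration it parses is a constructed sample that reuses the article's 10.x.x.x placeholder.

```shell
#!/bin/sh
# Constructed sample syslog.conf: the kern.* line is deliberately
# forward-only so the check has something to flag.
SAMPLE_CONF=$(cat <<'EOF'
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
*.info;mail.none;authpriv.none;cron.none    @10.x.x.x
authpriv.*                                  /var/log/secure
authpriv.*                                  @10.x.x.x
# Kernel messages go to the central server only: no local copy.
kern.*                                      @10.x.x.x
EOF
)

# Read syslog.conf text on stdin; print each selector that has an "@host"
# action but no local file (/path) action with the identical selector.
# Such events are lost if the network to the central server is down.
forward_only_selectors() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }      # skip comments and blanks
        {
            sel = $1; act = $2
            if (act ~ /^@/)       remote[sel] = 1
            else if (act ~ /^\//) local[sel]  = 1
        }
        END {
            for (s in remote) if (!(s in local)) print s
        }
    ' | sort
}

# Read syslog.conf text on stdin; print each distinct remote host referenced.
remote_hosts() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && $2 ~ /^@/ { sub(/^@/, "", $2); print $2 }' \
        | sort -u
}

# Run the checks against the sample (or replace with: < /etc/syslog.conf).
main() {
    echo "Remote syslog hosts:"
    printf '%s\n' "$SAMPLE_CONF" | remote_hosts
    echo "Selectors forwarded without a local copy:"
    printf '%s\n' "$SAMPLE_CONF" | forward_only_selectors
}
```

Feed the real file with `forward_only_selectors < /etc/syslog.conf` to audit a client before pointing it at the central server.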

SENDING WINDOWS CLIENT EVENT LOGS TO THE SYSLOG SERVER

Get NTSyslog from its SourceForge site (http://ntsyslog.sourceforge.net/). Install it, run the GUI control 'NTSyslogCtrl.exe' and point the machine at the central syslog server.

AUTOMATING DEPLOYMENT

Create a folder called 'ntsyslog'. Extract ntsyslog-1.13.zip [1] into that folder, which creates a subfolder 'ntsyslog-1.13'. Create the following batch and registry files in the 'ntsyslog' folder.

NtSyslogReg

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet]
"Syslog"="your.server.here"
"syslog1"="your.other.server.here"

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Application]
"Information"=dword:00000000
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000000
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\System]
"Information"=dword:00000000
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000000
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Security]
"Information"=dword:00000000
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000000
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009

NtSyslogBatch

@echo off
rem Copy the NTSyslog files from the share (\\server\ntsyslog, see the
rem resulting tree below), register the service and import the registry file.
cmd /c xcopy \\server\ntsyslog\ntsyslog-1.13\* c:\ntsyslog\ /Y /S
cmd /c c:\ntsyslog\ntsyslog.exe -install
cmd /c regedit /s \\server\ntsyslog\ntsyslog.reg
echo Syslogger will be installed at next reboot.

Resulting tree:

ntsyslog (shared as \\server\ntsyslog)
|
|-------ntsyslog.reg
|-------install_ntsyslog.bat
|-------ntsyslog-1.13
        |
        |------(NT Syslog files...)

** NOTE FOR WINXP SP2 **
Be sure to allow the NTSyslog application through the Windows Firewall. Otherwise the log server will receive error messages every second until its disk fills up (~20GB/day).

AUTOMATING DEPLOYMENT FOR WINDOWS 98

Same as above, but use this modified batch script (command.com instead of cmd.exe).

NtSyslogBatch98

@echo off
rem Windows 98 variant: command.com instead of cmd.exe; same share as above.
command /c xcopy \\server\ntsyslog\ntsyslog-1.13\* c:\ntsyslog\ /Y /S
command /c c:\ntsyslog\ntsyslog.exe -install
command /c regedit /s \\server\ntsyslog\ntsyslog.reg
echo Syslogger will be installed at next reboot.
