Simple methods to setup a basic syslog server and start sending logs to it.
Tested with RedHat 7/8/9, Fedora Core 2 and Core 3
Set Up a Syslog Server
Unfortunately the /etc/sysconfig/syslog parameters did not work in my testing, so manual editing of /etc/rc.d/init.d/syslog is necessary: add the "-r" option (accept messages from the network) to the daemon line of the start() function.
/etc/rc.d/init.d/syslog excerpt
[...]
start() {
echo -n $"Starting system logger: "
daemon syslogd -h -r $SYSLOGD_OPTIONS
RETVAL=$?
echo
echo -n $"Starting kernel logger: "
daemon klogd $KLOGD_OPTIONS
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
return $RETVAL
}
[...]
Once edited, save and restart the syslog daemon.
service syslog restart
Check to see if it is listening on UDP port 514.
netstat -an | grep 514
SENDING LINUX CLIENT SYSLOGs TO THE SYSLOG SERVER
Edit the /etc/syslog.conf file to direct syslog output to a remote host with the "@" action. In the example below, note that this client records each message both locally and to the remote syslog server. This ensures that the event is recorded locally at the very least if a network disruption prevents communication with the central syslog server.
/etc/syslog.conf excerpt
[...]
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @10.x.x.x
# The authpriv file has restricted access.
authpriv.* /var/log/secure
authpriv.* @10.x.x.x
[...]
Once edited, save and restart the syslog daemon.
service syslog restart
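To see what the server actually receives on UDP 514 and why the selectors above send an authpriv message to /var/log/secure but not to /var/log/messages, here is an added example (not code from the original post). It builds RFC 3164-style datagrams, splits the leading PRI into facility and severity (PRI = facility*8 + severity), and evaluates the post's own syslog.conf excerpt with sysklogd's selector semantics: later fields such as mail.none override earlier ones, and "facility.level" means that level or more urgent. The "=" and "!" level modifiers are not implemented; the loopback helper uses an ephemeral port instead of 514 so it runs unprivileged. All sample messages are constructed.

```python
"""Added example: RFC 3164 PRI handling and sysklogd selector evaluation."""
import re
import socket

# Facility and severity codes from RFC 3164 / <syslog.h>.
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
}
FACILITY_NAMES.update({16 + i: "local%d" % i for i in range(8)})
FACILITY_CODES = {name: code for code, name in FACILITY_NAMES.items()}

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_CODES = {name: code for code, name in enumerate(SEVERITY_NAMES)}
SEVERITY_CODES.update({"panic": 0, "error": 3, "warn": 4})  # syslog.conf aliases

# The post's /etc/syslog.conf excerpt (spaces stand in for the usual tabs).
SYSLOG_CONF = """\
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @10.x.x.x
authpriv.* /var/log/secure
authpriv.* @10.x.x.x
"""


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def build_message(facility, severity, timestamp, host, tag, text):
    """Wire format a sysklogd '@host' action puts on UDP port 514 (clear text)."""
    pri = encode_pri(facility, severity)
    return ("<%d>%s %s %s: %s" % (pri, timestamp, host, tag, text)).encode()


_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_message(datagram):
    """Split a received datagram into PRI, facility, severity and the rest.

    A datagram without a valid PRI is treated as user.notice (PRI 13),
    which is what RFC 3164 section 4.3.3 tells a relay to do.
    """
    m = _PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:
        pri, body = int(m.group(1)), m.group(2)
    else:
        pri, body = 13, datagram
    return {
        "pri": pri,
        "facility": FACILITY_NAMES.get(pri >> 3, "facility%d" % (pri >> 3)),
        "severity": SEVERITY_NAMES[pri & 7],
        "body": body.decode("utf-8", "replace"),
    }


def selector_thresholds(selector):
    """Evaluate a selector list such as '*.info;mail.none;authpriv.none'.

    Returns {facility_code: most_verbose_severity_code}; a facility that is
    absent is not logged. Later fields override earlier ones, which is how
    'mail.none' punches a hole in '*.info'.
    """
    thresholds = {}
    for field in selector.split(";"):
        facilities, level = field.rsplit(".", 1)
        codes = (list(FACILITY_CODES.values()) if facilities == "*"
                 else [FACILITY_CODES[f] for f in facilities.split(",")])
        for code in codes:
            if level == "none":
                thresholds.pop(code, None)
            elif level == "*":
                thresholds[code] = SEVERITY_CODES["debug"]
            else:
                thresholds[code] = SEVERITY_CODES[level]
    return thresholds


def route(config, msg):
    """Return the actions (files or '@host' forwards) config selects for msg."""
    actions = []
    fac_code = FACILITY_CODES.get(msg["facility"], msg["pri"] >> 3)
    sev_code = SEVERITY_CODES[msg["severity"]]
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        limit = selector_thresholds(selector).get(fac_code)
        if limit is not None and sev_code <= limit:  # lower code = more urgent
            actions.append(action.strip())
    return actions


def loopback_roundtrip(datagram):
    """Send a datagram over UDP to ourselves and parse it on arrival.

    Same path as a real relay on port 514; an ephemeral port on 127.0.0.1
    is used here so the example runs without root.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", 0))
        sock.settimeout(2)
        sock.sendto(datagram, sock.getsockname())
        data, _ = sock.recvfrom(2048)
    return parse_message(data)


if __name__ == "__main__":
    # Constructed sshd login record: authpriv.info -> PRI 86.
    sample = build_message("authpriv", "info", "Jan  5 10:00:00", "client", "sshd[1]", "Accepted password")
    parsed = loopback_roundtrip(sample)
    print(parsed["facility"], parsed["severity"], route(SYSLOG_CONF, parsed))
```

Running it shows the authpriv message landing only in /var/log/secure and the forward to @10.x.x.x: the first two lines drop it through authpriv.none, which is why the post keeps separate authpriv.* lines. The same functions show that cron.info is dropped entirely by cron.none and that user.debug is below the *.info threshold and never leaves the box.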
SENDING WINDOWS CLIENT EVENT LOGS TO THE SYSLOG SERVER
Get NTSyslog from SourceForge (http://ntsyslog.sourceforge.net/). Install it, run the GUI control 'NTSyslogCtrl.exe' and point the machine at the central syslog server.
AUTOMATING DEPLOYMENT
Create a folder called 'ntsyslog'. Extract the ntsyslog-1.13.zip [1] file inside that folder, creating a folder 'ntsyslog-1.13'. Create the following batch and registry files in the 'ntsyslog' folder.
ntsyslog.reg
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet]
"Syslog"="your.server.here"
"syslog1"="your.other.server.here"
[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Application]
"Information"=dword:00000000
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000000
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009
[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\System]
"Information"=dword:00000000
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000000
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009
[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Security]
"Information"=dword:00000000
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000000
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009
install_ntsyslog.bat
@echo off
cmd /c xcopy \\
cmd /c c:\ntsyslog\ntsyslog.exe -install
cmd /c regedit /s \\
echo Syslogger will be installed at next reboot.
Resulting tree:
ntsyslog (shared as \\server\ntsyslog)
|
|-------ntsyslog.reg
|-------install_ntsyslog.bat
|-------ntsyslog-1.13
|
|------(NT Syslog files...)
** NOTE FOR WINXP SP2 **
Be sure to allow the NTSyslog application through the Windows Firewall. Otherwise the log server will receive error messages every second until its disk fills (~ 20GB/day).
AUTOMATING DEPLOYMENT FOR WINDOWS 98
Same as above, only use this modified batch script.
install_ntsyslog.bat (Windows 98 version)
@echo off
command /c xcopy \\
command /c c:\ntsyslog\ntsyslog.exe -install
command /c regedit /s \\
echo Syslogger will be installed at next reboot.