1) Configuration of both log server and log client:

Check whether /etc/services has an entry for port 514 (the default syslog port):

grep 514 /etc/services

syslog 514/udp

Allow traffic on this port with a suitable firewall rule:

-A RH-Firewall-1-INPUT -p udp --dport 514 -j ACCEPT

By default syslog is not configured to send logs to remote hosts or to accept them from the network. To change this, edit the startup options in /etc/sysconfig/syslog and add '-r' to SYSLOGD_OPTIONS.

Now we are ready to configure syslog itself. The configuration lives in /etc/syslog.conf; the entries differ between the log server and the log client.

2) Configuration of log server:

You have to tell the server which log client to accept messages from and where the client's logs should be written. To do this, add two lines to /etc/syslog.conf:

+LOG_CLIENT
log_source.log_type log_file

where:

  • LOG_CLIENT can be a hostname or an IP address. If you use a hostname, it has to be resolvable via DNS or listed in /etc/hosts.
  • log_source.log_type – the subsystem (facility) the messages come from and the message priority. A few examples: user.notice -> messages from users; kernel.warn -> warnings from the kernel; *.* -> all messages from all subsystems.
  • log_file – the file the logs will be written to.

Example:

+log_client
user.* /var/log/log_client.log

In the above example, messages from the user subsystem on host 'log_client' will be written to /var/log/log_client.log.


3) Configuration of log client:

In /etc/syslog.conf you have to specify which logs will be forwarded to the log server:

log_source.log_type @LOG_SERVER

where:

  • log_source.log_type – the subsystem (facility) the messages come from and the message priority. A few examples: user.notice -> messages from users; kernel.warn -> warnings from the kernel; *.* -> all messages from all subsystems.
  • LOG_SERVER can be a hostname or an IP address. If you use a hostname, it has to be resolvable via DNS or listed in /etc/hosts.

Example:

user.* @log_server

In the above example, messages from the user subsystem will be sent to the host 'log_server'.

Remember to restart the syslog service after any change to /etc/syslog.conf:

service syslog restart
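As an added illustration (not part of the original post), this Python script resolves where a sysklogd-style syslog.conf sends a message of a given facility and priority, applying the selector rules described above (a priority selects itself and anything more severe, later selectors in a line override earlier ones) and the page's '+HOST' scoping; the sample configurations and host names are constructed.

```python
# Priority keywords from most to least severe; sysklogd also accepts the aliases.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def _level(name: str) -> int:
    return PRIORITIES.index(ALIASES.get(name, name))


def selector_matches(selector: str, facility: str, priority: str) -> "bool | None":
    """Evaluate one 'fac[,fac].prio' selector: True = match, False = excluded
    by 'none', None = the selector says nothing about this facility."""
    facs, _, prio = selector.rpartition(".")
    if facility not in facs.split(",") and "*" not in facs.split(","):
        return None
    if prio == "none":
        return False
    if prio == "*":
        return True
    if prio.startswith("="):                  # '=prio': exactly this priority
        return _level(priority) == _level(prio[1:])
    return _level(priority) <= _level(prio)   # 'prio': this one or more severe


def route(conf: str, source_host: str, facility: str, priority: str) -> "list[str]":
    """Return the actions (log file or @host) that receive a facility.priority
    message from source_host. Assumption, following the page's description:
    a '+HOST' line scopes every rule after it to messages from HOST."""
    actions, scope = [], None                 # scope None: rule applies to any host
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("+"):
            scope = line[1:].strip()
            continue
        if scope is not None and scope != source_host:
            continue
        selectors, action = line.split(None, 1)
        verdict = None                        # later selectors override earlier ones
        for sel in selectors.split(";"):
            hit = selector_matches(sel, facility, priority)
            verdict = hit if hit is not None else verdict
        if verdict:
            actions.append(action.strip())
    return actions


# Constructed sample configs mirroring the page's examples (kernel facility keyword is 'kern').
SERVER_CONF = "*.info;mail.none  /var/log/messages\n+log_client\nuser.*  /var/log/log_client.log\n"
CLIENT_CONF = "user.*  @log_server\nkern.warn  @log_server\n"
```

Running route() against a real /etc/syslog.conf before restarting the service is a quick way to confirm that a client line really forwards the facilities you expect and that the server writes them where you intend.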
