Centralized Syslog Configuration

Syslog Server Configuration

It's generally a good idea to have all hosts send their syslogs to a central server, where it's easy to coordinate monitoring of them (and where an intruder on one box can't quietly edit away the record of what they did, since the copy on the loghost is out of their reach). Setting up the centralized server to log everything to a single file also makes configuring tools like swatch much easier. I use /var/log/all.log as the catch-everything log file, and then point swatch at that.

Linux Syslog

Configure syslogd to log everything to one file by adding these lines to the end of /etc/syslog.conf (note you must use tabs, not spaces, between the selector and the action; older syslogd versions will not parse the rule otherwise). Every message that already matched an earlier rule is written a second time here, so all.log grows quickly and needs to be rotated:

# Redirect all logs to all.log for swatcher. 
*.*                     /var/log/all.log

You also have to configure syslogd to accept syslog messages from other hosts. This is disabled by default for security reasons: it opens an unauthenticated 514/udp listener, and anything that can reach that port can flood it or spoof messages into your logs. Enable it by adding the "-r" switch to syslogd. On a Red Hat style system the best way to do this is by editing /etc/sysconfig/syslog and adding this line ("-m 0" just turns off the periodic MARK messages that would otherwise clutter all.log):

SYSLOGD_OPTIONS="-r -m 0" 

Remember to restart syslog. Once -r is on, syslogd listens on 514/udp on every interface, so restrict that port to your own clients with a host firewall.
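As an added check (this script is not part of the original page), here is a small shell script that catches the two common mistakes in the server setup above: a syslog.conf rule whose selector and action are separated by spaces rather than a tab, and a sysconfig file in which -r never made it into SYSLOGD_OPTIONS. It runs against constructed copies of the two files in a temporary directory, so it can be tried without touching a live loghost; point the two functions at the real /etc/syslog.conf and /etc/sysconfig/syslog to check an actual server.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for the
# loghost setup. Runs against constructed copies of /etc/syslog.conf and
# /etc/sysconfig/syslog in a temp dir so it can be tried offline.

# Print (with line numbers) every rule in a syslog.conf whose selector and
# action are not separated by a tab. Older syslogd versions will not parse
# such a rule, so a space-separated "*.* /var/log/all.log" logs nothing.
space_separated_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        index($0, "\t") == 0 { print NR ": " $0 }   # no tab anywhere on the line
    ' "$1"
}

# Return 0 if SYSLOGD_OPTIONS in a Red Hat style sysconfig file contains
# -r (accept messages from other hosts), 1 otherwise.
syslogd_accepts_remote() {
    grep -E '^SYSLOGD_OPTIONS=.*[" ]-r[" ]' "$1" >/dev/null 2>&1
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed syslog.conf: one correct (tab) rule and one broken (spaces) rule.
printf '# Redirect all logs to all.log for swatch.\n' >  "$workdir/syslog.conf"
printf '*.*\t/var/log/all.log\n'                      >> "$workdir/syslog.conf"
printf '*.* @loghost.domain.com\n'                    >> "$workdir/syslog.conf"

# Constructed sysconfig files: one as recommended above, one left at the default.
printf 'SYSLOGD_OPTIONS="-r -m 0"\n' > "$workdir/sysconfig-syslog"
printf 'SYSLOGD_OPTIONS="-m 0"\n'    > "$workdir/sysconfig-syslog-default"

echo "Rules without a tab separator (will be ignored):"
space_separated_rules "$workdir/syslog.conf"
if syslogd_accepts_remote "$workdir/sysconfig-syslog"; then
    echo "-r present: syslogd will listen on 514/udp, restrict it to your clients"
else
    echo "-r missing: messages from other hosts will be refused"
fi
```

The tab check deliberately flags any rule line with no tab at all rather than trying to parse selectors, which is exactly the failure the page warns about and is cheap to run from a cron job after every config change.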

Swatch Configuration

Swatch is a Perl script which can be [downloaded here]; it watches log files for certain regular expressions and then performs an action when it sees a match. Read the swatch man page for details on configuring the /etc/swatchrc file. The rule below mails whenever the string "swatch test rule" appears in the log, and the throttle limits repeat mails for that regex to one an hour:

# Test rule to make sure it's all working 
watchfor /swatch test rule/
mail addresses=ashand,subject="[swatch]: test rule match" 
throttle 1:0:0,use=regex

Make sure swatch starts up at boot; a normal chkconfig/init.d setup is fine. Here are the recommended options to start swatch with (--restart-time makes it restart at midnight, so it keeps following all.log after the daily log rotation):

--daemon --config-file /etc/swatchrc --restart-time=00:00 --tail-file=/var/log/all.log 

Syslog Client Configuration

Linux Box

You have to configure your Linux boxes to send their syslog data to the remote host. The easiest way to do this is to forward everything to the central syslog server, however you can be more selective (e.g. only auth.* and kern.*) if you choose. To send everything, add this line to your /etc/syslog.conf and restart syslog. Leave the existing local rules in place: remote syslog is UDP, so anything sent while the loghost is unreachable is simply dropped, and the local copy is all you have for that gap.

# Send all log messages to loghost.domain.com 
*.*                     @loghost.domain.com
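Once the clients forward, the check worth running is whether every host you expect is actually arriving in all.log: a host that has gone silent may just be misconfigured, but a compromised box whose logging has been stopped looks exactly the same, so the absence of messages deserves an alert of its own. The added script below (not from the original page) does that over a constructed sample of all.log, and also counts hits for the swatch test rule from the swatchrc above. The host list and the log lines are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that every expected
# client shows up in the central all.log, and count swatch test-rule hits.

# Constructed sample of /var/log/all.log in classic syslog line format:
#   "Mon DD HH:MM:SS host program[pid]: message"
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
Sep 11 05:58:01 loghost syslogd 1.4.1: restart (remote reception).
Sep 11 05:58:30 web1 sshd[2201]: Accepted publickey for adam from 192.168.1.50 port 40022 ssh2
Sep 11 05:59:02 web1 sudo:     adam : TTY=pts/0 ; PWD=/home/adam ; USER=root ; COMMAND=/bin/ls
Sep 11 06:00:14 db1 kernel: eth0: link up
Sep 11 06:01:00 web1 adam: swatch test rule
EOF

# Hosts that are supposed to be forwarding to the loghost (constructed list).
expected_hosts="loghost web1 db1 mail1"

# Print "host count" for every host seen in the log. The hostname is the
# fourth whitespace-separated field; days under 10 are space-padded
# ("Sep  1"), but awk collapses runs of blanks so $4 is still the host.
hosts_seen() {
    awk '{ seen[$4]++ } END { for (h in seen) print h, seen[h] }' "$1" | sort
}

# Print each expected host that has not logged a single line.
silent_hosts() {
    log="$1"; shift
    for h in "$@"; do
        awk -v host="$h" '$4 == host { found = 1 } END { exit !found }' "$log" \
            || echo "$h"
    done
}

# Count lines that would fire the "swatch test rule" rule in /etc/swatchrc.
swatch_test_matches() {
    grep -c 'swatch test rule' "$1"
}

echo "Messages per host:"
hosts_seen "$sample_log"
echo "Expected hosts with no messages:"
silent_hosts "$sample_log" $expected_hosts
echo "swatch test rule hits: $(swatch_test_matches "$sample_log")"
```

On a real loghost, run silent_hosts against the current all.log from cron with your real host list; anything it prints is either a client whose syslog.conf forwarding rule is broken or a box that has stopped talking for a less innocent reason, and both are worth a look.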

Foundry Switch

You can configure a Foundry switch to send its logs to a syslog server. Fortunately you can give a hostname for the server; unfortunately the switch just does a DNS lookup when you enter the command and saves the resulting IP in the config file, so if the loghost's address ever changes you have to re-enter the logging command.

telnet@foundry>en 
Password:
telnet@foundry#conf t
telnet@foundry(config)#logging loghost.domain.com
Translating host loghost.domain.com ....
Type Control-c to abort
Sending DNS Query to 192.168.1.2
SYSLOG server address 192.168.1.10 resolved
telnet@bigsteel(config)#exit
telnet@bigsteel#write mem
.Write startup-config in progress.
.Write startup-config done.
Sync config data in flash...Done


CategorySoftware

CentralizedSyslog (last edited 2003-09-11 06:02:13 by AdamShand)