Setup syslog-ng

General Information

At work we have a few Linux machines that are used for various things like dns and firewalling. Adidas Superstar ugg australia pas cher nike air huarache soldes chaussures ugg femme new balance running new balance homme It is a pain to log into each one of these machines when you have to troubleshoot something.


  1. Local root access on the box or be able to su to root.
  2. A SSH client that supports ANSI colors such as puTTy or SecureCRT (if you aren’t on the box).
  3. Your favorite text editor.


The syslogd on both FreeBSD and Linux seem to be a little bit limited ( as far as I could figure out ). nike dunk Nike Pour Homme chaussure adidas nike air pegasus ugg pas cher ugg classic mini Let’s start by installing syslog-ng.

 # cd /usr/ports/sysutils/syslog-ng # make install clean 

This should create a sample configuration file: /usr/local/etc/syslog-ng/syslog-ng.conf.sample which I typically copy over to be my real config.

 # cd /usr/local/etc/syslog-ng/ # cp syslog-ng.conf.sample syslog-ng.conf 

Tell the startup scripts that it is okay to start syslog-ng by adding

 syslogd_enable=”NO” syslog_ng_enable=”YES” 

to /etc/rc.conf

This will also stop the default syslogd from starting up.

The sample configuration will configure syslog-ng to act just like the old syslogd. nike air max air max homme nike internationalist nike air max femme air jordan soldes adidas ultra boost All the file locations will be the same in /var/log.

syslog-ng basically has four types of statements (maybe more)

  1. a source(where the logs are coming from)
  2. a destination(where to send the log entry to – they can even be sent to another program!)
  3. a filter(usually used to filter the syslog facility)
  4. the actual log statment(connects the source / filter / destination together)

an example:

source net { udp(); }; # incoming logs from udp port 514 destination messages { file(”/var/log/messages”); }; # Duh, /var/log/messages filter f_notice { level(notice..emerg); }; # What to allow through log { source(net); filter(f_notice); destination(messages); }; # Send notices from udp 514 to /var/log/messages 

In my configuration I have added a destination for all the remote hosts that report to my loghost.

 destination remote { file(”/var/log/remote/$YEAR/$MONTH/$DAY/$HOST.log” owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)); }; 

This will create a directory and file like /var/log/remote/2006/09/20/hostname.log with all their syslog messages in it.

You can see my entire config here.

On the remote machines I simply add *.* to /etc/syslog.conf. nike air max classic bw ugg soldes nike chaussure adidas superstar new balance gris adidas zx flux This will send everything over to the loghost machine.

Now it is time to install splunk, but before you do that there is one more port to install.

 # cd /usr/ports/misc/compat5x # make install clean 

The splunk install (splunk-2.0.15-freebsd-installer.bin) wouldn’t work without it.

Now download the FreeBSD splunk installer, make it executable, and run. Officiel Christian Louboutin nike air huarache adidas superstar ugg pour homme nike roshe run asics gel kinsei 6 It will ask you a bunch of questions, too many to explain here.

Speak Your Mind