Setup syslog-ng

General Information

At work we have a few Linux machines that are used for various things like DNS and firewalling. It is a pain to log into each one of these machines when you have to troubleshoot something.

Requirements

  1. Local root access on the box or be able to su to root.
  2. An SSH client that supports ANSI colors such as PuTTY or SecureCRT (if you aren’t on the box).
  3. Your favorite text editor.

Installation

The syslogd on both FreeBSD and Linux seems a little limited (as far as I could figure out). Let’s start by installing syslog-ng.

# cd /usr/ports/sysutils/syslog-ng
# make install clean

This should create a sample configuration file: /usr/local/etc/syslog-ng/syslog-ng.conf.sample which I typically copy over to be my real config.

# cd /usr/local/etc/syslog-ng/
# cp syslog-ng.conf.sample syslog-ng.conf

Tell the startup scripts that it is okay to start syslog-ng by adding

syslogd_enable="NO"
syslog_ng_enable="YES"

to /etc/rc.conf

This will also stop the default syslogd from starting up.

The sample configuration will configure syslog-ng to act just like the old syslogd. All the file locations will be the same in /var/log.

syslog-ng configuration is built from (at least) four kinds of statements:

  1. a source (where the logs come from)
  2. a destination (where to send the log entry – it can even be sent to another program!)
  3. a filter (usually used to select messages by syslog facility)
  4. the actual log statement (connects the source, filter and destination together)

an example:

source net { udp(); }; # incoming logs from udp port 514
destination messages { file("/var/log/messages"); }; # Duh, /var/log/messages
filter f_notice { level(notice..emerg); }; # What to allow through
log { source(net); filter(f_notice); destination(messages); }; # Send notices from udp 514 to /var/log/messages

In my configuration I have added a destination for all the remote hosts that report to my loghost.

destination remote {
    file("/var/log/remote/$YEAR/$MONTH/$DAY/$HOST.log"
         owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
};

This will create a directory and file like /var/log/remote/2006/09/20/hostname.log with all their syslog messages in it.
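Putting the four statement types together, here is a complete loghost configuration in the same style. It is an added example, not the author's config: the listener address 192.0.2.10 and the FreeBSD socket paths are assumptions. Anyone who can reach udp/514 can write into these per-host files, so the listener is bound to one address and, via keep_hostname(no), the file is named after the sending address rather than whatever hostname the packet itself claims.

```conf
# Added example loghost config for syslog-ng on FreeBSD.
# ASSUMED: 192.0.2.10 is this loghost's address; change it to yours.
options {
    use_dns(no);         # no reverse lookup per packet; $HOST stays an address
    keep_hostname(no);   # name the file by sender, not by the header in the message
    chain_hostnames(no); # do not append relay names to $HOST
};

# Local messages: the FreeBSD log sockets, the kernel, and syslog-ng itself.
source local {
    unix-dgram("/var/run/log");
    unix-dgram("/var/run/logpriv" perm(0600));
    file("/dev/klog");
    internal();
};

# Remote machines send *.* here over udp/514; bind to one address only.
source net { udp(ip(192.0.2.10) port(514)); };

filter f_notice { level(notice..emerg); };

destination messages { file("/var/log/messages"); };

# One file per sender per day; gid 0 on FreeBSD is wheel, not root.
destination remote {
    file("/var/log/remote/$YEAR/$MONTH/$DAY/$HOST.log"
         owner(root) group(wheel) perm(0600) dir_perm(0700) create_dirs(yes));
};

# Local notices and above go to /var/log/messages; everything remote is kept
# apart so a chatty or compromised client cannot flood the local log.
log { source(local); filter(f_notice); destination(messages); };
log { source(net); destination(remote); };
```

Restart with `/usr/local/etc/rc.d/syslog-ng restart` after editing, and pair the udp/514 listener with a firewall rule that only admits your own machines.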

You can see my entire config here.

On the remote machines I simply add *.* @xxx.xxx.xxx.xxx to /etc/syslog.conf. This will send everything over to the loghost machine.

Now it is time to install splunk, but before you do that there is one more port to install.

# cd /usr/ports/misc/compat5x
# make install clean

The splunk install (splunk-2.0.15-freebsd-installer.bin) wouldn’t work without it.

Now download the FreeBSD splunk installer, make it executable, and run it. It will ask you a bunch of questions, too many to explain here. You can find out more information at http://www.splunk.com.

Finally open up the firewall for port 8000, which splunk listens on, and point your browser to loghost:8000.

Good luck
