Aug 29, 2008
Centralized Syslog With FreeBSD
It is impossible to keep track of log files across a large number of servers by hand. To help with this, syslog can forward all messages to a single server, which makes tracking and filtering much easier and cuts the time needed to check the logs, since only one login is required. This article covers only the default syslog server that ships with FreeBSD. There are other ways of centralizing, viewing, and beautifying logs, such as syslog-ng and php-syslog-ng, which will not be covered here.
In this example we'll use a made-up environment with only the central syslog server and a single workstation, for simplicity. Our small network's syslog server will be fbsd-syslog with an IP of 192.168.0.10, and the workstation will be called fbsd-wrk with an IP of 192.168.0.11.
First we must tell the central server to accept messages from fbsd-wrk. To do this we append to /etc/syslog.conf. It is always a good idea to back up the original file to something like /etc/syslog.conf.bak in case things go wrong. Add the following to the end of /etc/syslog.conf on the central server (fbsd-syslog).
!*
+192.168.0.11
*.* /var/log/messages
This is simplicity at its finest. The !* line clears any program filter, +192.168.0.11 restricts the lines that follow to messages arriving from the workstation, and *.* (every facility at every level) writes those messages to /var/log/messages. By default each facility is logged to a different location. For example, the stock FreeBSD syslog.conf has a line reading cron.* /var/log/cron, which sends every message from the cron facility to /var/log/cron. We could keep the cron messages from our workstation (fbsd-wrk) in their own file by doing the following.
!*
+192.168.0.11
cron.* /var/log/cron.fbsd-wrk
*.* /var/log/messages
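To make the host-block semantics concrete, here is an added Python script (not from the article) that parses a constructed copy of the central server's syslog.conf and reports which files a given message lands in. It assumes only +host and !program block lines and plain facility.level selectors (no -host exclusions and no =, ! or .none level modifiers).

```python
"""Added example: resolve where a FreeBSD-style syslog.conf sends a message."""
from fnmatch import fnmatch
# syslog priorities from most to least severe; 'cron.notice' matches notice
# and everything more severe, which is how syslogd compares levels.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed copy of the central server's syslog.conf: two stock lines
# followed by the per-host block from the article.
SAMPLE_CONF = """\
cron.*                  /var/log/cron
*.notice;kern.debug     /var/log/messages
!*
+192.168.0.11
cron.*                  /var/log/cron.fbsd-wrk
*.*                     /var/log/messages
"""

def parse(conf):
    """Return (host_spec, program_spec, selectors, action) tuples.
    Assumption: only '+host' and '!program' block lines and plain
    facility.level selectors are handled (no '-host', '=', '!' or '.none')."""
    host, prog, rules = "*", "*", []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("+"):       # '+host' applies until the next '+' line
            host = line[1:]            # ('+*' means every host again)
            continue
        if line.startswith("!"):       # '!prog' likewise; '!*' resets it
            prog = line[1:]
            continue
        selector, action = line.split()
        rules.append((host, prog, selector.split(";"), action))
    return rules

def selector_matches(selector, facility, level):
    fac, lvl = selector.split(".")
    if fac not in ("*", facility):
        return False
    return lvl == "*" or LEVELS.index(level) <= LEVELS.index(lvl)

def destinations(rules, host, program, facility, level):
    """Every action that receives the message (syslogd writes to all of them)."""
    return [action for h, p, selectors, action in rules
            if fnmatch(host, h) and fnmatch(program, p)
            and any(selector_matches(s, facility, level) for s in selectors)]

RULES = parse(SAMPLE_CONF)
```

Keep in mind that the configuration file only selects messages; on FreeBSD, syslogd must also be started with -a 192.168.0.11 (the syslogd_flags setting in /etc/rc.conf) before it will accept datagrams from the workstation at all.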
There are many more facilities and applications besides cron that send messages, and any of them can be directed to a different file as above; a little searching will turn up the details. Continuing with our simple example of receiving all messages and writing them to /var/log/messages, we now need to tell fbsd-wrk to send its messages to fbsd-syslog. To do this, fbsd-wrk's /etc/syslog.conf must be modified to read as follows.
*.* @192.168.0.10
That is all that should be present in fbsd-wrk's /etc/syslog.conf. Now restart syslogd on both machines by running the following as root.
# /etc/rc.d/syslogd restart
To verify that this worked, log into the central syslog server (fbsd-syslog in our example) and type the following.
# tail -f /var/log/messages
In another terminal, log into the workstation (fbsd-wrk in our example) and type the following.
# logger hello world
Our "hello world" message should appear in the `tail` running on the central server. If the syslog server receives a lot of log entries, the log files may be rotated too frequently; this can be remedied by changing the "size" column for that file in /etc/newsyslog.conf. That's it, enjoy.