Step By Step Configuration of syslog server
An important part of maintaining a secure system is keeping track of the activities that take place on the system. If you know what usually happens, such as understanding when users log into your system, you can use log files to spot unusual activity. You can configure what syslogd records through the /etc/syslog.conf configuration file.
The syslogd daemon manages all the logs on your system and coordinates with any of the logging operations of other systems on your network. Configuration information for syslogd is held in the /etc/syslog.conf file, which contains the names and locations for your system log files.
By default, the system accepts only logs generated on the local host. In this example we will configure a log server that accepts logs from clients.
For this example we are using two systems: one Linux server and one Linux client. To complete the prerequisites of the log server, follow this link:
basic network configurations Example and Implementations ip configurations hosts files portmap xinetd services
- A linux server with ip address 192.168.0.254 and hostname Server
- A linux client with ip address 192.168.0.1 and hostname Client1
- Updated /etc/hosts file on both linux system
- Running portmap and xinetd services
- Firewall should be off on server
We suggest you review that article before starting the configuration of the log server. Once you have completed the necessary steps, follow this guide.
Check that the syslog, portmap and xinetd services are turned on in system services:
#setup
Select System service from the list
[*] portmap
[*] xinetd
[*] syslog
Now restart the xinetd and portmap services.
To keep these services on after reboot, turn them on via the chkconfig command.
After reboot, verify their status. They must be in running condition.
Now open the /etc/sysconfig/syslog file and locate the SYSLOGD_OPTIONS tag.
Add the -r option to this tag to accept logs from clients. The options are documented in the file itself:
-m 0 disables 'MARK' messages.
-r enables logging from remote machines
-x disables DNS lookups on messages recieved with -r
After saving the file, restart the service with the service syslog restart command.
On the Linux client, ping the log server and open the /etc/syslog.conf file.
Now go to the end of the file and add an entry for the server as user.* @[server IP], as shown in the image.
After saving the file, restart the service with the service syslog restart command.
Now restart the client so it can send log entries to the server. (Note that these logs are generated when the client boots, so do a restart, not a shutdown.)
Check the client's logs on the log server.
Open /var/log/messages on the server; at the end of this file you can see the logs from the client.
=====================================================================
Alternatively, the configuration below can be used to set up the syslog server and client.
=====================================================================
Centralized log server (syslog server)
Suppose we have a server and 5 client machines, and we want to monitor the logs of all those client machines. In situations like this, we use a centralized server as a log server. Whatever events happen on the client machines, the logs are sent to the server, so that we can monitor all the logs from one central place. We use the syslog service for this.
Features of syslog:
1. Logs the daemon information to localhost
2. Logs the daemon information to Remote host
3. Logs the daemon information to List of users
4. Logs the daemon information to console
The installation package is sysklogd:
[root@apache ~]# rpm -q sysklogd
sysklogd-1.4.1-44.el5
[root@apache ~]#
Or you can check as follows:
[root@apache ~]# rpm -qf /etc/syslog.conf
sysklogd-1.4.1-44.el5
[root@apache ~]#
Starting the syslog daemon
[root@apache ~]# /etc/init.d/syslog start
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
[root@apache ~]#
Checking the process name; it is syslogd:
[root@apache ~]# ps -ax | grep syslog
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.7/FAQ
5190 ? Ss 0:00 syslogd -m 0
5210 pts/0 S+ 0:00 grep syslog
[root@apache ~]#
Configuration of server machine (syslog server)
Service name: syslog
configuration file: /etc/sysconfig/syslog
Steps:
1. Open the /etc/sysconfig/syslog file and add "-r" option to the variable SYSLOGD_OPTIONS as shown below.
[root@server ~]# cat /etc/sysconfig/syslog
# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages recieved with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-r -m 0"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-x"
#
SYSLOG_UMASK=077
# set this to a umask value to use for all log files as in umask(1).
# By default, all permissions are removed for "group" and "other".
[root@server ~]#
2. Restart the syslog service.
[root@server ~]# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
[root@server ~]#
Configuration for client machines
service name: syslog
Configuration file: /etc/syslog.conf
Each line of the configuration file /etc/syslog.conf has two parts.
Eg:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
[selector field (facility.priority)] [action field]
They are the selector field and the action field. The selector field is again divided into two: facilities and priorities.
Facility examples are authpriv, kern, mail, local7 etc.
The priority is one of the following, in ascending order: debug(0), info, notice, warning(warn), error(err), crit, alert, emerg(panic(7)).
Actions can be regular files, the console, a list of users, a remote machine IP etc.
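To make the selector rules concrete, here is an added example (not from the original post) that evaluates a syslog.conf the way sysklogd does: a named priority matches that priority and everything more severe, none excludes a facility, * matches every priority, and a later selector on the same line overrides an earlier one for the same facility. The embedded configuration is a constructed sample mirroring the client file shown in this post; the = and ! selector modifiers are not handled.

```python
# Priorities in ascending order, as listed above; aliases resolve warn/error/panic.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
# Constructed sample that mirrors the client /etc/syslog.conf shown in the post.
CLIENT_CONF = """\
*.* @192.168.0.19
*.info;mail.none;authpriv.none;cron.none /var/log/messages
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
"""

def prio_level(name):
    return PRIORITIES.index(ALIASES.get(name, name))  # debug=0 ... emerg=7

def parse_conf(text):
    """Return [(thresholds, action)]; thresholds maps a facility (or '*') to the
    minimum level that matches, or None when the facility is excluded."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        selector, action = line.split(None, 1)
        thresholds = {}
        for part in selector.split(";"):  # later parts override earlier ones
            facilities, prio = part.rsplit(".", 1)
            for fac in facilities.split(","):
                if prio == "none":
                    thresholds[fac] = None  # exclude this facility
                elif prio == "*":
                    thresholds[fac] = 0  # every priority
                else:
                    thresholds[fac] = prio_level(prio)  # this priority and higher
        rules.append((thresholds, action))
    return rules

def actions_for(rules, facility, priority):
    """Actions that fire for one message, in file order; an action starting with
    '@' means the message is forwarded to that remote syslog server."""
    level = prio_level(priority)
    hit = []
    for thresholds, action in rules:
        # A facility-specific entry (including 'none') overrides the '*' entry.
        threshold = thresholds.get(facility, thresholds.get("*"))
        if threshold is not None and level >= threshold:
            hit.append(action)
    return hit
```

With the sample file, a user.info message goes both to the remote server and to /var/log/messages, while an authpriv.emerg message skips /var/log/messages (authpriv.none) but still reaches the server and every logged-in user.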
Steps:
1. Open the configuration file /etc/syslog.conf and add an entry to redirect the logs to the remote server.
[root@vm1 ~]# cat /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
*.* @192.168.0.19
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
##authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
[root@vm1 ~]#
2. Restart the service
[root@vm1 ~]# service syslog restart
Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
[root@vm1 ~]#
Checking:
On the server, open a terminal and watch /var/log/messages, then restart the syslog service on the client.
[root@server ~]# tail -f /var/log/messages
Oct 15 14:42:30 vm1 kernel: Kernel logging (proc) stopped.
Oct 15 14:42:30 vm1 kernel: Kernel log daemon terminating.
Oct 15 14:42:31 vm1 exiting on signal 15
Oct 15 14:42:31 vm1 syslogd 1.4.1: restart.
Oct 15 14:42:31 vm1 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Fields in a log line from a remote machine:
Date Hostname Name_of_the_application: Actual_log_message
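As an added example (not part of the original post), the following parses lines in the layout above as sysklogd writes them to /var/log/messages and lists records whose hostname field is not a known client. The sample lines are the ones shown above plus one constructed line from a host named host9. Because syslogd -r accepts UDP datagrams from any sender and the hostname field is supplied by the sender, the check flags unexpected senders rather than proving where a line came from.

```python
import re

# One sysklogd /var/log/messages line: "Date Hostname Name_of_the_application: Actual_log_message".
# The "app[pid]: " tag is optional because lines such as "vm1 exiting on signal 15"
# carry none.
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<msg>.*)$"
)

# Constructed sample: the four lines shown in the post plus one line from a host
# that was never configured as a client.
SAMPLE_LINES = [
    "Oct 15 14:42:30 vm1 kernel: Kernel logging (proc) stopped.",
    "Oct 15 14:42:31 vm1 exiting on signal 15",
    "Oct 15 14:42:31 vm1 syslogd 1.4.1: restart.",
    "Oct 15 14:42:31 vm1 kernel: klogd 1.4.1, log source = /proc/kmsg started.",
    "Oct 15 14:43:02 host9 cron[1234]: (root) CMD (run-parts /etc/cron.hourly)",
]

def parse_line(line):
    """Split one line into date, host, app, pid and msg; None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec

def unexpected_hosts(lines, allowed):
    """Records whose hostname field is not one of the configured clients.
    syslogd -r accepts UDP datagrams from any sender and the hostname comes
    from the datagram, so this field is not authenticated; use it to spot
    unexpected senders, not to prove who sent a line."""
    return [rec for rec in map(parse_line, lines)
            if rec is not None and rec["host"] not in allowed]
```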
If the syslog port (514) is not open, check the steps below:
#iptables -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
#service iptables save
>> To flush iptables, use:
iptables -F
netstat -an | grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*
>> Verify that the port is open.
>> Run the following command:
netstat -tulpn | less
#service syslog restart