Koozali.org: home of the SME Server

How do you enable SYSLOG Forwarding?

Offline bloxguy

How do you enable SYSLOG Forwarding?
« on: September 19, 2014, 06:49:16 PM »
How do I take all of the information that is being written to /var/logs and send it to an upstream SYSLOG collector over port 514?

I would prefer not to have to install an agent (SPLUNK, LOGRHYTHM) to do this.
SYSLOG forwarding is a normal function of *NIX; just need to understand how to enable this on SME.

Any/All help is appreciated. Thanks!

Offline warren


Offline bloxguy

Re: How do you enable SYSLOG Forwarding?
« Reply #2 on: September 19, 2014, 09:15:18 PM »
Following the directions in the link... not sure if this was tested, but it doesn't work.
I've tested with the 00filenames as suggested and replaced with both IP and IP:PORT,
and the system is not relaying any information to the upstream SYSLOG server.

Moreover, this tip was for SME 7.x,
and I tested with Wireshark, and there is no traffic coming from the SME over SYSLOG/514.
« Last Edit: September 19, 2014, 09:26:38 PM by bloxguy »

guest22

Re: How do you enable SYSLOG Forwarding?
« Reply #3 on: September 19, 2014, 10:18:59 PM »
I'm sure somebody will pick up on this within the next 24 hours. Hang in there...

Offline warren

Re: How do you enable SYSLOG Forwarding?
« Reply #4 on: September 20, 2014, 11:26:12 AM »
Quote
Following the directions in the link... not sure if this was tested, but it doesn't work.
I've tested with the 00filenames as suggested and replaced with both IP and IP:PORT,
and the system is not relaying any information to the upstream SYSLOG server.

Moreover, this tip was for SME 7.x,
and I tested with Wireshark, and there is no traffic coming from the SME over SYSLOG/514.

the link was a starting point......

create the custom template
Code: [Select]
mkdir -p /etc/e-smith/templates-custom/etc/syslog.conf
In testing i want the following to go to a remote server  : auth  authpriv  daemon  kern  syslog

copy :
/etc/e-smith/templates/etc/syslog.conf/auth
/etc/e-smith/templates/etc/syslog.conf/authpriv
/etc/e-smith/templates/etc/syslog.conf/daemon
/etc/e-smith/templates/etc/syslog.conf/kern
/etc/e-smith/templates/etc/syslog.conf/syslog

to /etc/e-smith/templates-custom/etc/syslog.conf

Modify the fragments to look like :

Code: [Select]
authpriv.*                                      @192.168.1.170
Expand template
Code: [Select]
expand-template /etc/syslog.conf
Restart syslog
Code: [Select]
service syslog condrestart
Restart syslog on the remote machine as well

I now have logging details from main server ( 192.168.1.1) going to test server  ( 192.168.1.170 )

Code: [Select]
Sep 20 11:11:17 proxmoxsme kernel: Symbols match kernel version 2.6.18.
Sep 20 11:11:17 proxmoxsme kernel: No module symbols loaded - kernel modules not enabled.
Sep 20 11:11:32 192.168.1.1 exiting on signal 15
Sep 20 11:11:32 192.168.1.1 syslogd 1.4.1: restart.
Sep 20 11:11:32 192.168.1.1 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Sep 20 11:11:32 192.168.1.1 kernel: Inspecting /boot/System.map-2.6.18-371.12.1.el5
Sep 20 11:11:32 192.168.1.1 kernel: Loaded 30910 symbols from /boot/System.map-2.6.18-371.12.1.el5.
Sep 20 11:11:32 192.168.1.1 kernel: Symbols match kernel version 2.6.18.
Sep 20 11:11:32 192.168.1.1 kernel: No module symbols loaded - kernel modules not enabled.
Sep 20 11:12:00 192.168.1.1 mountd[26965]: Caught signal 15, un-registering and exiting.
Sep 20 11:12:00 192.168.1.1 kernel: nfsd: last server has exited
Sep 20 11:12:00 192.168.1.1 kernel: nfsd: unexporting all filesystems
Sep 20 11:12:01 192.168.1.1 kernel: NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
Sep 20 11:12:01 192.168.1.1 kernel: NFSD: starting 90-second grace period
Sep 20 11:12:01 192.168.1.1 pptpd[27737]: MGR: Maximum of 100 connections reduced to 5, not enough IP addresses given
Sep 20 11:12:01 192.168.1.1 pptpd[27737]: MGR: Manager process started
Sep 20 11:12:01 192.168.1.1 pptpd[27737]: MGR: Maximum of 5 connections available
Sep 20 11:12:01 192.168.1.1 dhcpd: Internet Systems Consortium DHCP Server V3.0.5-RedHat
Sep 20 11:12:01 192.168.1.1 dhcpd: Copyright 2004-2006 Internet Systems Consortium.
Sep 20 11:12:01 192.168.1.1 dhcpd: All rights reserved.
Sep 20 11:12:01 192.168.1.1 dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Sep 20 11:12:01 192.168.1.1 dhcpd: Wrote 0 deleted host decls to leases file.
Sep 20 11:12:01 192.168.1.1 dhcpd: Wrote 0 new dynamic host decls to leases file.
Sep 20 11:12:01 192.168.1.1 dhcpd: Wrote 55 leases to leases file.
Sep 20 11:12:02 192.168.1.1 dhcpd: Listening on LPF/eth0/a0:b3:cc:e1:81:00/192.168.1/24
Sep 20 11:12:02 192.168.1.1 dhcpd: Sending on   LPF/eth0/a0:b3:cc:e1:81:00/192.168.1/24
Sep 20 11:12:02 192.168.1.1 dhcpd: Sending on   Socket/fallback/fallback-net
Sep 20 11:12:15 192.168.1.1 mountd[27722]: Caught signal 15, un-registering and exiting.
Sep 20 11:12:15 192.168.1.1 kernel: nfsd: last server has exited
Sep 20 11:12:15 192.168.1.1 kernel: nfsd: unexporting all filesystems
Sep 20 11:12:15 192.168.1.1 kernel: NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
Sep 20 11:12:15 192.168.1.1 kernel: NFSD: starting 90-second grace period
Sep 20 11:12:15 192.168.1.1 pptpd[28042]: MGR: Maximum of 100 connections reduced to 5, not enough IP addresses given
Sep 20 11:12:15 192.168.1.1 pptpd[28042]: MGR: Manager process started
Sep 20 11:12:15 192.168.1.1 pptpd[28042]: MGR: Maximum of 5 connections available
Sep 20 11:12:16 192.168.1.1 dhcpd: Internet Systems Consortium DHCP Server V3.0.5-RedHat
Sep 20 11:12:16 192.168.1.1 dhcpd: Copyright 2004-2006 Internet Systems Consortium.
Sep 20 11:12:16 192.168.1.1 dhcpd: All rights reserved.
Sep 20 11:12:16 192.168.1.1 dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Sep 20 11:12:16 192.168.1.1 dhcpd: Wrote 0 deleted host decls to leases file.
Sep 20 11:12:16 192.168.1.1 dhcpd: Wrote 0 new dynamic host decls to leases file.
Sep 20 11:12:16 192.168.1.1 dhcpd: Wrote 55 leases to leases file.
Sep 20 11:12:16 192.168.1.1 dhcpd: Listening on LPF/eth0/a0:b3:cc:e1:81:00/192.168.1/24
Sep 20 11:12:16 192.168.1.1 dhcpd: Sending on   LPF/eth0/a0:b3:cc:e1:81:00/192.168.1/24
Sep 20 11:12:16 192.168.1.1 dhcpd: Sending on   Socket/fallback/fallback-net



to undo, remove custom templates and restart syslog


Note: on the test server I opened UDP and TCP port 514, and forwarded incoming traffic from 192.168.1.1 to localhost on the test server;

also created custom template on the test server :
Code: [Select]
mkdir -p /etc/e-smith/templates-custom/etc/sysconfig/syslog

with fragment :
10NoMARKs

containing :
Code: [Select]
cat /etc/e-smith/templates-custom/etc/sysconfig/syslog/10NoMARKs
Code: [Select]
# we don't want the MARK ticks
SYSLOGD_OPTIONS="-r -m 0"
« Last Edit: September 20, 2014, 11:34:47 AM by warren »
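A scripted version of the sender-side and receiver-side template steps described in the post above, added here as an example; it is not code from the post or from the SME Server project. It assumes the stock template tree under /etc/e-smith/templates and the custom tree under /etc/e-smith/templates-custom (both overridable through environment variables so the functions can be exercised in a scratch directory), 192.168.1.170 as the collector, and the five facilities used in the post. Unlike the fragment in the post, which replaces the stock line, write_forward_fragment keeps whatever the stock fragment already writes locally (an assumed line such as `authpriv.* /var/log/secure`) and appends the `@collector` line, so local logging under /var/log is not lost when forwarding is enabled. The script name `forward.sh` is also an assumption.

```shell
#!/bin/sh
# Added example, not from the forum post or SME Server. Generates the
# e-smith templates-custom fragments that add a remote syslog destination
# for a set of facilities (sender) and the sysconfig fragment that makes
# sysklogd listen on UDP/514 (receiver), then expands and restarts.
# Assumptions: the tree layout below, collector 192.168.1.170, and the
# facilities auth authpriv daemon kern syslog from the post.
TEMPLATE_ROOT="${TEMPLATE_ROOT:-/etc/e-smith/templates}"
CUSTOM_ROOT="${CUSTOM_ROOT:-/etc/e-smith/templates-custom}"

# write_forward_fragment FACILITY COLLECTOR
# Writes $CUSTOM_ROOT/etc/syslog.conf/FACILITY containing the stock
# fragment's lines (local file destination, if a stock fragment exists)
# followed by "FACILITY.*<TAB>@COLLECTOR". sysklogd 1.4.1 understands
# "@host" only (UDP to port 514); do not pass a host:port value.
write_forward_fragment() {
    facility="$1"
    collector="$2"
    src="$TEMPLATE_ROOT/etc/syslog.conf/$facility"
    dstdir="$CUSTOM_ROOT/etc/syslog.conf"
    mkdir -p "$dstdir"
    {
        if [ -f "$src" ]; then
            cat "$src"   # keep the local destination from the stock template
        fi
        printf '%s.*\t@%s\n' "$facility" "$collector"
    } > "$dstdir/$facility"
}

# Receiver side: -r accepts remote datagrams on UDP/514, -m 0 disables
# the "-- MARK --" lines, as in the post's 10NoMARKs fragment.
write_receiver_fragment() {
    dstdir="$CUSTOM_ROOT/etc/sysconfig/syslog"
    mkdir -p "$dstdir"
    printf '# we do not want the MARK ticks\nSYSLOGD_OPTIONS="-r -m 0"\n' \
        > "$dstdir/10NoMARKs"
}

# count_remote_targets COLLECTOR: number of custom syslog.conf fragments
# that forward to COLLECTOR, a quick sanity check before expanding.
count_remote_targets() {
    grep -l "@$1\$" "$CUSTOM_ROOT/etc/syslog.conf"/* 2>/dev/null | wc -l | tr -d ' '
}

# Only meaningful on an SME box: render the templates and restart syslog.
apply_forwarding() {
    expand-template /etc/syslog.conf
    expand-template /etc/sysconfig/syslog
    service syslog condrestart
}

# verify_forwarding COLLECTOR: emit one authpriv message and watch the wire
# for a datagram to the collector. No packet within 3 seconds means the
# fragments were not expanded or syslog was not restarted.
verify_forwarding() {
    tcpdump -lni any -c 1 "udp and dst host $1 and dst port 514" &
    pid=$!
    sleep 1
    logger -p authpriv.notice "syslog-forward-test $$"
    sleep 3
    kill "$pid" 2>/dev/null   # still running: nothing was captured
}

if [ "${1:-}" = "apply" ]; then
    for f in auth authpriv daemon kern syslog; do
        write_forward_fragment "$f" "${2:-192.168.1.170}"
    done
    apply_forwarding
fi
```

Run `sh forward.sh apply 192.168.1.170` on the sender, then `verify_forwarding 192.168.1.170` from the same shell after sourcing the script; the receiver only needs write_receiver_fragment followed by expand-template /etc/sysconfig/syslog and a syslog restart. Two caveats a practitioner should keep in mind: sysklogd 1.4.1, the version shown in the captured log, sends over UDP to port 514 only and reads everything after `@` as a hostname, so the `@host:port` form is rsyslog syntax and fails silently here; and UDP syslog is unauthenticated and unencrypted, with `-r` making the receiver accept datagrams from any source, so restrict UDP/514 on the collector to the sender's address as the post does and do not treat forwarded lines as tamper-evident.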

guest22

Re: How do you enable SYSLOG Forwarding?
« Reply #5 on: September 20, 2014, 12:26:30 PM »
the link was a starting point......

Added to the wiki http://wiki.contribs.org/SYSLOG_Forwarding

@warren, thanks. Would you be able to check/verify the wiki content please?

TIA

guest

Offline stephdl

Re: How do you enable SYSLOG Forwarding?
« Reply #6 on: September 20, 2014, 12:29:40 PM »
Someone to try for SME 9?
@hwang you battle me for the wiki editing :)
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Offline warren

Re: How do you enable SYSLOG Forwarding?
« Reply #7 on: September 20, 2014, 02:19:11 PM »
Added to the wiki http://wiki.contribs.org/SYSLOG_Forwarding

@warren, thanks. Would you be able to check/verify the wiki content please?

TIA

guest

May need to clarify this : ( add expanding of /etc/sysconfig/syslog )

Quote
The new templates need to be expanded by:

expand-template /etc/syslog.conf
expand-template /etc/sysconfig/syslog



guest22

Re: How do you enable SYSLOG Forwarding?
« Reply #8 on: September 20, 2014, 03:17:50 PM »
May need to clarify this : ( add expanding of /etc/sysconfig/syslog )

Done, thanks.

Offline warren

Re: How do you enable SYSLOG Forwarding?
« Reply #9 on: September 20, 2014, 05:16:05 PM »
Done, thanks.


@hwang
Thank you for adding this to the wiki / docs . All of us benefit from this  :)