Thursday, March 3, 2011

A simple way to set up a centralised log server in Linux

In Linux, rsyslog can forward the logs of many machines over UDP or TCP to a single machine (the centralised log server).
We need to configure two kinds of machine:
1. Server machine - the centralised log server where all the logs are stored.
2. Client machine - each machine that sends its logs to the server.

Server side configuration:
1. Open /etc/rsyslog.conf and find the "$ModLoad" lines under the 'MODULES' section.

2. If you want to receive the logs over UDP, uncomment the following two lines (remove the leading #):
$ModLoad imudp
$UDPServerRun 514

3. If you want to receive the logs over TCP, uncomment these two lines instead (or as well):
$ModLoad imtcp
$InputTCPServerRun 514

Note: 514 is the port number (the standard syslog port); the clients must send to the same port. Once it is open, any host that can reach the server can write into its logs, and plain UDP syslog is unauthenticated and easy to spoof, so restrict the port to the client subnet with a firewall rule, and prefer TCP if you want to be sure messages are not silently dropped.

4. Edit /etc/default/rsyslog and set RSYSLOGD_OPTIONS="-r -x -c1"

Note: -r <- allow remote systems to log their entries into the server machine (UDP reception)
-x <- disable DNS lookups on messages received with -r
-c1 or -c2 <- compatibility mode (must not be -c3 or -c4, because in compatibility mode 3 or higher the -r option is no longer accepted; there the reception is configured only with the $ModLoad/$UDPServerRun directives above)

4.1 Restart rsyslog with $sudo /etc/init.d/rsyslog restart
4.2 Now do the client side configuration (below). When it is finished, restart rsyslog there as well with /etc/init.d/rsyslog restart
The remote logs should now be written on the log server machine; verify them with $tail /var/log/auth.log (switch user with su on the client machine and watch the corresponding entry appear in the server's auth.log).
If the remote logs still do not arrive, also try the following steps on the log-server machine.

5. Open /etc/default/syslogd (the defaults file of the older sysklogd, if it is present) and set SYSLOGD="-r -m 0" (-r accepts remote messages, -m 0 turns off the periodic MARK lines).
Then repeat steps 4.1 & 4.2

6. Open /etc/init.d/rsyslog and set RSYSLOGD_OPTIONS="-r", then repeat steps 4.1 & 4.2




Client side configuration:
1. Back up /etc/rsyslog.conf under another name, e.g. $mv /etc/rsyslog.conf /etc/rsyslog.conf.bak

2. Create a new /etc/rsyslog.conf with the following content (a single @ forwards over UDP; use @@ to forward over TCP to a server configured as in step 3):
*.* @Logserver_ipaddress:portnumber

Note: with only this one line the client keeps no local copy of its logs. If you want both, keep the original file and add the forwarding line at its end instead of replacing the file.
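Here is an added example, not code from the original post, that turns the server and client steps above into a small POSIX shell script: it prints the server-side listener lines, builds the client's forwarding rule for UDP or TCP, appends that rule to the existing /etc/rsyslog.conf instead of wiping it (so local logging survives and re-running adds no duplicate), and checks that the server is actually listening. The function names, the sample network 192.0.2.0/24 and the optional $AllowedSender line (a legacy rsyslog directive that restricts which hosts may log to the server) are my assumptions, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the rsyslog
# centralised-logging setup described above.
# Assumed, not from the post: all function names, the sample network
# 192.0.2.0/24, and appending the client rule rather than replacing the file.

# server_inputs PROTO PORT [ALLOWED_NET]
# Print the server-side rsyslog.conf lines for one listener.  With a third
# argument it also emits $AllowedSender, which limits the hosts that may write
# into the server's logs (a firewall rule on the port does the same job).
# Without some such restriction anyone who can reach the port can log.
server_inputs() {
    proto=$1; port=$2; net=${3:-}
    case "$proto" in
        udp) printf '$ModLoad imudp\n$UDPServerRun %s\n' "$port"
             [ -n "$net" ] && printf '$AllowedSender UDP, 127.0.0.1, %s\n' "$net" ;;
        tcp) printf '$ModLoad imtcp\n$InputTCPServerRun %s\n' "$port"
             [ -n "$net" ] && printf '$AllowedSender TCP, 127.0.0.1, %s\n' "$net" ;;
        *)   echo "server_inputs: proto must be udp or tcp" >&2; return 1 ;;
    esac
    return 0
}

# forward_rule SELECTOR PROTO HOST PORT
# Print the client-side rule.  rsyslog syntax: one @ forwards over UDP,
# two (@@) over TCP.  The port is validated so a typo does not silently
# send every log line to the wrong place.
forward_rule() {
    sel=$1; proto=$2; host=$3; port=$4
    case "$port" in
        ''|*[!0-9]*) echo "forward_rule: bad port '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "forward_rule: port out of range: $port" >&2; return 1
    fi
    case "$proto" in
        udp) printf '%s @%s:%s\n'  "$sel" "$host" "$port" ;;
        tcp) printf '%s @@%s:%s\n' "$sel" "$host" "$port" ;;
        *)   echo "forward_rule: proto must be udp or tcp" >&2; return 1 ;;
    esac
}

# append_rule FILE RULE
# Append RULE to FILE unless that exact line is already there, so the client
# keeps its local logging config and re-running adds no duplicate rule.
append_rule() {
    file=$1; rule=$2
    if grep -qxF -- "$rule" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$file"
}

# count_forward_rules FILE -> number of active (uncommented) forwarding lines
count_forward_rules() {
    grep -cE '^[^#].*[[:space:]]@@?[^[:space:]]+' "$1" 2>/dev/null || true
}

# server_listening PROTO PORT -> run on the server after the restart; succeeds
# when rsyslogd has the socket open (uses ss from iproute2).
server_listening() {
    case "$1" in udp) f=u ;; tcp) f=t ;; *) return 2 ;; esac
    ss -ln"$f" 2>/dev/null | grep -q ":$2[[:space:]]"
}

# On the client, "sh this.sh apply SERVER_IP [udp|tcp] [PORT]" as root installs
# the rule, restarts rsyslog and sends a test line that should then show up in
# the server's /var/log/auth.log.  Nothing below runs without the "apply" word.
if [ "${1:-}" = "apply" ]; then
    rule=$(forward_rule '*.*' "${3:-udp}" "$2" "${4:-514}")
    append_rule /etc/rsyslog.conf "$rule"
    /etc/init.d/rsyslog restart
    logger -p auth.notice "central logging test from $(uname -n)"
fi
```

The test message is sent to the auth facility on purpose: it lands in the same /var/log/auth.log that step 4.2 tells you to tail on the server, so a missing line there points at the network or the listener rather than at the client's local setup.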


That's it. :)
Note: The Linux distro I am using is BOSS-4.0 (Debian-based Linux)
