Could some kind soul please tell me how exactly one can send syslog to another machine.
Am I right in deducing that syslog has been replaced by rsyslog?
If so, I do not understand the instructions at the end of /etc/rsyslog.conf, which I assume are intended for remote logging:
---------------------------------------------------
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/spool/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1     # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
#$ActionQueueType LinkedList       # run asynchronously
#$ActionResumeRetryCount -1        # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
---------------------------------------------------
I looked briefly at /usr/share/doc/rsyslog-3.21.3/ but there are 90 html files there none of which seemed very likely to hold the required information.
I did not understand the README in this directory:
---------------------------------------------------
This file has been superseded by the files in the doc folder.
Please see doc/manual.html for further details.
If you are looking for install information doc/install.html is for you!
If you do not have the doc set, see http://www.rsyslog.com/doc
---------------------------------------------------
Where exactly is the doc folder?
I notice that there is no man entry for rsyslog but there are man entries for syslog and rsyslog.conf .
I am very confused ...
On Sun, 30 Nov 2008 15:08:35 +0000, Timothy Murphy tim@maths.tcd.ie wrote:
> I did not understand the README in this directory:
> This file has been superseded by the files in the doc folder.
> Please see doc/manual.html for further details.
> If you are looking for install information doc/install.html is for you!
> If you do not have the doc set, see http://www.rsyslog.com/doc
> Where exactly is the doc folder?
Just follow the link above since you have access to the internet.
> I notice that there is no man entry for rsyslog but there are man entries for syslog and rsyslog.conf.
Sometimes only the config files are found in the manual pages. It assumes that you know what the utility is about in the first place and that what is most interesting is how to use it, e.g. by tailoring the configuration file to your needs. Makes a lot of sense, I find.
Basically rsyslog works like syslog, but adds a few more options. So simply specify the server (and optional port) to start with and make a few tests by using the logger utility.
*.* @@remote-host:514
Replace remote-host with your remote syslog. 514 is the default well-known syslog port so unless you have set up something else, you can leave it there.
Don't forget to restart/reload rsyslog (or any other syslog daemon for that matter) after doing configuration changes. This sometimes can be done by simply sending the daemon a HUP signal:
killall -HUP daemon
or by restarting it altogether:
/etc/init.d/daemon restart
Hope this helps.
lanas wrote:
> Basically rsyslog works like syslog, but adds a few more options. So simply specify the server (and optional port) to start with and make a few tests by using the logger utility.
> *.* @@remote-host:514
> Replace remote-host with your remote syslog. 514 is the default well-known syslog port so unless you have set up something else, you can leave it there.
> Don't forget to restart/reload rsyslog (or any other syslog daemon for that matter) after doing configuration changes. This sometimes can be done by simply sending the daemon a HUP signal:
> killall -HUP daemon
> or by restarting it altogether:
> /etc/init.d/daemon restart
> Hope this helps.
Don't forget to configure the host you are logging to so that it will accept logging from an outside machine. By default, it probably doesn't.
Mikkel
Mikkel L. Ellertson wrote:
> lanas wrote:
> > Basically rsyslog works like syslog, but adds a few more options. So simply specify the server (and optional port) to start with and make a few tests by using the logger utility.
> > *.* @@remote-host:514
> > Replace remote-host with your remote syslog. 514 is the default well-known syslog port so unless you have set up something else, you can leave it there.
> > Don't forget to restart/reload rsyslog (or any other syslog daemon for that matter) after doing configuration changes. This sometimes can be done by simply sending the daemon a HUP signal:
> > killall -HUP daemon
> > or by restarting it altogether:
> > /etc/init.d/daemon restart
> > Hope this helps.
> Don't forget to configure the host you are logging to so that it will accept logging from an outside machine. By default, it probably doesn't.
Don't know about the syslog daemon, but it looks as if the firewall rules don't. The good thing about using a syslog machine is that the *times* match, the bad thing is that it's a single point of failure, and network connected as well. So for debugging network issues it's suboptimal. ;-)
Bill Davidsen wrote:
> Mikkel L. Ellertson wrote:
> > lanas wrote:
> > > Basically rsyslog works like syslog, but adds a few more options. So simply specify the server (and optional port) to start with and make a few tests by using the logger utility.
> > > *.* @@remote-host:514
> > > Replace remote-host with your remote syslog. 514 is the default well-known syslog port so unless you have set up something else, you can leave it there.
> > > Don't forget to restart/reload rsyslog (or any other syslog daemon for that matter) after doing configuration changes. This sometimes can be done by simply sending the daemon a HUP signal:
> > > killall -HUP daemon
> > > or by restarting it altogether:
> > > /etc/init.d/daemon restart
> > > Hope this helps.
> > Don't forget to configure the host you are logging to so that it will accept logging from an outside machine. By default, it probably doesn't.
> Don't know about the syslog daemon, but it looks as if the firewall rules don't. The good thing about using a syslog machine is that the *times* match, the bad thing is that it's a single point of failure, and network connected as well. So for debugging network issues it's suboptimal. ;-)
By default, most firewalls don't permit syslog, so you have to open UDP port 514 on the receiving machine.
Also, both the old syslogd and the newer rsyslogd have to have the "-r" option specified for them to actually listen to the network (the "-r" can also have a port number appended, e.g. "-r 514"). Not sure about ng-syslog, but I suspect the same is true.
On Red Hattish machines, options are passed to the syslog daemon by values stuffed into the "SYSLOGD_OPTIONS" line of either the "/etc/sysconfig/syslog" or "/etc/sysconfig/rsyslog" file (depending on which syslog daemon you're running). By default, you'll find
SYSLOGD_OPTIONS="-c 3" (/etc/sysconfig/rsyslog)
SYSLOGD_OPTIONS="-m 0" (/etc/sysconfig/syslog)
Prepend that with "-r" (e.g. SYSLOGD_OPTIONS="-r -c 3") and then do a "service syslog restart". It should start listening to the network.
--
Rick Stevens, Systems Engineer
Rick Stevens wrote:
> Also, both the old syslogd and the newer rsyslogd have to have the "-r" option specified for them to actually listen to the network (the "-r" can also have a port number appended, e.g. "-r 514"). Not sure about ng-syslog, but I suspect the same is true.
> On Red Hattish machines, options are passed to the syslog daemon by values stuffed into the "SYSLOGD_OPTIONS" line of either the "/etc/sysconfig/syslog" or "/etc/sysconfig/rsyslog" file (depending on which syslog daemon you're running). By default, you'll find
> SYSLOGD_OPTIONS="-c 3" (/etc/sysconfig/rsyslog)
> SYSLOGD_OPTIONS="-m 0" (/etc/sysconfig/syslog)
> Prepend that with "-r" (e.g. SYSLOGD_OPTIONS="-r -c 3") and then do a "service syslog restart". It should start listening to the network.
Thanks very much. It seems very complicated.
I wonder if I have taken the right steps?
1) I've uncommented and edited the line *.* @@192.168.2.2:514 in /etc/rsyslog.conf on the client laptop ("mary").
2) I see that the remote machine 192.168.2.2 ("helen"), which is running under Centos-5.2, is actually running syslog rather than rsyslog, and already has SYSLOGD_OPTIONS="-m 0 -r"
3) I've run sudo service rsyslog restart on mary, and sudo service syslog restart on helen for good measure.
4) I'm running shorewall on helen, so I've added Syslog/ACCEPT loc $FW to /etc/shorewall/rules on helen.
The net effect of all this seems to be that kernel messages are no longer being sent to /var/log/messages on mary, but they are not appearing on helen.
I notice that sudo telnet helen 514 fails. Does telnet only test tcp and not udp?
I tried sudo nmap -sU -F 192.168.2.2 but this never seems to return.
[Incidentally, I tried adding -r to /etc/sysconfig/rsyslog on mary, but she didn't like it, and said the -r option was ignored.]
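One detail worth checking in the four steps above: in rsyslog's legacy syntax a single @ forwards over UDP and @@ forwards over TCP, while the classic syslogd started with -r (step 2) opens a UDP listener only, so a client using @@ sends to a TCP port nobody is listening on (which is also why a telnet to port 514 would fail). The POSIX shell functions below are an added example, not code from anyone in this thread; they parse a forwarding line and a SYSLOGD_OPTIONS string and flag exactly that transport mismatch, using the hostnames and option strings from the thread as constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether the transport a
# client's rsyslog forwarding line uses matches what the receiver accepts.
# Assumes rsyslog legacy syntax: "@host[:port]" = UDP, "@@host[:port]" = TCP,
# and that the receiver is classic syslogd/rsyslogd started with -r, which
# opens a UDP listener only.

# fwd_transport '*.* @@192.168.2.2:514'  ->  "tcp 192.168.2.2 514"
fwd_transport() {
    set -f                          # "*.*" is a selector, not a glob
    set -- $1                       # split into selector and action
    set +f
    target=$2
    case $target in
        @@*) proto=tcp; target=${target#@@} ;;
        @*)  proto=udp; target=${target#@} ;;
        *)   return 1 ;;            # not a network forwarding action
    esac
    case $target in
        *:*) host=${target%%:*}; port=${target##*:} ;;
        *)   host=$target; port=514 ;;   # 514 is the well-known syslog port
    esac
    printf '%s %s %s\n' "$proto" "$host" "$port"
}

# receiver_accepts '-m 0 -r'  ->  "udp"; without -r nothing listens -> "none"
receiver_accepts() {
    case " $1 " in
        *" -r "*|*" -r"[0-9]*) echo udp ;;
        *)                      echo none ;;
    esac
}

# check_path '<forwarding line>' '<receiver SYSLOGD_OPTIONS>'
# exit 0 when the receiver can take what the client sends, 1 on a mismatch
check_path() {
    client=$(fwd_transport "$1") || return 1
    proto=${client%% *}
    [ "$proto" = "$(receiver_accepts "$2")" ]
}

# The thread's own values, used here as a constructed sample:
# mary forwards with @@ (TCP), helen's syslogd has "-m 0 -r" (UDP only).
if check_path '*.* @@192.168.2.2:514' '-m 0 -r'; then
    echo "transport OK"
else
    echo "MISMATCH: client sends TCP, receiver listens on UDP only (use '@' or add a TCP listener)"
fi
```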