
Tuesday, March 2, 2010

Debian 17

Syslog is included in most Linux distributions. It logs daemon, service, and application messages, and it can also send log messages to and receive them from other hosts on the network.
By default it listens only on the local Unix domain socket, but you can also enable it to accept log messages from the network over UDP port 514. On Debian, syslog is provided by the sysklogd daemon. Syslog automatically prepends a timestamp to each message.

Syslog's configuration is in /etc/syslog.conf. It is also known as the rules configuration file. The syslog.conf file contains two columns. The left column contain the rules (facilities and levels), and the right column specifies the destination (file, pipe, program, remote host).

Facilities include:
1) MAIL
2) AUTH, AUTHPRIV
3) LOCAL[0-7]
4) KERN
5) LPR

Levels are as follows:
0) Debug
1) Informational
2) Notice
3) Warning
4) Error
5) Critical
6) Alert
7) Emergency

*.* is a catch-all rule for ALL facilities at ALL levels. A selector of the form facility.none prevents messages from that facility from being routed to that destination, even if an earlier selector on the same line matched them.

We want syslog to listen on the network (internet) socket as well. To do this, add the -r option in /etc/default/syslogd; there is a hint inside the file showing where to put it. After this, we need to restart sysklogd:
/etc/init.d/sysklogd restart

After that, confirm that sysklogd is listening to UDP 514:
netstat -nulp

To configure your box to send syslog messages to another system:
1) Configure it to listen to UDP 512
2) Modify the rules to route to another box
3) Restart syslog

For example, if I have a Debian system listening on UDP 514 with the IP address 192.168.1.1, then I should have the following rule to send cron syslog messages to it:
cron.* @192.168.1.1

You can also use a host name such as @debiansystem1, but then we will need to add an entry to the /etc/hosts file:
192.168.75.175 debiansystem1

Cisco routers typically send messages using one of the "local" facilities. To log Cisco messages to their own file, add the rule:
local0.* /var/log/cisco
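As an added example (not part of the original post), the following Python evaluates syslog.conf rules the way the selectors described above work: it takes a facility and level and returns the destinations that would receive the message. The sample configuration is constructed from the cron and local0 rules in this post plus a typical catch-all line with .none exclusions; severity codes are the standard syslog values (0 = emerg ... 7 = debug).

```python
# Added example (not from the post): evaluate sysklogd-style selectors from
# /etc/syslog.conf. A rule is "selector[;selector...] destination", a selector
# is "facility[,facility...].level". A level matches that severity and all
# more severe ones, "*" matches everything, ".none" drops the facility, and
# selectors apply left to right, so a later ".none" overrides an earlier match.
# Severity codes are the standard syslog values (0 = emerg ... 7 = debug).
from typing import List, Optional, Tuple

LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
Selector = Tuple[str, Optional[int]]  # (facility, max severity code; None = none)

def parse_rule(line: str) -> Tuple[List[Selector], str]:
    """Split one rule line into its selectors and destination."""
    selectors, destination = line.strip().split(None, 1)
    parsed: List[Selector] = []
    for sel in selectors.split(";"):
        facilities, level = sel.rsplit(".", 1)
        code = None if level == "none" else (7 if level == "*" else LEVELS.index(level))
        parsed.extend((fac, code) for fac in facilities.split(","))
    return parsed, destination

def rule_matches(parsed: List[Selector], facility: str, level: str) -> bool:
    """The last selector that names the facility (or '*') decides."""
    matched = False
    code = LEVELS.index(level)
    for fac, max_code in parsed:
        if fac in ("*", facility):
            matched = max_code is not None and code <= max_code
    return matched

def route(conf: str, facility: str, level: str) -> List[str]:
    """Return every destination that receives a facility.level message."""
    dests = []
    for line in conf.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            parsed, dest = parse_rule(line)
            if rule_matches(parsed, facility, level):
                dests.append(dest)
    return dests

# Constructed sample configuration built from the rules in the post.
SAMPLE_CONF = """\
# forward cron to the central Debian box, log Cisco gear locally
cron.*\t@192.168.1.1
local0.*\t/var/log/cisco
*.info;mail.none;authpriv.none\t-/var/log/messages
authpriv.*\t/var/log/auth.log
"""
```

Run route(SAMPLE_CONF, "mail", "err") to see the .none exclusion in action: the catch-all line matches first, then mail.none overrides it, so nothing is returned.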

After doing this, restart sysklogd. Then configure the router as shown:
conf t
logging host 192.168.1.1
logging facility local0
logging trap 6
logging on

The trap level selects the least severe level that is sent; the router always logs the selected trap level together with every more severe level.
