By default syslog listens on a Unix domain socket, but it can also be enabled to receive log messages over the network on UDP port 514. Syslog is provided by the sysklogd daemon. Syslog automatically prepends a timestamp to each message.
Syslog's configuration is in /etc/syslog.conf, also known as the rules configuration file. Each rule in syslog.conf has two columns: the left column contains the selector (facility and level), and the right column specifies the destination (a file, pipe, program, or remote host).
Facilities include:
1) MAIL
2) AUTH, AUTHPRIV
3) LOCAL[0-7]
4) KERN
5) LPR
Levels, listed here from least to most severe, are as follows:
0) Debug
1) Informational
2) Notice
3) Warning
4) Error
5) Critical
6) Alert
7) Emergency
*.* is a catch-all selector that matches ALL facilities at ALL levels. A selector ending in .none (facility.none) prevents messages from that facility from being routed to the destination.
We want syslog to listen on the network socket as well. To do this, add -r to /etc/default/syslogd; the file contains a hint about where the -r belongs. After this, restart sysklogd:
/etc/init.d/sysklogd restart
After that, confirm that sysklogd is listening on UDP 514. Because -r accepts unauthenticated UDP messages from any host, limit which hosts can reach port 514 with a firewall:
netstat -nulp
To configure your box to send syslog messages to another system:
1) Configure the receiving system to listen on UDP 514
2) Modify the rules on the sending box to route messages to the receiver
3) Restart syslog
For example, if I have a Debian box listening on UDP 514 with the IP 192.168.1.1, then I need the following rule to send cron syslog messages to it:
cron.* @192.168.1.1
You can also use a host name such as @debiansystem1, but then the name must resolve, so we need to add it to the /etc/hosts file:
192.168.75.175 debiansystem1
Cisco routers typically send messages using one of the "local" facilities. To log Cisco messages to their own file, add the rule:
local0.* /var/log/cisco
After doing this, restart syslog. Then configure the router as shown (the facility name is written as one word in IOS):
conf t
logging host 192.168.1.1
logging facility local0
logging trap 6
logging on
Logging is always done for the selected trap level and all more severe levels, so logging trap 6 sends everything except debug messages.
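To make the selector semantics above concrete (the *.* catch-all, facility.none exclusions, and "selected level and more severe"), here is an added example that is not part of the original post: a small Python evaluator that tells you where a message with a given facility and severity would be routed under a set of syslog.conf rules. The sample configuration is constructed and mirrors the cron and local0 rules from the post.

```python
# Added example, not from the original post: evaluate sysklogd-style
# selectors ("*.*", "cron.*", "*.*;auth,authpriv.none") as syslog.conf does.
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
               "news", "uucp", "cron", "authpriv", "ftp"]
              + ["local%d" % i for i in range(8)])
# Syslog protocol severity codes: index 0 (emerg) is the most severe.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning",
              "notice", "info", "debug"]


def selector_matches(selector, facility, severity):
    """True if the selector routes this facility/severity; later ';' parts win."""
    sev_code = SEVERITIES.index(severity)
    matched = False
    for part in selector.split(";"):
        facs, level = part.rsplit(".", 1)
        # "*" means every facility; "auth,authpriv" names several at once.
        wanted = FACILITIES if facs == "*" else facs.split(",")
        if facility not in wanted:
            continue
        if level == "none":
            matched = False      # exclude this facility from the destination
        elif level == "*":
            matched = True
        else:
            # Selected level and everything more severe (smaller code).
            matched = sev_code <= SEVERITIES.index(level)
    return matched


def destinations(config_lines, facility, severity):
    """Return every destination a message would be routed to."""
    out = []
    for line in config_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, dest = line.split(None, 1)   # selector, then destination
        if selector_matches(selector, facility, severity):
            out.append(dest.strip())
    return out


# Constructed sample configuration mirroring the rules in the post.
SAMPLE_CONF = [
    "# forwarding and Cisco rules",
    "cron.*\t@192.168.1.1",
    "local0.*\t/var/log/cisco",
    "*.*;auth,authpriv.none\t/var/log/syslog",
    "mail.warning\t/var/log/mail.warn",
]
```

Running destinations(SAMPLE_CONF, "auth", "emerg") returns an empty list, which shows how a .none exclusion overrides the *.* catch-all that precedes it.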