Thursday, July 16, 2015

RHEL6 syslog (rsyslog) set up

syslog is used for message logging. It lets you save system-generated messages locally or redirect them to a remote system. Later, we can analyze the log to find the cause of an alert. By default it runs on port 514 UDP.

Syslog rules are written as facility.priority (e.g. mail, cron, authentication, etc.) followed by an action.
Config file: /etc/rsyslog.conf
Default port: 514 (confirm with the command below)
# grep 514 /etc/services

Facilities:
auth,authpriv,cron,daemon,kern,lpr,mail,mark,news,syslog,user,uucp,local0,local1,local2,local3,local4,local5,local6,local7

Priorities:
debug,info,notice,warning,err,crit,alert,emerg

Let's say our log server is 192.168.10.110


To log authentication messages (all priorities) to the log server:
authpriv.* @192.168.10.110:514

To log all emergency messages (all facilities) to the same log server:
*.emerg @192.168.10.110:514

To log everything (all facilities and all priorities):
*.* @192.168.10.110:514


Note: By default the transport is UDP. rsyslog can forward over either UDP or TCP; use @ for UDP and @@ for TCP:
@ = UDP
@@ = TCP

The same examples as above, forwarded over TCP:
authpriv.* @@192.168.10.110:514
*.emerg @@192.168.10.110:514
*.* @@192.168.10.110:514
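Before restarting rsyslog it is worth checking the forwarding rules you just wrote: a mistyped server address or a misspelled facility silently sends nothing useful to the log server. The script below is an added example, not from the original post; it parses legacy "facility.priority action" rules of the form shown above, validates facility and priority names against the lists given earlier, and reports rules that point somewhere other than the intended log server or still use UDP. The sample config and the log server address 192.168.10.110 are constructed for the example; options in parentheses after @ (e.g. @(z9)host) are not handled.

```python
import re

# Facilities and priorities rsyslog accepts in legacy selectors (as listed above).
FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
              "news", "syslog", "user", "uucp"} | {f"local{i}" for i in range(8)}
PRIORITIES = {"debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"}

def parse_rule(line):
    """Parse one 'facility.priority action' rule; None for blank, comment or $-directive lines."""
    line = line.strip()
    if not line or line.startswith(("#", "$")):
        return None
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    selector, action = parts[0], parts[1].strip()
    pairs = []
    for sel in selector.split(";"):            # 'a.b;c.d' joins several selectors
        fac_part, _, pri = sel.partition(".")
        for fac in fac_part.split(","):        # 'mail,news.err' shares one priority
            pairs.append((fac, pri.lstrip("=!")))   # '=' and '!' are priority modifiers
    if action.startswith("@@"):
        proto, target = "tcp", action[2:]
    elif action.startswith("@"):
        proto, target = "udp", action[1:]
    else:                                      # local file, pipe, user, etc.
        return {"pairs": pairs, "proto": "local", "host": None, "port": None}
    host, _, port = target.partition(":")
    return {"pairs": pairs, "proto": proto, "host": host, "port": int(port) if port else 514}

def check_config(text, log_server):
    """Return a list of findings (strings) for the rules in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        for fac, pri in rule["pairs"]:
            if fac != "*" and fac not in FACILITIES:
                findings.append(f"line {lineno}: unknown facility '{fac}'")
            if pri != "*" and pri not in PRIORITIES:
                findings.append(f"line {lineno}: unknown priority '{pri}'")
        if rule["proto"] == "local":
            continue
        if rule["host"] != log_server:
            findings.append(f"line {lineno}: forwards to {rule['host']}, expected {log_server}")
        if rule["proto"] == "udp":
            findings.append(f"line {lineno}: UDP forwarding (@) is unreliable; prefer @@ (TCP)")
    return findings

# Constructed sample config: a mistyped host on line 2 and a bogus selector on line 6.
SAMPLE = """\
# forward auth messages
authpriv.*    @192.168.10.10:514
*.emerg       @@192.168.10.110:514
mail,news.err @@192.168.10.110
*.*           @@192.168.10.110:514
local9.warnign /var/log/bogus
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE, "192.168.10.110"):
        print(finding)
```

Run it against the real file with `check_config(open("/etc/rsyslog.conf").read(), "192.168.10.110")`; an empty list means every forwarding rule targets the expected server over TCP with valid selector names.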

Once you have made the change, restart the service:
# service rsyslog restart

To verify it works, run the following commands on the client and check the log on your remote server (replace facility.priority with the selector you want to test):
# logger -p facility.priority "Testing remote logging"
# logger -p user.emerg "Testing logger on remote server"

On the remote server, tail the file in the directory where the logs are written:
# tail -f messages
Jul 16 12:10:05 hostname  userid: [ID 152207 user.emerg] Testing logger on remote server
