my Linux Syslog Server experience


kcbell

IS-IT--Management
Dec 27, 2001

I have been trying to set up a syslog server to collect syslog messages from all the routers and switches at work using the Linux OS. First of all, I am a beginner with Linux. I tried on RHLS/Fedora 5 and 6. I searched the web for information on how to set up a syslog server with Linux. I found the following.

1) vi /etc/init.d/sysklogd and change

syslog="" to syslog="-r -m 0" (the "-r" flag is to listen to remote hosts).

2) vi /etc/syslog.conf and add

"local7.* /var/log/cisco.log"

After I did the above, then I tried to generate some syslog messages with the Cisco switch. My Kiwisyslog server saw the messages but not my Linux server.

Now what?

I downloaded the Kiwi Syslog Generator for PC – a freeware. This is a MUST have tool if you are debugging your Syslog server.

After days of troubleshooting, the following are my findings:

- After days of trying on a Fedora 5 server, the above was working the first time when I set it up with a Debian server. Debian claims that their package is perfect for beginners to learn Linux because it installs only the very basic packages. Then you must install the packages that you need. It does not even give you the GUI. In that regard, I think they are right!

- The Fedora 5 /etc/init.d/syslog file has a bug - I think. Below is the section that I modified.

**********************************
# Source config
if [ -f /etc/sysconfig/syslog ] ; then
. /etc/sysconfig/syslog
else
SYSLOGD_OPTIONS="-m 0 -r"
KLOGD_OPTIONS="-2"
fi

SYSLOGD_OPTIONS="-m 0 -r"
KLOGD_OPTIONS="-2"
**********************************

I copied the two lines between the "else" and "fi" and pasted them below the "fi"; then I could see the "-m 0 -r" flags being executed when I checked the arguments field under "System Monitor".

Then it still did not work! Now what?

I used "tcpdump -nli eth0 udp port 514 -v" and saw that syslog messages did arrive at the NIC.
I used "netstat -a | grep syslog" to see that the syslog port was open and listening.

I thought the only thing left was, most likely, something blocking the port - but what? What is the name of the firewall for Linux? I looked at all the services that were running. I stopped "iptables", and then the syslog messages were scrolling up the screen with the "tail -f /var/log/cisco.log" command.

Next I will figure out what needs to be done to allow the syslog port to work with iptables.

I hope this helps some of you network folks who hesitate to ask the UNIX folks how to set up a syslog server using Linux. Some of my co-workers (UNIX admins) have never set up a centralized syslog server before. When I asked them how to do it, they laughed at me and went away. Now I know why - because they don't know how!

kcbell


 
I use ubuntu myself. It's like Debian, except easy to use. Firestarter is a popular firewall - have you checked to make sure that isn't running?

Interesting post! Keep us informed!
 
After reading your post I have been surfing the Internet and I could configure syslog on Mandrake 9.0; the switch that forwards the messages is a Catalyst 6500. My configuration is:

1° Set up the syslog server

On the system you want to use as the syslog server, edit the file /etc/sysconfig/syslog, and add '-r' as follows:

# Options to syslogd
# -m 0 disables 'MARK' messages.
# -r enables logging from remote machines
# -x disables DNS lookups on messages received with -r
# See syslogd(8) for more details
SYSLOGD_OPTIONS="-m 0 -r"
# Options to klogd
# -2 prints all kernel oops messages twice; once for klogd to decode, and
# once for processing with 'ksymoops'
# -x disables all klogd processing of oops messages entirely
# See klogd(8) for more details
KLOGD_OPTIONS="-2"

Now, restart syslog, and confirm that syslog is listening on port 514 (the syslog port):

root@ALVARO#service syslog restart

Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]
root@ALVARO#netstat -an|grep 514
udp 0 0 0.0.0.0:514 0.0.0.0:*

And I can add this to a separate file on the log server by adding the following to the /etc/syslog.conf file:

# Cisco router logging
local2.* -/var/log/cisco_switch.log

root@ALVARO#service syslog restart

Shutting down kernel logger: [ OK ]
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Starting kernel logger: [ OK ]

2° Syslog and Cisco Catalyst 6500

To get the Cisco switch (running Cisco IOS) to log to the syslog server, execute the following commands:

cat6500#conf t
cat6500(config)#ip host switchlog 192.168.1.2
cat6500(config)#logging host switchlog
cat6500(config)#logging trap notifications
cat6500(config)#logging facility local2
cat6500(config)#int gi2/20
cat6500(config-if)#logging link-status
cat6500(config-if)#logging spanning-tree status

- If ports are trunks

cat6500(config-if)#logging trunk-status
cat6500(config-if)#end
cat6500#

Then I did a test and it works!!!
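A small collector in Python, added here as an example (it is not code from any post in this thread), showing what the `local7.*` line in the first post and the `local2.*` line in this one actually do with a datagram: decode the `<PRI>` prefix into facility and severity, then route by facility to a file. The `RULES` reuse the thread's two log paths, the `SAMPLE` datagram is constructed in the shape a Catalyst sends, and `serve` is assumed to run as root so it can bind UDP 514.

```python
import re
import socket

# RFC 3164: PRI = facility * 8 + severity; 'local7.*' and 'local2.*' match on facility.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(datagram):
    """Split '<PRI>body' into (facility, severity, body); None if malformed."""
    m = PRI_RE.match(datagram)
    pri = int(m.group(1)) if m else -1
    if not 0 <= pri <= 191:
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)

def matches(selector, facility, severity):
    """syslog.conf 'facility.level': '*' or that level and anything more severe."""
    sel_fac, sel_lev = selector.split(".")
    if sel_fac not in ("*", facility):
        return False
    return sel_lev == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(sel_lev)

def route(datagram, rules):
    """Return the file of the first (selector, path) rule that matches, else None."""
    parsed = parse_pri(datagram)
    if parsed is None:
        return None
    facility, severity, _ = parsed
    return next((path for sel, path in rules if matches(sel, facility, severity)), None)

def serve(rules, bind="0.0.0.0", port=514):
    """Collector loop: bind UDP 514 (needs root) and append routed lines to files."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (src, _) = sock.recvfrom(2048)
        line = data.decode("ascii", "replace").rstrip()
        path = route(line, rules)
        if path:  # a facility with no rule is dropped, exactly as syslogd would
            with open(path, "a") as f:
                f.write(f"{src} {line}\n")

# Rules from the thread and a constructed sample in the shape a Catalyst sends.
RULES = [("local7.*", "/var/log/cisco.log"), ("local2.*", "/var/log/cisco_switch.log")]
SAMPLE = ("<189>52: *Mar  1 00:12:35.001: %LINEPROTO-5-UPDOWN: "
          "Line protocol on Interface GigabitEthernet2/20, changed state to up")
```

Run `serve(RULES)` on the log server and the switch's `logging facility local7` (or `local2`) decides which file a line ends up in; anything arriving with a facility that has no rule is silently dropped, which is the first thing to check when tcpdump sees traffic but the file stays empty.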


 
helpdeskdan:

After I stopped the iptables (the firewall) service, everything is working fine. Being a newbie in Linux, I spent most of the time trying to figure out why SYSLOGD_OPTIONS="-m 0 -r" was not working. What I saw in System Monitor was just the "-m 0" argument.

As you and other readers commented, not every Linux is the same. Thanks for your comment.

kcbell