The syslog daemon is a utility that provides logging of events (messages) received from programs. It can log events from your local machine as well as from remote machines.
Logging to a remote log server is good practice: an attacker who compromises a host cannot quietly alter or delete the copies of its logs that are kept elsewhere. This tip shows how to configure a host to send messages to a remote log server through an encrypted connection using stunnel.
First of all let’s start by installing and minimally configuring stunnel on the server and client machines:
In my Linux Gentoo system to download and install stunnel, I simply type:
emerge stunnel
Proceed according to your system: urpmi stunnel (Mandrake Linux), etc.
Note: As syslog is present in almost every Unix system, I assume your syslog daemon is properly configured and running.
Now edit or create /etc/stunnel/stunnel.conf on both the server and the client so that it looks like this (this minimal file only sets the pid file and drops privileges after start; it does not ask stunnel to verify the peer's certificate):
# stunnel.conf
pid = /var/run/stunnel.pid
setuid = nobody
setgid = nogroup
Configure syslog on the client side to send all events to the log server by changing /etc/syslog.conf:
# syslog.conf – client side
*.* @logserver
Note that there has to be a TAB character between the two fields; syslog does not accept spaces. Also, logserver must resolve to the address on which the client's own stunnel listens (127.0.0.1, since stunnel is started below with -d 514 on the client), not to the remote server itself; otherwise syslog sends the messages straight to the log server, bypassing the tunnel and going out in the clear.
Then start stunnel and restart syslog as follows:
stunnel /etc/stunnel/stunnel.conf -c -r 192.168.10.11:5140 -d 514
/etc/init.d/syslog restart
The first line tells stunnel to run as a client (-c), listen locally on port 514 (-d 514) and forward whatever it receives there to the remote log server 192.168.10.11 at port 5140 (-r). The -c, -d and -r command-line flags are stunnel 3 syntax; stunnel 4 and later read these settings from stunnel.conf instead (client, accept and connect).
Now it is necessary to instruct syslog on the log server to accept messages from the network using an Internet domain socket. This is achieved by passing syslogd the -r option. On Gentoo Linux, edit /etc/conf.d/sysklogd so that it looks like this (-m 0 also turns off the periodic MARK lines):
# Config file for /etc/init.d/sysklogd
SYSLOGD="-r -m 0"
# send warnings and above to the console
KLOGD="-c 3 -2"
Change your system accordingly. For example, in some Red Hat based distros, edit and change /etc/sysconfig/syslog.
And now start stunnel on the server:
stunnel /etc/stunnel/stunnel.conf -d 5140 -r localhost:514
This starts stunnel in daemon mode, listening on port 5140 for incoming TLS connections and forwarding the decrypted stream to localhost port 514, where syslog listens.
Two caveats before relying on this. First, stunnel tunnels TCP only, while classic sysklogd both sends (the @host action) and receives (-r) over UDP, so with sysklogd on both ends no message will actually traverse the tunnel; use a syslog implementation that can send to and listen on a TCP port on both sides (syslog-ng or rsyslog, for example). Second, the minimal stunnel.conf above does not verify certificates: the connection is encrypted, but the client cannot tell the real log server from an impostor. Give the client a CA file and a verify setting, and keep the server's cleartext port 514 reachable from localhost only, otherwise any host on the network can still inject unauthenticated messages directly into it.
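The whole procedure above, ported to stunnel's configuration-file syntax and with the two checks a practitioner would want, as an added example that is not part of the original tip. It keeps the page's addresses (log server 192.168.10.11, TLS port 5140) and assumes, beyond what the page states, the certificate and CA paths under /etc/stunnel, a TCP-capable syslog on both ends, and rsyslog's "@@" notation for a TCP destination on the client.

```shell
#!/bin/sh
# Added example, not from the original tip: the same client/server setup
# expressed in stunnel 4 configuration-file syntax, plus two checks for
# the mistakes the tip warns about. Assumptions (not from the page):
# log server 192.168.10.11 on TLS port 5140, the CA and server certificate
# paths below, and a TCP-capable syslog (rsyslog "@@" syntax is used).
set -eu

LOGSERVER=${LOGSERVER:-192.168.10.11}
TLS_PORT=${TLS_PORT:-5140}

# Client side: listen in the clear on 127.0.0.1:514 only, wrap in TLS,
# and verify the server's certificate against a CA (verify = 2) so the
# tunnel cannot be terminated by an impostor on the path.
client_stunnel_conf() {
  cat <<EOF
pid = /var/run/stunnel.pid
setuid = nobody
setgid = nogroup
client = yes
verify = 2
CAfile = /etc/stunnel/logserver-ca.pem

[syslog]
accept = 127.0.0.1:514
connect = ${LOGSERVER}:${TLS_PORT}
EOF
}

# Server side: accept TLS on the tunnel port and hand the decrypted
# stream to the local syslog TCP listener on 127.0.0.1:514.
server_stunnel_conf() {
  cat <<EOF
pid = /var/run/stunnel.pid
setuid = nobody
setgid = nogroup
cert = /etc/stunnel/logserver.pem
key = /etc/stunnel/logserver.key

[syslog]
accept = ${TLS_PORT}
connect = 127.0.0.1:514
EOF
}

# Client syslog rule: everything to the local stunnel listener over TCP
# (rsyslog "@@" = TCP; sysklogd's "@" is UDP, which stunnel cannot carry).
# Selector and action are separated by a literal TAB, as the tip requires.
client_syslog_conf() {
  printf '*.*\t@@127.0.0.1:514\n'
}

# Return 0 if a syslog.conf rule separates its two fields with a TAB,
# 1 if it uses spaces (sysklogd rejects the latter).
syslog_line_ok() {
  tab=$(printf '\t')
  case $1 in
    *"$tab"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Return 0 if a stunnel config actually checks the peer certificate
# (verify = 2 or 3); the tip's minimal config has no verify line at all.
stunnel_verifies_peer() {
  printf '%s\n' "$1" | grep -q '^verify *= *[23]'
}

# Usage: sh tunnel-config.sh client|server > /etc/stunnel/stunnel.conf
case ${1:-} in
  client) client_stunnel_conf ;;
  server) server_stunnel_conf ;;
esac
```

Run it with the argument client on the syslog clients and server on the log server, then start stunnel with `stunnel /etc/stunnel/stunnel.conf` on each. The server-side syslog must listen for TCP on 127.0.0.1:514 only, so that the one cleartext hop never leaves the machine.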
Is there anything I have to do to point the logs on the server? Otherwise, if the server is set to just log in the usual places, won't it conflict with the log information coming from the clients?

Could you please update this a little more with regards to controlling the place the server keeps the logs? And also, does it still keep separate logs on the server? Or are they all condensed into one log?

Thanks in advance,
Ministry