Syslog

From Ever changing code
Revision as of 19:15, 21 July 2013 by Pio2pio

How to configure syslog-ng to receive logs from a specific host

I wanted to log messages from a Billion BiPac 7800GZ router and Netgear to a specific file on my local Ubuntu 13.04 box. Unfortunately the regular syslog daemon will not allow this. Syslog-ng is a replacement; installing it will remove legacy syslog packages like klogd, sysklogd, rsyslog and ubuntu-minimal.

# sudo apt-get install syslog-ng

Then edit /etc/syslog-ng/syslog-ng.conf to add a UDP listener that accepts remote syslog messages. We could do this under the s_all source, but we define a separate source so that the remote hosts' logs do not get mixed in with our regular ones. Place this after the end of the source s_all block.

source s_net { udp(); };

Add a filter for the Billion router host; I use its IP address, 192.168.1.254.

filter f_billion { host( "192.168.1.254" ); };

Add a destination log file

destination d_billion { file("/var/log/billion.log"); };

Put the pieces together in a logging rule: the source (s_net), the filter (f_billion) and the destination file (d_billion)

log { source(s_net); filter(f_billion); destination(d_billion); };

Restart syslog-ng

# sudo /etc/init.d/syslog-ng restart

Since we added a new logfile, we need to modify /etc/logrotate.d/syslog-ng to make sure the new logfile gets rotated. The entry below has to go before the last entry, which restarts the syslog-ng daemon.

/var/log/billion.log {
   rotate 7
   weekly
   missingok
   notifempty
   compress
}
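
The syslog-ng.conf statements from the steps above, each shown next to a tighter variant. This is an added example, not part of the original page; 192.168.1.10 is a placeholder for the Ubuntu box's own LAN address, and the root/adm ownership is an assumption.

```conf
# Added example. 192.168.1.10 is a placeholder: use this box's own LAN address.

# As on the page: with no options, udp() listens on port 514 on every interface.
# source s_net { udp(); };

# Tightened: bind the listener to the LAN-facing address only.
source s_net { udp(ip("192.168.1.10") port(514)); };

# As on the page: host() takes a regular expression and tests the hostname
# field of the message, so the dots act as wildcards and the pattern is
# not anchored.
# filter f_billion { host("192.168.1.254"); };

# Tightened: netmask() tests the sender's IP address; /32 means exactly one host.
# UDP source addresses are not authenticated, so this narrows the sender
# rather than proving it.
filter f_billion { netmask("192.168.1.254/32"); };

# Explicit owner and mode (assumed values) so the router log is not
# world-readable.
destination d_billion {
    file("/var/log/billion.log" owner("root") group("adm") perm(0640));
};

log { source(s_net); filter(f_billion); destination(d_billion); };
```

Running syslog-ng --syntax-only after editing the file checks that it parses before the daemon is restarted.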