Syslog

From Ever changing code

How to configure Ubuntu syslog-ng to receive logs from a specific host

I wanted to log messages from a Billion BiPac 7800GZ router and a Netgear to a specific file on my local Ubuntu 13.04 box. Unfortunately the regular syslog daemon will not allow this. Syslog-ng is a replacement; installing it will remove legacy syslog packages like klogd, sysklogd, rsyslog and ubuntu-minimal.

# sudo apt-get install syslog-ng

Then edit /etc/syslog-ng/syslog-ng.conf to add a UDP listener that accepts remote syslog messages. We could do this under the s_all source, but we define a separate source so that our remote hosts' logs do not get mixed in with our regular ones. Place this after the end of the source s_all block.

source s_net { udp (); };

Add a filter for the Billion router host; I use its IP, 192.168.1.254

filter f_billion { host( "192.168.1.254" ); };

Add the destination log file

destination d_billion { file("/var/log/billion.log"); };

Put the source (s_net), filter (f_billion) and destination file (d_billion) together into a logging rule

log { source ( s_net ); filter( f_billion); destination ( d_billion); };

Restart syslog-ng

# sudo /etc/init.d/syslog-ng restart

Verify that the syslog-ng daemon is listening

# netstat -lu | grep syslog
udp        0      0 *:syslog                *:*
# netstat -ln | grep :514
udp        0      0 0.0.0.0:514             0.0.0.0:*
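
A narrowed variant of the configuration built above, as an added example that is not part of the original page. It reuses the page's addresses (192.168.1.250 for the Ubuntu box, 192.168.1.254 for the router); the root:adm 0640 file ownership is an assumption.

```conf
# Added example, not from the original page: the same log path with the
# listener, filter and log file narrowed.

# Original: udp() with no options binds 0.0.0.0:514, i.e. every interface.
#   source s_net { udp (); };
# Narrowed: bind only the LAN address of the Ubuntu box.
source s_net { udp(ip("192.168.1.250") port(514)); };

# Original: host() is a regular-expression match on the HOST field, so the
# unescaped dots match any character and the pattern is not anchored.
#   filter f_billion { host( "192.168.1.254" ); };
# Narrowed: netmask() compares the IP address the datagram came from.
filter f_billion { netmask("192.168.1.254/32"); };

# Original: the file inherits owner and mode from the global options.
#   destination d_billion { file("/var/log/billion.log"); };
# Narrowed: set them on the destination itself (root:adm 0640 is an
# assumption, pick the group that should be able to read router logs).
destination d_billion {
    file("/var/log/billion.log" owner("root") group("adm") perm(0640));
};

log { source(s_net); filter(f_billion); destination(d_billion); };
```

With this source definition, netstat -ln | grep :514 shows 192.168.1.250:514 instead of 0.0.0.0:514. UDP syslog carries no authentication, so the filter routes messages by sender address and does not prove where they came from.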

Since we added a new logfile, we need to modify /etc/logrotate.d/syslog-ng to make sure our new logfile gets rotated. The entry below has to go in before the last one, which restarts the syslog-ng daemon.

/var/log/billion.log {
   rotate 7
   weekly
   missingok
   notifempty
   compress
}

How to set up Billion & Netgear to send syslog messages

Netgear

Navigate to the web interface (default IP: 192.168.1.254) > Logs > Syslog section, choose: Send to this Syslog server IP address [192.168.1.250] > Apply.

Note: in this example our Ubuntu box is configured with the static IP address 192.168.1.250.