Syslog-NG log server
July 2007
Note: ToDo: log over TCP instead of UDP, and encrypt communication between client and server (using a tunnel?). This document shows plain-text logging over UDP. While this is simple, it is hardly bandwidth-efficient, and certainly not secure.
Syslog-NG is an improvement upon syslog with regard to configurability.
We followed the SysLog-NG Administrator Guide, in which syslog-ng is documented well.
syslog-ng server
Install syslog-ng:
apt-get install syslog-ng
In /etc/syslog-ng/syslog-ng.conf.dist, configure the server to listen for incoming logs:
source s_all {
    # messages generated by Syslog-NG
    internal();
    # standard Linux log source (this is the default place for the syslog()
    # function to send logs to)
    unix-stream("/dev/log");
    # messages from the kernel
    file("/proc/kmsg" log_prefix("kernel: "));
    # use the following line if you want to receive remote UDP logging messages
    # (this is equivalent to the "-r" syslogd flag)
    # enabled --JB 20070718
    udp();
};
Restart the daemon:
/etc/init.d/syslog-ng restart
Now you can see the daemon listening on UDP port 514:
netstat -lpn | grep syslog
udp 0 0 0.0.0.0:514 0.0.0.0:* 2692/syslog-ng
unix 2 [ ACC ] STREAM LISTENING 7009 2692/syslog-ng /dev/log
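
To check that the udp() source actually receives remote messages, and to see what the note above means by plain-text logging, the following added example (not part of the original document) builds a BSD-syslog datagram, sends it over UDP and decodes the priority field. The host name `client1`, the tag `udptest` and the loopback receiver standing in for the server on port 514 are assumptions made so the script runs on its own.

```python
import socket
from datetime import datetime

# Subset of the standard syslog facility and severity codes
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_message(facility, severity, host, tag, text, when=None):
    """Return a BSD-syslog (RFC 3164) datagram payload as bytes."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = when or datetime.now()
    # RFC 3164 timestamp: "Mmm dd hh:mm:ss", day padded with a space
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} {tag}: {text}".encode("ascii")


def parse_pri(payload):
    """Split the leading <PRI> into (facility number, severity number, rest)."""
    if not payload.startswith(b"<") or b">" not in payload[:5]:
        raise ValueError("no PRI field")
    end = payload.index(b">")
    pri = int(payload[1:end])
    return pri // 8, pri % 8, payload[end + 1:]


def send_and_capture(payload):
    """Send payload over UDP to a loopback receiver and return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))      # ephemeral port stands in for 514
        rx.settimeout(2)
        tx.sendto(payload, rx.getsockname())
        data, _peer = rx.recvfrom(2048)
    return data


if __name__ == "__main__":
    # Constructed sample message; host and tag are placeholders
    msg = build_message("local0", "info", "client1", "udptest", "hello log server")
    wire = send_and_capture(msg)
    print(wire.decode())               # readable as-is: nothing is encrypted
    print(parse_pri(wire)[:2])         # facility and severity numbers
```

To test the real server, send the payload from `build_message` to the server's address on port 514 and look for the `udptest` tag in its log files.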