Sending syslog messages to a remote syslog server

Sending syslog messages to a remote syslog server

Post by John Jesmi » Sat, 04 Oct 2003 04:14:46



I have successfully set up a centralized syslog server on Linux
accepting logs from remote clients.
The /etc/syslog.conf file on Linux (192.168.1.20) is configured as
follows:
*.*                               /var/log/mainlog

I have remote Linux, Windows, Snort, HP JetDirects, and Cisco devices
logging to it.  I have not been able to get Solaris to send logs
though.
The /etc/syslog.conf file on Solaris 7.0 (192.168.1.10) is configured
as follows:


The /etc/hosts file on Solaris is configured as follows:
192.168.1.20 loghost

After restarting syslog (etc/init.d/syslog stop and then a start), I
do not see any logs being sent.  I tried to log into telnet with an
incorrect password, and /var/adm/ had a log file that shows I
attempted this, but the Linux box did not.

My question is...Are either of these correct?  I would prefer to use

understand that the second line should work as well.  Any ideas?


Sending syslog messages to a remote syslog server

Post by Barry Margoli » Sat, 04 Oct 2003 04:35:10




>The /etc/syslog.conf file on Solaris 7.0 (192.168.1.10) is configured
>as follows:

>*.                                ifdef(`LOGHOST', /var/log/syslog,

>The /etc/hosts file on Solaris is configured as follows:
>192.168.1.20 loghost

>After restarting syslog (etc/init.d/syslog stop and then a start), I
>do not see any logs being sent.  I tried to log into telnet with an
>incorrect password, and /var/adm/ had a log file that shows I
>attempted this, but the Linux box did not.

>My question is...Are either of these correct?  I would prefer to use

>understand that the second line should work as well.  Any ideas?

*.* should be *.debug.  The second field is a severity level, and is
interpreted as that level and all higher levels.  So to get all severities,
you specify the lowest level, which is "debug".

I'm not sure what your second line is intended to be -- you seem to have
left out the level entirely.

--

Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.


Sending syslog messages to a remote syslog server

Post by georg » Sat, 04 Oct 2003 12:46:41


I might be wrong, but I don't think *.* is valid syntax. I can't remember,
but either the facility or the level can't have a wildcard. I can't remember
which. I do know only one of them can have a wildcard.
You could start syslog with the -d (debug) option to see if there are
syntax errors in the syslog.conf file.
George

Sending syslog messages to a remote syslog server

Post by sharo » Sun, 05 Oct 2003 14:20:45



> I have successfully setup a centralized syslog server on Linux
> accepting logs from remote clients.
> The /etc/syslog.conf file on Linux (192.168.1.20) is configured as
> follows:
> *.*                               /var/log/mainlog

> I have remote Linux, Windows, Snort, HP JetDirects, and Cisco devices
> logging to it.  I have not been able to get Solaris to send logs
> though.
> The /etc/syslog.conf file on Solaris 7.0 (192.168.1.10) is configured
> as follows:

> *.                                ifdef(`LOGHOST', /var/log/syslog,

> The /etc/hosts file on Solaris is configured as follows:
> 192.168.1.20 loghost

> After restarting syslog (etc/init.d/syslog stop and then a start), I
> do not see any logs being sent.  I tried to log into telnet with an
> incorrect password, and /var/adm/ had a log file that shows I
> attempted this, but the Linux box did not.

> My question is...Are either of these correct?  I would prefer to use

> understand that the second line should work as well.  Any ideas?

Hi John,

I would suggest checking out this page:

http://www.gl.umbc.edu/~jack/ifsm498d/syslog.html

It will explain more clearly how syslog works and should help you set
up your syslog correctly.  I've successfully set up a logserver and
directed all logging messages to it.  I set up and used the various
locals (also talked about on that page).

good luck,

Sharona


Sending syslog messages to a remote syslog server

Post by ales.roman.. » Sun, 05 Oct 2003 15:38:15



> I have successfully setup a centralized syslog server on Linux
> accepting logs from remote clients.
> The /etc/syslog.conf file on Linux (192.168.1.20) is configured as
> follows:
> *.*                               /var/log/mainlog

> I have remote Linux, Windows, Snort, HP JetDirects, and Cisco devices
> logging to it.  I have not been able to get Solaris to send logs
> though.
> The /etc/syslog.conf file on Solaris 7.0 (192.168.1.10) is configured
> as follows:


Severity cannot have wildcards. You can do *.crit, but not mail.*.
I suggest you do

# /etc/init.d/syslog stop
# syslogd -d

which will go into interactive mode with the debug function. Any error
you have will be shown.
Then repair /etc/syslog.conf and start syslog with

# /etc/init.d/syslog start

> *.                                ifdef(`LOGHOST', /var/log/syslog,

> The /etc/hosts file on Solaris is configured as follows:
> 192.168.1.20 loghost

> After restarting syslog (etc/init.d/syslog stop and then a start), I
> do not see any logs being sent.  I tried to log into telnet with an
> incorrect password, and /var/adm/ had a log file that shows I
> attempted this, but the Linux box did not.

> My question is...Are either of these correct?  I would prefer to use

> understand that the second line should work as well.  Any ideas?
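Barry's and ales.roman's replies make the same point: on Solaris the level field of a selector means that severity and everything more severe, and only the facility may be `*`. The Python model below of that selector logic is an added example, not code from this thread; it assumes a constructed syslog.conf (SAMPLE_CONF) and handles only the ifdef(`LOGHOST', a, b) form of the m4 conditional that appears in the quoted Solaris file.

```python
import re

# Solaris severities, most severe first: a level selects itself and all more severe ones, so *.debug is everything.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_selector(sel):
    """Parse 'fac[,fac...].level' into (facilities, level); ValueError on bad syntax."""
    facs, _, level = sel.rpartition(".")
    if not facs or level == "*":
        raise ValueError(f"{sel!r}: a severity is required and it cannot be a wildcard")
    if level != "none" and level not in LEVELS:
        raise ValueError(f"{sel!r}: unknown severity {level!r}")
    return set(facs.split(",")), level

def selector_error(sel):
    """The syntax error for one selector, or None when it is valid."""
    try:
        parse_selector(sel)
        return None
    except ValueError as e:
        return str(e)

def resolve_m4(action, is_loghost):
    """Mimic the m4 pass syslogd runs over syslog.conf: ifdef(`LOGHOST', a, b) -> a or b."""
    m = re.fullmatch(r"ifdef\(`LOGHOST',\s*([^,]+),\s*([^)]+)\)", action.strip())
    return action.strip() if not m else m.group(1 if is_loghost else 2).strip()

def rule_matches(selectors, facility, level):
    """Later selectors on a line override earlier ones, so 'mail.none' excludes mail."""
    verdict = False
    for facs, sel_level in selectors:
        if "*" in facs or facility in facs:
            verdict = sel_level != "none" and LEVELS.index(level) <= LEVELS.index(sel_level)
    return verdict

def actions_for(conf, facility, level, is_loghost=False):
    """Actions (log files, @host forwarders) a message with this facility/level reaches."""
    out = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        selectors, action = re.split(r"\s+", line.strip(), maxsplit=1)  # syslogd wants a tab
        if rule_matches([parse_selector(s) for s in selectors.split(";")], facility, level):
            out.append(resolve_m4(action, is_loghost))
    return out

# Constructed sample, not the poster's file. On the thread's Solaris box "loghost" is the
# Linux server in /etc/hosts, so LOGHOST is undefined and the second ifdef branch applies.
SAMPLE_CONF = """\
*.err;kern.debug;daemon.notice;mail.crit\tifdef(`LOGHOST', /var/adm/messages, @loghost)
auth.info\t/var/adm/authlog
*.debug;mail.none\t@loghost
"""
```

Running selector_error("*.*") reproduces the syntax error the thread is about, while actions_for(SAMPLE_CONF, "auth", "info") shows a failed-login auth message reaching both the local file and @loghost.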


Sending syslog messages to a remote syslog server

Post by John Jesmi » Wed, 08 Oct 2003 04:18:32





> > I have successfully setup a centralized syslog server on Linux
> > accepting logs from remote clients.
> > The /etc/syslog.conf file on Linux (192.168.1.20) is configured as
> > follows:
> > *.*                               /var/log/mainlog

> > I have remote Linux, Windows, Snort, HP JetDirects, and Cisco devices
> > logging to it.  I have not been able to get Solaris to send logs
> > though.
> > The /etc/syslog.conf file on Solaris 7.0 (192.168.1.10) is configured
> > as follows:

> Severity cannot have Wildcards. You can do *.crit, but no mail.*.
> I suggest you do

> # /etc/init.d/syslog stop
> # syslogd -d

> which will go to interactive mode with debug function. Any error you
> have, it will be shown.
> Then repair /etc/syslog.conf and start syslog with

> # /etc/init.d/syslog start
> > *.                                ifdef(`LOGHOST', /var/log/syslog,

> > The /etc/hosts file on Solaris is configured as follows:
> > 192.168.1.20 loghost

> > After restarting syslog (etc/init.d/syslog stop and then a start), I
> > do not see any logs being sent.  I tried to log into telnet with an
> > incorrect password, and /var/adm/ had a log file that shows I
> > attempted this, but the Linux box did not.

> > My question is...Are either of these correct?  I would prefer to use

> > understand that the second line should work as well.  Any ideas?

I am going to try the following in my syslog.conf file:


Hopefully this works and I will be able to send everything to the
remote loghost.  Thanks for all of your replies.

JJ


Sending syslog messages to a remote syslog server

Post by Darren Dunha » Wed, 08 Oct 2003 05:11:04



> I am going to try the following in my syslog.conf file:


One would assume you mean


--

Unix System Administrator                    Taos - The SysAdmin Company
Got some Dr Pepper?                           San Francisco, CA bay area
         < This line left intentionally blank to confuse you. >


Tuning syslog/Syslog reporting/Syslog enhancement/replacements

Hello,

        I have been investigating using syslog's logging facilities. I have
currently set up our network to log to a central logging host. In my
preliminary attempts, I have set up syslog to dump everything to a single
file, which gets messy. I've sorted out the files now, and I have noticed
that certain applications such as telnetd and ftpd write to the LOG_MAIL
facility. Is there a way to alter the logging facility that they report
to, or will I have to have modified binaries to handle this? I'm mostly
concerned with our AIX machines, but we also have HPUX, SunOS/Solaris, and
OSF. I could very well have it dump all information and sort out the data
based on rules I develop using sed/awk/perl/grep (whatever), but it would
be nicer if it were done by syslog/programs writing to syslog.

        Also, is anyone familiar with any other logging utilities? I would be
grateful for some help/advice or some pointers to where to find this
information.

Thanks for your help.

Adam
