Home‎ > ‎unix/linux‎ > ‎

syslog-ng




Install on Centos 7: 

Syslog-ng is not in the normal yum path, so you need to first setup/point to the epel-release
yum -y install epel-release
yum -y repolist
yum -y update
reboot

Then install syslog-ng
yum install syslog-ng

Turn on Syslog-ng
systemctl enable syslog-ng
systemctl start syslog-ng

and if your running centos 7, remove the default logging service
yum erase rsyslog


Understanding the syslog config

There is one config file that manages everything.  In Centos7, its located here: 
vim /etc/syslog-ng/syslog-ng.conf

There are four sections of the file that are important to note.  

Sources Section

This describes the different methods for accepting data.  It also applies variables to those inputs.  For example, in the following all internal and system logs will be assigned to "s_sys", and anything accepted via udp port 514 will be assigned to "s_net_udp".  
 
source s_sys {
    system();
    internal();
};

source s_net_udp {
    network(
        transport("udp")
        port(514)
    );

};

Filter Section

Here we can filter out traffic that we don't want (or do want).  
filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        (facility(news)
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };


Destination Section 

Where the data should go, or in other words, what files everything should be tossed to.  (Note that syslog-ng has all sorts of other methods for putting data other than just writing them to files.)

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

destination d_sorted { file("/var/log/syslog/${HOST}/${YEAR}_${MONTH}_${DAY}.log" create-dirs(yes)); };

Log Section (the glue)

Link sources to a filter, and then spit the output to a destination.   If we look at the bottom line, we're taking traffic from UDP:514, and running the "f_default" filter on it, and then taking that output, and sending it to the "d_sorted" destination, which creates directories by hostname, and then date of the log.  
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

log { source(s_net_udp); filter(f_default); destination(d_sorted); };


Review: 

In review, graphically, it looks like the following.  

IPTables/Firewalld

External traffic needs to get to the syslog server from the outside.  It might be blocked by the servers ACLs.  To open up the service, use the following statements. 

Firewalld

Confirm what interfaces are on what zones
[root]# firewall-cmd --get-active-zones
public
  interfaces: ens160

Add syslog to the public zone
[root]# firewall-cmd --zone=public --permanent --add-service=syslog
success



Cron

If you need to delete older files from your server, you can do this with the find tool and run it daily in cron.  
From root, edit cron

# crontab -e


# Root Cron Jobs:
# where:
# 0 1 * * *  USERNAME /path/to/command arg1 arg2
# means @ 1:00am everyday, as "USERNAME", run the "command" with the following arguments
#
# /----------- Minute (0 - 59)
# | /--------- Hour (0 - 23)
# | | /------- Day of month (1 - 31)
# | | | /----- Month (1 - 12)
# | | | | /--- Day of week (0 - 7) (Sunday=0 or 7)
# | | | | |

  0 2 * * * find /var/log/syslog -name *.log -mtime +7 -delete 2>&1 | /usr/bin/logger -t delete_syslog_files_older_then_7_days





References: 
Comments