Tuesday 16 August 2011

A rough introduction to rsyslog

                                                     
This article describes only how to work with rsyslog. If you want to learn it in depth, stop reading this and search Google for resources.
What is syslog?**
syslog is a utility for tracking and logging all manner of system messages, from the merely informational to the extremely critical. Each message sent to the syslog server carries two descriptive labels that make it easier to handle:
     1. The first describes the function (facility) of the application that generated it. For example, the mail and cron daemons generate messages with the easily identifiable facilities mail and cron.
     2. The second describes the severity of the message, from debug (least urgent) up to emerg (most urgent).
We can configure syslog's /etc/rsyslog.conf configuration file to place messages of differing severities and facilities in different files. On older versions of Fedora the file was /etc/syslog.conf.
Each rule line in rsyslog.conf has two columns:
the first column (the selector) lists the facilities and severities of the messages to expect;
the second column lists the file to which they should be logged. The default configuration of
/etc/rsyslog.conf puts most messages in the file /var/log/messages.
An example:
local7.*                        /var/log/messages
This line sends every message from the local7 facility, at any severity, to /var/log/messages.
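To make the two labels and the two columns concrete, here is an added example (not code from the original post or from rsyslog). It shows how facility and severity are packed into the PRI number every syslog message carries, and it walks a message through a small rsyslog.conf fragment to find the file(s) it would land in. The fragment is constructed here, modelled on the default Fedora rules the post mentions; the selector rules implemented are the traditional ones (facility list, '*', 'none', '=sev', and a bare severity meaning that severity or more urgent), and the '!' modifier is left out.

```python
"""Added example (not from the original post): how syslog's two labels,
facility and severity, become a message's PRI number, and how an rsyslog
selector such as 'local7.*' or '*.info;mail.none' decides which file a
message lands in."""
from __future__ import annotations

# Facility codes 0-23 as numbered in RFC 3164 / RFC 5424. The names for
# codes 12-15 are descriptive labels chosen here; rsyslog itself only
# accepts the well-known names and local0-local7 in selectors.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7, most to least urgent.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def pri(facility: str, severity: str) -> int:
    """PRI value carried in the '<N>' prefix of every syslog message."""
    return FACILITY_NAMES.index(facility) * 8 + SEVERITY_NAMES.index(severity)


def decode_pri(value: int) -> tuple[str, str]:
    """Inverse of pri(): split a PRI back into (facility, severity) names."""
    if not 0 <= value <= 191:
        raise ValueError(f"PRI out of range: {value}")
    return FACILITY_NAMES[value // 8], SEVERITY_NAMES[value % 8]


def _apply_selector(selector: str, facility: str, severity: str) -> bool | None:
    """One 'facility[,facility].priority' term. Returns True (claims the
    message), False (a 'none' exclusion applies) or None (says nothing)."""
    facilities, _, priority = selector.rpartition(".")
    if facilities != "*" and facility not in facilities.split(","):
        return None
    if priority == "none":
        return False
    if priority == "*":
        return True
    wanted = SEVERITY_NAMES.index(priority.lstrip("="))
    have = SEVERITY_NAMES.index(severity)
    if priority.startswith("="):               # exactly this severity
        return True if have == wanted else None
    return True if have <= wanted else None    # this severity or more urgent


def route(conf: str, facility: str, severity: str) -> list[str]:
    """Return the targets a message would be written to under an rsyslog.conf
    fragment. '$' directive lines and '#' comments are skipped; a leading '-'
    on a file name (asynchronous write) is stripped."""
    targets = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "$")):
            continue
        selector, target = line.split(None, 1)
        matched = False
        for term in selector.split(";"):       # later terms override earlier ones
            verdict = _apply_selector(term, facility, severity)
            if verdict is not None:
                matched = verdict
        if matched:
            targets.append(target.strip().lstrip("-"))
    return targets


# Constructed sample, modelled on the default Fedora rules the post refers to.
SAMPLE_CONF = """\
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
mail.*                                      -/var/log/maillog
cron.*                                      /var/log/cron
local7.*                                    /var/log/boot.log
"""

if __name__ == "__main__":
    print(pri("local7", "info"), decode_pri(190))
    for fac, sev in [("local7", "info"), ("mail", "err"), ("cron", "debug"), ("kern", "debug")]:
        print(f"{fac}.{sev:<8} -> {route(SAMPLE_CONF, fac, sev)}")
```

Running it shows why a mail.err message never reaches /var/log/messages on a default Fedora box (the mail.none term on the first line overrides the *.info match) and why a local7.info message is written twice. The same route() function also accepts a forwarding rule such as "*.* @@192.168.0.1:1234" as a target, since the second column is just an action string.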
Now the question is how to configure /etc/rsyslog.conf. Before we start, we should know what the '$' sign means here: a line starting with "$" is a directive (for example, loading a module), and "#" starts a comment.
Here are the steps to configure the file (but first make sure that you have administrative privileges, since the file is owned by root).
1. (at the sending end)
Configure /etc/rsyslog.conf on the host whose messages will be sent to the central log server. Messages can be forwarded via TCP or UDP.
For TCP we prepend the server's IP or hostname with "@@" and add a line like this to the file:

*.* @@192.168.0.1:1234

that is, *.*   @@<ip or hostname>:<port>. The "*.*" selector forwards every facility at every severity.
For UDP the syntax is a little different: we use a single "@". The default UDP port is 514, so there is no need to specify the port when using the default one:

*.* @192.168.0.1

Note that both forms send the log lines in cleartext and UDP gives no indication of lost messages, so keep this traffic on a trusted network segment and prefer TCP when you care about every line arriving.
2. (at the receiving end)
On the server we need to uncomment a few lines in the same file. If those lines don't exist or have been deleted, add them. They load the input module and start the listener.
For TCP (1234 is the port, which must match the one the clients send to):
$ModLoad imtcp
$InputTCPServerRun 1234
For UDP:
$ModLoad imudp
$UDPServerRun 514
phew...thank god it has ended at last...
We need to restart rsyslog on both machines (server and client) to see the changes made to rsyslog.conf take effect.
Also make sure the firewall is not blocking the traffic. The quick way, for a lab, is to stop it; type the following in a terminal as superuser:
# service iptables stop
# service iptables status
Firewall is stopped.
On a real log server do not leave the firewall off: add a rule that accepts only the listener port you chose (TCP 1234 or UDP 514) from the client hosts, and keep everything else blocked.
Yeah, we have almost arrived at the end of the movie.
So now restart the logging service by typing:
# service rsyslog restart
All the steps are complete: rsyslog is running and writing the log messages to the remote machine. But how can we know it is working? To watch new log entries arrive on the server, execute the following command in the terminal:
# tail -f /var/log/messages
Note that the path /var/log/messages can be changed according to the file the server's selector sends the messages to.
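To see what the "@" and "@@" actions from step 1 actually put on the wire, and to check the client-to-server exchange end to end, here is an added example (not code from the original post or from rsyslog). It models the sending host and the central server in one process: socket.socketpair() stands in for the network so the example runs offline, but the BSD-syslog line format and the framing are what rsyslog's forwarder uses by default (one datagram per message for "@", LF-terminated messages on the byte stream for "@@"). The hostnames, tags and log lines are constructed.

```python
"""Added example, not part of the original post: what '*.* @host' (UDP) and
'*.* @@host:port' (TCP) carry, with the sending and receiving side both
modelled here. socket.socketpair() replaces the network so this runs
offline; the message format and framing are the ones rsyslog uses by default."""
from __future__ import annotations

import re
import socket

# Facility / severity codes used in the constructed sample (RFC 3164 numbering).
AUTHPRIV, LOCAL7 = 10, 23
ERR, INFO = 3, 6


def build_message(facility: int, severity: int, timestamp: str,
                  host: str, tag: str, text: str) -> bytes:
    """BSD-syslog (RFC 3164) line: <PRI>TIMESTAMP HOST TAG: MSG, PRI = facility*8 + severity."""
    return f"<{facility * 8 + severity}>{timestamp} {host} {tag}: {text}".encode()


_LINE = re.compile(rb"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")


def parse_message(data: bytes) -> dict:
    """What the receiving rsyslog does first: split PRI back into facility and
    severity so its own selectors (e.g. local7.*) can route the message."""
    m = _LINE.match(data)
    if not m:
        raise ValueError(f"not a BSD-syslog line: {data!r}")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": pri // 8, "severity": pri % 8,
        "timestamp": m.group(2).decode(), "host": m.group(3).decode(),
        "tag": m.group(4).decode(), "msg": m.group(5).decode(),
    }


def forward_udp(messages: list[bytes]) -> list[dict]:
    """'@host': every message is its own datagram. No framing is needed, but
    nothing tells the sender whether a datagram was lost or the server was down."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    with client, server:
        for msg in messages:
            client.send(msg)
        server.settimeout(1)
        return [parse_message(server.recv(65535)) for _ in messages]


def forward_tcp(messages: list[bytes]) -> list[dict]:
    """'@@host:port': one byte stream, so each message is terminated with LF
    (rsyslog's default "traditional" framing). Reads come back as arbitrary
    chunks, so the receiver must buffer and split on the delimiter itself."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with server:
        with client:
            client.sendall(b"".join(msg + b"\n" for msg in messages))
        # Closing the client gives the server EOF; a real receiver keeps reading.
        buf = b""
        while chunk := server.recv(4096):
            buf += chunk
    return [parse_message(line) for line in buf.split(b"\n") if line]


# Constructed sample: two events on a client host, as rsyslog would forward them.
SAMPLE = [
    build_message(AUTHPRIV, INFO, "Aug 16 10:15:01", "client1", "sshd[1234]",
                  "Accepted publickey for alice from 192.168.0.5 port 51234 ssh2"),
    build_message(LOCAL7, ERR, "Aug 16 10:15:02", "client1", "backup",
                  "nightly job failed: disk full"),
]

if __name__ == "__main__":
    for name, fn in (("udp", forward_udp), ("tcp", forward_tcp)):
        for rec in fn(SAMPLE):
            print(name, rec["facility"], rec["severity"], rec["host"], rec["tag"], rec["msg"])
```

Two practical points fall out of the TCP half: a message containing a literal newline would be cut in two by LF framing (which is why rsyslog also offers octet-counted framing), and nothing here authenticates the sender, so a host that can reach the listener port can inject lines under any hostname or tag. On the real setup, generate a test line on the client with "logger -p local7.info test" and watch it arrive with the tail command above.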
This is a simple description of how to work with rsyslog. For details visit www.rsyslog.com
(**reference: Linux Home Networking, rsyslog.com)