1 Introduction

This exercise demonstrates that it is straightforward to set up a central Linux box as a syslog server which collects logs from other hosts.

2 On the master server (log collector)

As root, edit the file /etc/rsyslog.conf:

# editor /etc/rsyslog.conf

...and find and un-comment the following lines (that is, remove the initial '#' only)

#$ModLoad imudp
#$UDPServerRun 514

change to:

$ModLoad imudp
$UDPServerRun 514

Restart rsyslog:

# service rsyslog restart

3 On the other servers

It is left as an exercise if you wish to use Ansible to make this change on your remote hosts - or you can just do it manually.

On the other (non-master) servers, create a file called /etc/rsyslog.d/00-remote.conf with the following contents:

*.info      @hostN.ws.nsrc.org

where hostN is your master server. And then restart rsyslog as before.

This tells rsyslog to forward all messages of severity "info" or above to the host you have specified.

WARNING Do NOT configure a host to send syslog messages to itself! (e.g. on hostN, do NOT configure @hostN.ws.nsrc.org) Otherwise your disk will rapidly fill up with a storm of syslog messages!
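The following shell script is an added example and is not part of the original exercise. It applies the two changes above from the command line: enable_udp_listener un-comments the two listener lines in the collector's rsyslog.conf (section 2), and write_remote_conf writes the forwarding rule for a non-master host (section 3) but refuses to do so when the target is the local host, which is the loop the WARNING describes. The function names are assumptions made here, and the config file path, the target host and the local hostname are passed as arguments so the functions can be tried against scratch copies before being pointed at /etc. The demo at the bottom runs entirely inside a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original exercise): apply the collector and
# client rsyslog changes, guarding against a host forwarding to itself.

# Collector side (section 2): un-comment the UDP listener lines.
# Idempotent: lines that are already un-commented are left unchanged, and
# other commented lines (e.g. imtcp) are not touched.
# Usage: enable_udp_listener /etc/rsyslog.conf
enable_udp_listener() {
    conf="$1"
    tmp="$conf.tmp.$$"
    # Write to a temp file and rename, so the edit is portable across
    # GNU/BSD sed and the original is intact if sed fails.
    sed -e 's/^#\$ModLoad imudp$/$ModLoad imudp/' \
        -e 's/^#\$UDPServerRun 514$/$UDPServerRun 514/' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Client side (section 3): write the *.info forwarding rule.
# Refuses when the target names this host, because a host forwarding to
# itself produces the message storm the exercise warns about.
# Usage: write_remote_conf hostN.ws.nsrc.org "$(hostname -f)" /etc/rsyslog.d/00-remote.conf
write_remote_conf() {
    target="$1"
    local_name="$2"
    out="$3"
    # Compare the full name and the short (first label) name, so that
    # "hostN" versus "hostN.ws.nsrc.org" is also caught.
    if [ "$target" = "$local_name" ] || [ "${target%%.*}" = "${local_name%%.*}" ]; then
        echo "refusing: $target is this host; rsyslog would forward to itself" >&2
        return 1
    fi
    printf '*.info\t@%s\n' "$target" > "$out"
}

# Demo on scratch files (constructed input, nothing under /etc is touched).
demo_dir=$(mktemp -d)
printf '#$ModLoad imudp\n#$UDPServerRun 514\n#$ModLoad imtcp\n' > "$demo_dir/rsyslog.conf"
enable_udp_listener "$demo_dir/rsyslog.conf"
echo "collector config after edit:"
cat "$demo_dir/rsyslog.conf"
write_remote_conf host1.ws.nsrc.org host2.ws.nsrc.org "$demo_dir/00-remote.conf"
echo "client rule written for host2:"
cat "$demo_dir/00-remote.conf"
# This call must be rejected: host1 would be forwarding to itself.
write_remote_conf host1.ws.nsrc.org host1.ws.nsrc.org "$demo_dir/self.conf" \
    || echo "self-forwarding guard triggered as expected"
rm -rf "$demo_dir"
```

After running the functions against the real files, restart rsyslog as the exercise describes; the guard only compares names, so a host that reaches itself through a different DNS alias still needs a human check of the target before restarting.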

4 Testing

Back on the master host, monitor one of the log files, e.g.

# tail -f /var/log/auth.log

Make a fresh ssh connection from your laptop to one of the other servers. You should find that the log message for the user logging in appears on the master server (in addition to being logged locally on the host itself).

Congratulations, you have a simple centralised log server.

With additional configuration, it is possible to: