This exercise demonstrates that it is straightforward to set up a central Linux box as a syslog server which collects logs from other hosts.
As root, edit the file /etc/rsyslog.conf:
# editor /etc/rsyslog.conf
...and find and un-comment the following lines (that is, remove the initial '#' only):
#$ModLoad imudp
#$UDPServerRun 514
change to:
$ModLoad imudp
$UDPServerRun 514
Restart rsyslog:
# service rsyslog restart
It is left as an exercise if you wish to use Ansible to make this change on your remote hosts - or you can just do it manually.
Create a file called /etc/rsyslog.d/00-remote.conf with the following contents:
*.info      @hostN.ws.nsrc.org
where hostN is your master server. Then restart rsyslog as before.
(This tells rsyslog to forward all messages of severity "info" or above to the host you have specified.)
Back on the master host, monitor one of the log files, e.g.
# tail -f /var/log/auth.log
Make a fresh ssh connection from your laptop to one of the other servers. You should find that the log message for the user logging in appears on the master server (in addition to being logged locally on the host itself).
Congratulations, you have a simple centralised log server.
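The edits above are small enough to do by hand, but if you script them (with Ansible or otherwise) you want them to be idempotent and checkable. The following shell script is an added example, not part of the original exercise: it un-comments the two listener directives with sed, verifies that they are active, writes the forwarding fragment for a given master, and sends a tagged test message through the local syslog so you can grep for it on the master. The paths are parameters so the functions can be tried on a copy of the config first; the demonstration at the bottom runs against a constructed sample file in a temporary directory, not against the real /etc/rsyslog.conf. One caveat worth keeping in mind while you use this: plain UDP syslog is neither authenticated nor encrypted, so any host that can reach 514/udp on the master can inject or spoof log lines; restrict that port at the firewall to the workshop hosts.

```shell
#!/bin/sh
# Added example: scriptable version of the rsyslog edits in this exercise.
# Not taken from the original page; paths are passed in so it can be tested
# on a copy of the configuration before touching /etc.

# Un-comment "$ModLoad imudp" and "$UDPServerRun 514" in the given file.
# A temporary file plus mv is used instead of sed -i so it works with both
# GNU and BSD sed. Already-uncommented lines are left as they are, so the
# function is safe to run repeatedly (e.g. from a configuration manager).
enable_udp_listener() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed -e 's/^#\$ModLoad imudp$/$ModLoad imudp/' \
        -e 's/^#\$UDPServerRun 514$/$UDPServerRun 514/' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Return 0 only when both listener directives are active (no leading '#').
listener_enabled() {
    grep -q '^\$ModLoad imudp' "$1" && grep -q '^\$UDPServerRun 514' "$1"
}

# Write the client-side fragment (normally /etc/rsyslog.d/00-remote.conf)
# forwarding every message of severity info or above to the master.
write_forwarder() {
    master="$1"
    out="$2"
    printf '*.info      @%s\n' "$master" > "$out"
}

# Send a uniquely tagged message via the local syslog. logger uses
# facility/severity user.notice by default, which is above info and so is
# forwarded by the rule above. Prints the tag so you can grep for it on the
# master, e.g.:  grep "$(send_test_message)" /var/log/syslog
send_test_message() {
    tag="rsyslog-test-$$"
    logger -t "$tag" "forwarding check from $(hostname)"
    echo "$tag"
}

# Demonstration on a constructed sample config (not the real one).
if [ -z "$RSYSLOG_EXAMPLE_NO_DEMO" ]; then
    demo="$(mktemp -d)"
    printf '#$ModLoad imudp\n#$UDPServerRun 514\n*.* /var/log/syslog\n' \
        > "$demo/rsyslog.conf"
    enable_udp_listener "$demo/rsyslog.conf"
    if listener_enabled "$demo/rsyslog.conf"; then
        echo "listener directives active in $demo/rsyslog.conf"
    fi
    write_forwarder host1.ws.nsrc.org "$demo/00-remote.conf"
    echo "forwarder fragment:"; cat "$demo/00-remote.conf"
    rm -rf "$demo"
fi
```

After running enable_udp_listener on the real /etc/rsyslog.conf you still need the restart shown earlier for the change to take effect; listener_enabled only confirms the file contents, not that rsyslog is bound to the port (check that with ss -lun or netstat -lun). Newer rsyslog versions prefer the module(load="imudp") / input(type="imudp" port="514") syntax, but the legacy $ directives used in this exercise are still accepted.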
With additional configuration, it is possible to:
use swatch or tenshi to watch your logs and notify you of anomalies