Syslog-ng and Ubuntu Gutsy

I have run Kiwi Syslog Server on Windows for years; however, it is starting to show its age. I figure, why not move to an open platform that rocks! The great thing is that syslog-ng on Ubuntu is packaged as a drop-in replacement for sysklogd (the default logger daemon). The first thing we need to do is grab and install syslog-ng.

sudo apt-get install syslog-ng

Once this has completed, it's time to pop open its config file and make the changes needed to accept syslogs from remote systems.

sudo vi /etc/syslog-ng/syslog-ng.conf

Once in the file we need to add the following source. Keep in mind that the conf file is organized into sections, but you can add all of these entries at the bottom of the file.

source s_net { udp (); };

Now we need to add the following to do something with our new logs:

destination df_all_remote_syslogs { file("/var/log/remote_systems.log"); };
log { source( s_net ); destination( df_all_remote_syslogs ); };

Write the conf file to disk and restart syslog-ng:

sudo /etc/init.d/syslog-ng restart

The above entries will take all syslogs from remote systems and write them to the file /var/log/remote_systems.log. If, however, you want to keep things a bit more organized, you could do something like the following:

filter f_server_3 { host( "10.1.1.3" ); };
destination df_server_3 { file("/var/log/server_3.log"); };
log { source( s_net ); filter( f_server_3 ); destination( df_server_3 ); };

The above entries will take all syslogs from host 10.1.1.3 and write them to the file /var/log/server_3.log.

Lastly, if you're like me, you would like to receive emails at your local email server for certain syslog messages. To do this we need to use a combination of the items above and an external mailer application by the name of Mutt.

sudo apt-get install mutt

Get back into the syslog-ng.conf file and add the following:

# "and" binds tighter than "or" in syslog-ng filters, so the host() pair must be
# parenthesized; otherwise 10.1.1.3 matches on every facility and level.
filter f_windows_errors { ( host( "10.1.1.3" ) or host( "10.1.1.4" ) ) and facility(local0) and level(error); };
destination email_alert_script { program("/usr/local/bin/alert_mail.sh"); };
log { source( s_net ); filter( f_windows_errors ); destination( email_alert_script ); };

The above entries will look for local0.error messages received from either of the two IPs listed and hand them to the mailer script. Go ahead and write the syslog-ng.conf file to disk and restart the daemon. We now need to create the mailer script.

sudo vi /usr/local/bin/alert_mail.sh

This will be a new file; enter the following commands:

#!/bin/sh
# syslog-ng keeps this script running and feeds it one formatted log line per
# message on stdin; it sets no $host variable, so pull the host out of the
# line itself (default template "Mon DD HH:MM:SS host ..." puts it in field 4).
while read -r line; do
    host=$(echo "$line" | awk '{print $4}')
    echo "$line" | mutt -s "Syslog Alert $host" your_name@your_domain.com
done

Write that file to disk and mark it as being executable:

sudo chmod 744 /usr/local/bin/alert_mail.sh
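To confirm that the filter and the mailer actually fire, it helps to craft a message of exactly the kind f_windows_errors looks for. The script below is an added example and is not part of the original post: it computes the syslog PRI value (facility * 8 + severity, so local0.error is 131), assembles a BSD-style syslog line, and can send it to the collector over UDP/514. The collector address 10.1.1.1, the hostname server3 and the message text are constructed for illustration. Two things to keep in mind when you run it: syslog-ng's host() filter matches the HOST field it records for a message, which with a plain udp() source is taken from the sender's address (and resolved to a name if use_dns is left on), so send the test from one of the listed hosts or temporarily add your workstation's address to the filter; and since UDP syslog carries no authentication, a host() match is only as trustworthy as the source-address controls on your network.

```shell
#!/bin/sh
# Added example (not from the original post): build the kind of message the
# f_windows_errors filter is meant to catch (facility local0, severity error)
# and optionally send it to the collector over UDP/514 to confirm the alert
# script fires. Facility/severity numbers follow the BSD syslog (RFC 3164)
# convention: PRI = facility * 8 + severity. The server address, port and
# sample message below are assumptions for illustration.

# Map a facility name to its number (subset of the RFC 3164 table).
facility_num() {
    case "$1" in
        kern) echo 0 ;;    user) echo 1 ;;    mail) echo 2 ;;    daemon) echo 3 ;;
        auth) echo 4 ;;    syslog) echo 5 ;;  lpr) echo 6 ;;     news) echo 7 ;;
        local0) echo 16 ;; local1) echo 17 ;; local2) echo 18 ;; local3) echo 19 ;;
        local4) echo 20 ;; local5) echo 21 ;; local6) echo 22 ;; local7) echo 23 ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
}

# Map a severity name to its number; syslog-ng accepts both "err" and "error".
severity_num() {
    case "$1" in
        emerg|panic) echo 0 ;; alert) echo 1 ;;  crit) echo 2 ;; err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) echo "unknown severity: $1" >&2; return 1 ;;
    esac
}

# PRI value that goes inside the angle brackets at the start of the datagram.
syslog_pri() {
    f=$(facility_num "$1") || return 1
    s=$(severity_num "$2") || return 1
    echo $((f * 8 + s))
}

# Assemble "<PRI>TIMESTAMP HOSTNAME TAG: MSG".
# $1 facility, $2 severity, $3 timestamp, $4 hostname, $5 tag, $6 message
build_message() {
    pri=$(syslog_pri "$1" "$2") || return 1
    printf '<%s>%s %s %s: %s' "$pri" "$3" "$4" "$5" "$6"
}

# Send one datagram using bash's /dev/udp pseudo-device (no netcat needed).
# $1 server, $2 port, $3 message
send_udp_syslog() {
    bash -c 'printf "%s" "$3" > "/dev/udp/$1/$2"' _ "$1" "$2" "$3"
}

# A constructed message that should match f_windows_errors when it arrives
# from one of the listed hosts, and one (local0.info) that should not.
now=$(date '+%b %e %H:%M:%S')
match=$(build_message local0 error "$now" server3 diskmon 'RAID degraded')
nomatch=$(build_message local0 info "$now" server3 diskmon 'backup finished')
echo "should alert:     $match"
echo "should not alert: $nomatch"

# Uncomment to actually send to the collector (assumed address 10.1.1.1):
# send_udp_syslog 10.1.1.1 514 "$match"
```

If the message lands in /var/log/remote_systems.log but no mail arrives, the usual culprits are the host() filter matching a resolved name rather than the IP, or mutt on the collector not being able to reach your mail server; run alert_mail.sh by hand with a pasted log line to separate the two.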

Lastly, because these logs will grow in size, it would be nice to rotate and compress them on a schedule.

sudo vi /etc/logrotate.d/syslog-ng

Add an entry like this for each log file you wish to rotate:

/var/log/windows_systems.log {
    rotate 4
    weekly
    missingok
    notifempty
    compress
    # syslog-ng keeps writing to the old inode until it is told to reopen its
    # files, so delay compression one cycle and reload the daemon after rotating.
    delaycompress
    postrotate
        /etc/init.d/syslog-ng reload > /dev/null
    endscript
}

That's about it; now just configure all of your systems to syslog to your new syslog-ng server and enjoy!
