Syslog Overview
by zenoss, last modified 2007-10-26 22:34
Syslog is a UDP-based protocol that allows Unix systems to send log
messages over the network to centralized log servers. There are
several log server implementations in use on Unix and Linux systems;
this document describes some of the servers we have encountered and
how to set them up to work with Zenoss.
The most common syslog server on Linux is named "sysklogd". It is
installed by default on Fedora Core, RHEL, CentOS, Debian, and Ubuntu.
To set up sysklogd to forward log messages to a remote host you need
to pass the "-r" argument to sysklogd. The "-h" argument instructs
sysklogd to forward log messages it receives from remote hosts. If you
already have a centralized logger running sysklogd, you have already
passed the -r argument; to start forwarding those messages to Zenoss,
make sure you also pass the "-h" argument. You will also need to
append the following line to your syslog.conf file:
    *.* @zenossserver.yourdomain.com
Another common syslog server found on Linux is syslog-ng. It is
typically installed as an add-on package that replaces sysklogd.
It has a configuration file that is easier to manage than sysklogd's,
and it is much more extensible. When you run syslog-ng you do not need
to pass any additional command-line arguments for it to listen on a
network port. Instead, add the following configuration to
syslog-ng.conf:
options {
    long_hostnames(off);
    sync(0);
    use_dns(yes);
    use_fqdn(no);
    create_dirs(yes);
    keep_hostname(yes);   # keep the originating host name when relaying
};

# read local messages from /dev/log, and remote messages from 0.0.0.0:514
# Use the following line if FreeBSD:
source src { unix-dgram("/var/run/log"); internal(); };

# If Linux, use the following. Remote messages are read by the "net"
# source below, so udp() is not repeated here: two udp() sources cannot
# both bind port 514.
source src {
    internal();
    unix-stream("/dev/log" keep-alive(yes) max-connections(100));
    pipe("/proc/kmsg");
};

# Same for either OS: listen on UDP port 514 for messages from the network
source net { udp(); };

# send the logs to zenoss:1514 so that zenoss can hear them
destination zenoss {
    udp("zenossserver.yourdomain.com" port(1514));
};

# forward local log messages as well as log messages we receive from the
# network to the zenoss server for processing
log { source(src); destination(zenoss); };
log { source(net); destination(zenoss); };
If you already have a syslog server running on your Zenoss server you
will need to either stop syslog from listening on port 514 for log
messages, or reconfigure zensyslog to listen on a different port
(1514 for example). The syslog daemon and zensyslog cannot both be
listening on port 514 for log messages from the network.
The easiest thing to do is to shut down your syslog server and allow
zensyslog to listen on port 514. zensyslog can be configured to
produce a logfile with output similar to what syslog-ng or sysklogd
produce in /var/log, which allows you to continue using the
filesystem to view logs.
Lastly, you must pass "--parsehost" as a command-line option when you
start zensyslog if you are employing a relayed logging infrastructure.
For example, if you have hosts A, B, C, and D logging to LogServerA
and you update LogServerA to forward its log messages to the Zenoss
server, you MUST USE the "--parsehost" option. Additionally, we have
found that sysklogd does not support this model because it does not
properly forward the originator's address when it relays the message.
As a result, log messages from A, B, C, and D will appear to originate
from LogServerA (rather than from A, B, C, and D). syslog-ng does not
have this deficiency.
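As an added illustration of the relay scenario above (example code, not part of Zenoss or of this document): the parser below reads BSD syslog (RFC 3164) lines as they would arrive from a relay and attributes each event either to the UDP sender or, in a "--parsehost" style mode, to the hostname carried inside the message. The relay address 10.0.0.5 and the sample messages are constructed for the example.

```python
import re

# Constructed sample datagrams as they would arrive at zensyslog from the
# relay LogServerA (10.0.0.5 is a made-up address). The hostnames inside
# the messages are the originators A, B, C, and D.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", "<34>Oct 26 22:34:01 hostA sshd[1234]: Accepted publickey for admin"),
    ("10.0.0.5", "<13>Oct 26 22:34:02 hostB cron[99]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("10.0.0.5", "<13>Oct 26 22:34:03 hostC su: pam_unix(su:session): session opened"),
    ("10.0.0.5", "<163>Oct 26 22:34:04 hostD kernel: Oops: 0000 [#1] SMP"),
]

# BSD syslog (RFC 3164) line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def parse_event(source_ip, line, parsehost=False):
    """Turn one datagram into an event dict.
    parsehost=False files the event under the UDP sender (the relay);
    parsehost=True files it under the hostname carried in the message.
    """
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not a BSD syslog line: %r" % line)
    # PRI = facility * 8 + severity
    facility, severity = divmod(int(m.group("pri")), 8)
    return {
        "device": m.group("host") if parsehost else source_ip,
        "relay": source_ip,  # kept so a bogus in-message hostname stays traceable
        "facility": facility,
        "severity": severity,
        "timestamp": m.group("timestamp"),
        "message": m.group("msg"),
    }


def originating_devices(datagrams, parsehost=False):
    """Set of device names the datagrams would be filed under."""
    return {parse_event(ip, line, parsehost)["device"] for ip, line in datagrams}


if __name__ == "__main__":
    print("without --parsehost:", originating_devices(SAMPLE_DATAGRAMS))
    print("with    --parsehost:", originating_devices(SAMPLE_DATAGRAMS, parsehost=True))
```

Without parsing the host, every event collapses onto the relay's address, which is exactly the symptom described for sysklogd relays; the relay address is still recorded so a message claiming a false hostname can be traced back to the sender.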
The attached document illustrates using Zenoss as the central logging
hub with other centralized loghosts forwarding their messages.