Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: bloxguy on September 19, 2014, 06:49:16 PM
-
How do I take all of the information that is being written to /var/logs and send it to an upstream SYSLOG collector over port 514?
I would prefer not to have to install an agent (SPLUNK, LOGRHYTHM) to do this.
SYSLOG forwarding is a normal function of *NIX; just need to understand how to enable this on SME.
Any/All help is appreciated. Thanks!
-
See here:
http://forums.contribs.org/index.php/topic,36737.msg163675.html#msg163675
-
Following the directions in the link... not sure if this was tested, but it doesn't work.
I've tested with the 00filenames as suggested and replaced with both IP and IP:PORT,
and the system is not relaying any information to the upstream SYSLOG server.
Moreover, this tip was for SME 7.x,
and I tested with Wireshark, and there is no traffic coming from the SME over SYSLOG/514.
-
I'm sure somebody will pick up on this within the next 24 hours. Hang in there...
-
Following the directions in the link... not sure if this was tested, but it doesn't work.
I've tested with the 00filenames as suggested and replaced with both IP and IP:PORT,
and the system is not relaying any information to the upstream SYSLOG server.
Moreover, this tip was for SME 7.x,
and I tested with Wireshark, and there is no traffic coming from the SME over SYSLOG/514.
The link was a starting point...
Create the custom template directory:
mkdir -p /etc/e-smith/templates-custom/etc/syslog.conf
In testing I want the following to go to a remote server: auth, authpriv, daemon, kern, syslog.
Copy:
/etc/e-smith/templates/etc/syslog.conf/auth
/etc/e-smith/templates/etc/syslog.conf/authpriv
/etc/e-smith/templates/etc/syslog.conf/daemon
/etc/e-smith/templates/etc/syslog.conf/kern
/etc/e-smith/templates/etc/syslog.conf/syslog
to /etc/e-smith/templates-custom/syslog.conf
Modify the fragments to look like:
authpriv.* @192.168.1.170
Expand template
expand-template /etc/syslog.conf
Restart syslog
service syslog condrestart
Restart syslog on the remote machine as well
I now have logging details from the main server (192.168.1.1) going to the test server (192.168.1.170):
Sep 20 11:11:17 proxmoxsme kernel: Symbols match kernel version 2.6.18.
Sep 20 11:11:17 proxmoxsme kernel: No module symbols loaded - kernel modules not enabled.
Sep 20 11:11:32 192.168.1.1 exiting on signal 15
Sep 20 11:11:32 192.168.1.1 syslogd 1.4.1: restart.
Sep 20 11:11:32 192.168.1.1 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Sep 20 11:11:32 192.168.1.1 kernel: Inspecting /boot/System.map-2.6.18-371.12.1.el5
Sep 20 11:11:32 192.168.1.1 kernel: Loaded 30910 symbols from /boot/System.map-2.6.18-371.12.1.el5.
Sep 20 11:11:32 192.168.1.1 kernel: Symbols match kernel version 2.6.18.
Sep 20 11:11:32 192.168.1.1 kernel: No module symbols loaded - kernel modules not enabled.
Sep 20 11:12:00 192.168.1.1 mountd[26965]: Caught signal 15, un-registering and exiting.
Sep 20 11:12:00 192.168.1.1 kernel: nfsd: last server has exited
Sep 20 11:12:00 192.168.1.1 kernel: nfsd: unexporting all filesystems
Sep 20 11:12:01 192.168.1.1 kernel: NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
Sep 20 11:12:01 192.168.1.1 kernel: NFSD: starting 90-second grace period
Sep 20 11:12:01 192.168.1.1 pptpd[27737]: MGR: Maximum of 100 connections reduced to 5, not enough IP addresses given
Sep 20 11:12:01 192.168.1.1 pptpd[27737]: MGR: Manager process started
Sep 20 11:12:01 192.168.1.1 pptpd[27737]: MGR: Maximum of 5 connections available
Sep 20 11:12:01 192.168.1.1 dhcpd: Internet Systems Consortium DHCP Server V3.0.5-RedHat
Sep 20 11:12:01 192.168.1.1 dhcpd: Copyright 2004-2006 Internet Systems Consortium.
Sep 20 11:12:01 192.168.1.1 dhcpd: All rights reserved.
Sep 20 11:12:01 192.168.1.1 dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Sep 20 11:12:01 192.168.1.1 dhcpd: Wrote 0 deleted host decls to leases file.
Sep 20 11:12:01 192.168.1.1 dhcpd: Wrote 0 new dynamic host decls to leases file.
Sep 20 11:12:01 192.168.1.1 dhcpd: Wrote 55 leases to leases file.
Sep 20 11:12:02 192.168.1.1 dhcpd: Listening on LPF/eth0/a0:b3:cc:e1:81:00/192.168.1/24
Sep 20 11:12:02 192.168.1.1 dhcpd: Sending on LPF/eth0/a0:b3:cc:e1:81:00/192.168.1/24
Sep 20 11:12:02 192.168.1.1 dhcpd: Sending on Socket/fallback/fallback-net
Sep 20 11:12:15 192.168.1.1 mountd[27722]: Caught signal 15, un-registering and exiting.
Sep 20 11:12:15 192.168.1.1 kernel: nfsd: last server has exited
Sep 20 11:12:15 192.168.1.1 kernel: nfsd: unexporting all filesystems
Sep 20 11:12:15 192.168.1.1 kernel: NFSD: Using /var/lib/nfs/v4recovery as the NFSv4 state recovery directory
Sep 20 11:12:15 192.168.1.1 kernel: NFSD: starting 90-second grace period
Sep 20 11:12:15 192.168.1.1 pptpd[28042]: MGR: Maximum of 100 connections reduced to 5, not enough IP addresses given
Sep 20 11:12:15 192.168.1.1 pptpd[28042]: MGR: Manager process started
Sep 20 11:12:15 192.168.1.1 pptpd[28042]: MGR: Maximum of 5 connections available
Sep 20 11:12:16 192.168.1.1 dhcpd: Internet Systems Consortium DHCP Server V3.0.5-RedHat
Sep 20 11:12:16 192.168.1.1 dhcpd: Copyright 2004-2006 Internet Systems Consortium.
Sep 20 11:12:16 192.168.1.1 dhcpd: All rights reserved.
Sep 20 11:12:16 192.168.1.1 dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Sep 20 11:12:16 192.168.1.1 dhcpd: Wrote 0 deleted host decls to leases file.
Sep 20 11:12:16 192.168.1.1 dhcpd: Wrote 0 new dynamic host decls to leases file.
Sep 20 11:12:16 192.168.1.1 dhcpd: Wrote 55 leases to leases file.
Sep 20 11:12:16 192.168.1.1 dhcpd: Listening on LPF/eth0/a0:b3:cc:e1:81:00/192.168.1/24
Sep 20 11:12:16 192.168.1.1 dhcpd: Sending on LPF/eth0/a0:b3:cc:e1:81:00/192.168.1/24
Sep 20 11:12:16 192.168.1.1 dhcpd: Sending on Socket/fallback/fallback-net
To undo, remove the custom templates and restart syslog.
Note: on the test server I opened UDP and TCP port 514, and forwarded incoming from 192.168.1.1 to localhost on the test server;
I also created a custom template on the test server:
mkdir -p /etc/e-smith/templates-custom/etc/sysconfig/syslog
with fragment:
10NoMARKs
containing:
cat /etc/e-smith/templates-custom/etc/sysconfig/syslog/10NoMARKs
# we don't want the MARK ticks
SYSLOGD_OPTIONS="-r -m 0"
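As an added example (not code from the thread or from SME Server itself), the POSIX shell functions below build the custom-template fragments the post describes for a list of facilities, keep each stock fragment's local destination alongside the new @collector line so nothing stops being logged locally, render the fragments the way expand-template concatenates them (simplified: a custom fragment replaces the stock one of the same name, then name order), and check the rendered syslog.conf before `service syslog condrestart`. ROOT, the function names and the simplified render are assumptions; the real expand-template also evaluates Perl inside fragments, which this stand-in ignores.

```shell
#!/bin/sh
# Added example, not code from the thread or from SME Server.
# ROOT is a scratch prefix so the functions can be exercised without root;
# on a real SME 8 box ROOT=/ puts the fragments under
# /etc/e-smith/templates-custom/etc/syslog.conf as the post describes.

# write_forward_fragments ROOT COLLECTOR FACILITY...
# Copies the stock fragment (if any) so the local log file is kept, then
# appends the forwarding line "facility.* @collector" used in the thread.
write_forward_fragments() {
  root="$1"; collector="$2"; shift 2
  stock="$root/etc/e-smith/templates/etc/syslog.conf"
  custom="$root/etc/e-smith/templates-custom/etc/syslog.conf"
  mkdir -p "$custom"
  for fac in "$@"; do
    if [ -f "$stock/$fac" ]; then cat "$stock/$fac"; fi > "$custom/$fac"
    printf '%s.*\t@%s\n' "$fac" "$collector" >> "$custom/$fac"
  done
}

# write_receiver_fragment ROOT: the collector-side 10NoMARKs fragment from
# the thread (-r accepts remote messages, -m 0 suppresses MARK lines).
write_receiver_fragment() {
  dir="$1/etc/e-smith/templates-custom/etc/sysconfig/syslog"
  mkdir -p "$dir"
  printf '# we don'\''t want the MARK ticks\nSYSLOGD_OPTIONS="-r -m 0"\n' > "$dir/10NoMARKs"
}

# render_syslog_conf ROOT OUT: simplified stand-in for expand-template.
# A custom fragment replaces the stock fragment of the same name; all
# fragments are then concatenated in name order into OUT.
render_syslog_conf() {
  root="$1"; out="$2"
  stock="$root/etc/e-smith/templates/etc/syslog.conf"
  custom="$root/etc/e-smith/templates-custom/etc/syslog.conf"
  for name in $( { ls "$stock"; ls "$custom"; } 2>/dev/null | sort -u ); do
    if [ -f "$custom/$name" ]; then cat "$custom/$name"; else cat "$stock/$name"; fi
  done > "$out"
}

# check_forwarding CONF COLLECTOR FACILITY...: succeeds only if CONF holds a
# "facility.* @collector" line for every facility. Run it on the rendered
# file before restarting syslog so a missing or mistyped rule is caught first.
check_forwarding() {
  conf="$1"; esc=$(printf '%s' "$2" | sed 's/\./\\./g'); shift 2
  for fac in "$@"; do
    grep -Eq "^${fac}\.\*[[:space:]]+@${esc}\$" "$conf" || return 1
  done
}
```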
-
The link was a starting point...
Added to the wiki http://wiki.contribs.org/SYSLOG_Forwarding
@warren, thanks. Would you be able to check/verify the wiki content please?
TIA
guest
-
Someone to try for SME 9?
@hwang you battle me for the wiki editing :)
-
Added to the wiki http://wiki.contribs.org/SYSLOG_Forwarding
@warren, thanks. Would you be able to check/verify the wiki content please?
TIA
guest
May need to clarify this: (add expanding of /etc/sysconfig/syslog)
The new templates need to be expanded by:
expand-template /etc/syslog.conf
expand-template /etc/sysconfig/syslog
-
May need to clarify this: (add expanding of /etc/sysconfig/syslog)
Done, thanks.
-
Done, thanks.
@hwang
Thank you for adding this to the wiki/docs. All of us benefit from this :)