Logging to a remote Linux syslog server

If you have ever experienced the frustration of not being able to read your log files, whether because the hard drives have crashed, the OS will not boot, or the machine has been compromised, you may benefit from logging to a remote server.

To set up remote logging, you must make a single modification on the server. I’m writing about RHEL 5; if you are using Debian, Ubuntu, CentOS, or some other distribution, you may need to look up the equivalent file locations for that distribution before continuing.

To begin, edit /etc/sysconfig/syslog on the server and change this line from:

SYSLOGD_OPTIONS="-m 0"

to:

SYSLOGD_OPTIONS="-x -r -m 0"

-x disables reverse DNS lookups on the addresses of sending hosts, saving bandwidth, configuration hassles, and time

-r enables syslogd to receive log messages from other hosts over the network

On each client machine, edit /etc/syslog.conf and modify the last line to read something like:

*.info;mail.none        @syslog.example.com

syslog.example.com is the hostname or IP address of your remote logging server.
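Syslogd reads a selector list left to right, and each selector overwrites the priority mask of the facilities it names, which is why *.info;mail.none drops mail but mail.none;*.info does not. The following Python is an added example, not code from the post, that models that rule for the common subset of the syntax (facility lists, priority-and-above, =priority, none; no ! negation) so a client line can be checked before it is deployed:

```python
# Evaluate sysklogd-style selectors the way syslogd applies them: selectors in
# a "sel1;sel2;..." list are processed left to right, and each one overwrites
# the priority mask of every facility it names. Constructed example.

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]

def _mask(priority_spec):
    """Return the set of priorities a single priority spec matches."""
    if priority_spec == "none":
        return set()                              # drop this facility entirely
    if priority_spec.startswith("="):
        return {priority_spec[1:]}                # exactly this priority
    if priority_spec == "*":
        return set(PRIORITIES)
    level = PRIORITIES.index(priority_spec)       # this priority and above
    return set(PRIORITIES[level:])

def build_rule(selector_list):
    """Map every facility to the priorities a selector list forwards."""
    rule = {f: set() for f in FACILITIES}
    for selector in selector_list.split(";"):
        facs, prio = selector.strip().rsplit(".", 1)
        targets = FACILITIES if facs == "*" else facs.split(",")
        for fac in targets:
            rule[fac] = _mask(prio)               # later selectors overwrite earlier ones
    return rule

def forwards(selector_list, facility, priority):
    """True if a message of (facility, priority) matches the selector list."""
    return priority in build_rule(selector_list)[facility]
```

Checking both orderings for a mail.err message shows the difference: forwards("*.info;mail.none", "mail", "err") is False, while forwards("mail.none;*.info", "mail", "err") is True.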

Restart the syslog daemon on both the server and the client. From the client machine, run a test similar to:

logger test 1 from client1.example.com

And on the server run:

tail /var/log/messages

Thanks to "Enable remote logging with syslog"
