Logging remote host to specific logfile with syslog-ng

News

Reviews

Forums

Post apocalyptic list

Misc

Visit our friends at:

Join QE!

Writers needed:
~~Los Angeles~~
Spain
Netherlands
Berlin
Belgium

Latest Reviews

Latest Forum Posts

PA News

Older News

Logging remote host to specific logfile with syslog-ng

15 comments
Email this

Posted on Wednesday, September 27th, 2006 18:22:24 GMT by: quietearth
Posted under: ubuntu syslog syslog-ng logging

I wanted to log messages from my openwrt router to a specific log file based on it's host/ip but unfortunately the regular syslog daemon will not allow this. So since I'm using ubuntu (edgy) I can easily install syslog-ng which is a pre-configured replacement for syslog/klog. First off install it, and it will remove the packages klogd, sysklogd, and ubuntu-minimal.
# apt-get install syslog-ng

Now we need to modify the configuration, edit /etc/syslog-ng/syslog-ng.conf, and first we need to add udp listening to accept remote syslogs. We could do this under the s_all source, but we need to define a different source so our remote hosts logs do not get mixed in with our regular ones. Place this after source s_all is finished.
source s_net { udp (); };

Now further down where logging starts, we need to first add a filter for our openwrt host and I will use it's ip to do this. Then we add a log file destination for that specific host. And after that we put in the log definition with our newly created source, our host filter, and our file destination.

filter f_openwrt { host( "192.168.1.1" ); };

destination df_openwrt { file("/var/log/openwrt.log"); };

log { source ( s_net ); filter( f_openwrt ); destination ( df_openwrt ); };

Go ahead and restart syslog-ng now:
# /etc/init.d/syslog-ng restart

Since we added a new logfile, we need to modify /etc/logrotate.d/syslog-ng. This will make sure our new logfile gets rolled. This entry has to go in before the last one which restarts the syslog-ng daemon. Here's what I put in:

/var/log/openwrt.log {

   rotate 7

   weekly

   missingok

   notifempty

   compress

}

Tested under Ubuntu edgy.

RSS Feed for comments

Comments

'apt-get install syslog-ng' on edgy does not work for me.. i get ... "Package syslog-ng is not available, but is referred to by another package." etc.

any ideas.. or what's the trick?

Posted by: Andy | November 16, 2006 12:05:10 pm | permalink

Make sure you have all of the repositories turned on, you can do this under Settings->Repositories in Synaptic. It's in one of the "universe" repositories.
I just tried this on a fresh edgy system with all repo's turned on and it works fine..

Posted by: quietearth | November 16, 2006 01:37:29 pm | permalink

Yup.. that fixed it. Now I can't get syslog to actually log anything from a remote host. The testing continues.

Posted by: Andy | November 21, 2006 03:41:05 pm | permalink

Are you sure you added the source s_net { udp(); }; line?

On the remote host you should be adding something like this in the /etc/syslog.conf:
*.* @hostname

where hostname is something valid, or you can just put an ip.

Posted by: quietearth | November 21, 2006 03:55:16 pm | permalink

You may also want to check to see if you have iptables running. If so, you need to a rule to allow udp 514.

"-A INPUT -m state --state NEW -p udp --dport 514 -j ACCEPT"

Posted by: claudijd | January 24, 2007 06:59:38 pm | permalink

Thank you very much for the terrific HowTo! I used your guide to configure my home system to log all of my VoIP gateway's SIP traffic, and it works perfectly. I appreciate the time you spent to write this up!

Posted by: MarkF | September 21, 2007 11:17:27 am | permalink

Very nice, see also: appreciated.

Posted by: Captain Pleased | April 28, 2008 07:34:39 pm | permalink

Thanks allot, I used my own filter to log cisco devices that log to local7 (default for cisco) to cisco.log

#Cisco Device Logs
filter local7 { facility( local7 ); };
destination cisco { file("/var/log/cisco.log"); };
log { source ( s_net ); filter( local7 ); destination ( cisco ); };

Posted by: Anonymous | March 12, 2009 12:58:18 pm | permalink

Great, concise tutorial on getting syslog-ng up and running. This is much easier than configuring syslogd.

Posted by: JR | July 30, 2009 09:20:35 am | permalink

Wow, amazing simple tutorial! I used my script to log some output of my firewall to Ubuntu. Sweet!

http://www.chiefs.at

Posted by: Chiefs Hockey | December 17, 2009 11:50:40 am | permalink

really useful - thanks.

Posted by: Anonymous | February 28, 2010 09:11:39 am | permalink

Great HOWTO!
For those who has problems with filtering by host...
AFAIK host() requires regexp that's why it didn't work for me (ubuntu 9.04; syslog-ng 2.0.9) - you have to change host filter to:
filter f_openwrt { host( "192.168.1.1" ); };
Good luck!

Posted by: cooba | March 10, 2010 08:32:41 am | permalink

OK - update to previous post...
You have to escape dots in IP address with backslash!!!
Apparently, this site does something strange with backslashes - that's why you can't see them in both original HOWTO and my post.
Still Great HOWTO!

Posted by: cooba_again | March 10, 2010 08:38:01 am | permalink

i had to use host("192.168.1.1$") why??

Posted by: Anonymous | April 13, 2010 05:14:25 pm | permalink

thx, just what i needed to get my dd-wrt device pushing logs to a central box.

Posted by: Anonymous | August 29, 2010 01:44:05 am | permalink

Name:	(default is Anonymous)
Contact:	(email or url, optional)
Comment:	(no html or bbcode)
Captcha:

News Reviews Forums Post apocalyptic list