How To Configure a Unix / Linux System To Log To eBuzzsaw

 

This document is divided into a short straightforward how to procedure, and a more detailed procedure for people curious about the specifics on how remote syslogging works or who have more complicated network configurations.

 

Quick Configuration Procedure

Configuring the /etc/syslog.conf file on each *nix system for remote logging...
    Edit /etc/syslog.conf and add the following line (make sure to use <tab> key to separate text in this file since this file only allows tab delimiters):

*.info                        @xxx.xxx.xxx.xxx

(Replace xxx.xxx.xxx.xxx with the IP address you've chosen for eBuzzsaw server.)
Click here to see a complete example of an /etc/syslog.conf file.)

Restart the syslog server so it reads the new syslog configuration file...
In order for the change in the syslog.conf file to take effect you will need to restart syslogd.  This can be accomplished by either rebooting the system, or finding the syslog startup script and stopping and starting it again.  The latter alternative in many *nix variants is accomplished by finding a file called something similar to "/etc/init.d/syslog" .  Change directory to where it's located and run the script as so:
    ./syslog stop       (This will kill the syslogd)
Now restart it by typing:
    ./syslog start       (When syslogd is started it will read the newly modified syslog.conf file and start remote logging to eBuzzsaw.)

Additional Note:  To fully utilize the benefit of a centralized log server like eBuzzsaw it is recommended that timestamp marking be turned on for each system forwarding logs.  To do so, please refer to the part below in the Detailed Configuration section titled: Configuring the syslog server to post timestamp "MARK" .

If your systems are already configured properly for your network, there should be no other steps necessary to start logging to eBuzzsaw.  Should there be any problems it is recommended you read through the more detailed procedure below for additional information.

 

 

More Detailed Configuration Procedure

Very Brief Overview
The syslog.conf file is the main configuration file for the syslog daemon (syslogd) which logs system messages on *nix systems.  This file controls where messages are logged.  For special features and full details see the syslog and syslogd man page for your system.  

Configuring syslog.conf File
In many *nix variants, the syslog.conf file is located in the /etc directory.  There may be many lines in the configuration file which are used for logging on the local system.  There may already be an entry for logging to remote host.  The entry may resemble the following line:

auth.*                        @hostname

or perhaps:

auth.*                        @xxx.xxx.xxx.xxx

Note: A hostname (fully qualified or not, is legitimate as well as using an IP address.)

In order to configure each system for remote logging to eBuzzsaw, edit /etc/syslog.conf and add the following line (make sure to use <tab> key to separate text in this file since this file only allows tab delimiters as white-space):

*.info                        @xxx.xxx.xxx.xxx

(Replace xxx.xxx.xxx.xxx with the IP address you've chosen for eBuzzsaw server.)
We are using the second to the highest level (info) for verbosity of logging information.  This is recommended as an industry standard system administration and security practice.
Click here to see a complete example of an /etc/syslog.conf file.)

Another alternative in very large networks with internal DNS, may be to add a DNS record for loghost and replace the IP address above with "@loghost".  In order for this to work you will need to modify your /etc/nsswitch.conf file line entry for hosts as follows:

hosts:        files dns

(Click here to see a complete example of an /etc/nsswitch.conf file.)

Note: This line above is priority dependent.  The example above is configured to have your system look up host address information from local system files (/etc/hosts) before trying to resolve it via DNS.  Because of this, you will also have to modify your /etc/hosts file so it no longer has the "loghost" alias listed; otherwise, it will use the IP address listed for the loghost entry there.

A third scenario would be to configure your /etc/hosts file to have a line entry for "loghost" with the address of your eBuzzsaw server.  The line may look like this:

xxx.xxx.xxx.xxx        loghost

(With this configuration and the above line in your /etc/nsswitch.conf file, it will first look in your /etc/hosts file for the entry for "loghost" and resolve the IP address there before looking it up in DNS.)

Restart the syslog server so it reads the new syslog configuration file...
In order for the change in the syslog.conf file to take effect you will need to restart syslogd.  This can be accomplished by either rebooting the system or finding the syslog startup script, stopping and starting it again.  The latter in many *nix variants is accomplished by finding a file called something similar to "/etc/init.d/syslog" .  Change directory to where it's located and run the script as so:
    ./syslog stop       (This will kill the syslogd)
Now restart it by typing:
    ./syslog start       (When syslogd is started it will read the newly modified syslog.conf file and start remote logging to eBuzzsaw.)

Configuring the syslog server to post timestamp "MARK" (heartbeat)...
A nice feature provided by many standard syslog servers in UNIX and Linux is an option that logs a mark timestamp at regular intervals.  The usefulness is in the ability to track whether a system is up and accessible.  If the system no longer sends a heartbeat to eBuzzsaw then you'll have a record of what period it seemed to stop logging.  This advantage also can be utilized by eBuzzsaw to report to you all servers currently on-line.  The
default interval between two -- MARK -- lines is 20 minutes. This can be changed with the "-m" option.  Depending on the criticality of your systems' uptime you may want to set the timestamps to a more frequent interval.  

To change or add the timestamp mark to each one of your systems you will need to determine how each hosts' local syslog server is started and modify or add the "-m" option accordingly.  In many UNIX systems, syslogd is started as mentioned above in a file such as /etc/init.d/syslog.  In this file there will be a line such as this:

    /usr/sbin/syslogd;

Change the line so syslog will print a timestamp every 15 minutes:

    /usr/sbin/syslogd -m 15;

Later versions of Linux now may be using a syslog configuration file like /etc/sysconfig/syslog.  In this file there may already be an options line for syslogd.  If your syslogd startup script uses this file then you may add a line such as this:

    SYSLOGD_OPTIONS="-m 15"

Another alternative are startup scripts that define a syslogd_options variable which may look just like the "SYSLOGD_OPTIONS" line above.  Simply add the "-m xx" value.  Be sure you stop and start the syslog daemon after you add/change the timestamp option in order to activate it!

 

 

APPENDIX
-----------------------------------------------------------------------------------------------------------------------------

Example /etc/syslog.conf File

----------------Beginning of /etc/syslog.conf File---------------------------
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                                                         /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                                       /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                                                                     /var/log/secure

# Log all the mail messages in one place.
mail.*                                                                                          /var/log/maillog


# Log cron stuff
cron.*                                                                                         /var/log/cron

# Everybody gets emergency messages
*.emerg                                                                                     *

# Save news errors of level critical and higher in a special file.
uucp,news.crit                                                                            /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                                                     /var/log/boot.log

# our eBuzzsaw Server.
*.info                                                                                        @209.29.32.182

----------------------End of /etc/syslog.conf File-----------------------------

 

 

Example /etc/nsswitch.conf File

----------------Beginning of /etc/nsswitch.conf File---------------------------

# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
#
# Example:
#passwd: files nisplus nis
#shadow: files nisplus nis
#group: files nisplus nis

passwd: files nisplus
shadow: files nisplus
group: files nisplus

hosts: files dns nisplus

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files nisplus
rpc: files
services: files nisplus

netgroup: files nisplus

publickey: nisplus

automount: files nisplus
aliases: files nisplus

----------------------End of /etc/nsswitch.conf File-----------------------------

 

 

-----------------------------------------------------------------------------------------------------------------------------
2001 - 2002 Sentry+ inc. All rights reserved.                                           v1.0