Refer to the following (implemented on SLES)

By default SLES 9 uses syslogd, not Syslog-NG. The first step
required in building a loghost on SLES 9 is to enable Syslog-NG. To do
this, you must first stop syslogd by running /etc/init.d/syslogd stop
in a terminal. Next, enable syslog-NG by editing the file
/etc/sysconfig/syslog. Find this line:

SYSLOG_DAEMON="syslogd"
and replace it with this:
SYSLOG_DAEMON="syslog-ng"
Save the file and run SuSEconfig --module syslog-ng to update the system's 
syslog configuration.


Configuring Loghost to Receive Log Messages

By default Syslog-NG is configured only to log messages from the
host it is running on. If you want a centralized loghost, you must
enable Syslog-NG to receive log messages from over the network. In this
article, we will leave the existing configuration of Syslog-NG in
place, so what we are doing won't change the logging that is already
setup on the host. However, we will add the ability to log hosts over
the network, so additional logging will come in from other hosts.

To enable Syslog-NG to receive syslog messages from network devices, you have 
to edit /etc/syslog-ng/syslog-ng.in
and add some settings. The file is divided into sections called source,
destination, filter and log. On a standard SLES 9 installation, there
are some lines in the source section of that file that look like this:

#
# uncomment to process log messages from network:
#
# udp(port(514));

To enable network access to the server, assuming your loghost is located at 
192.168.1.42, change these lines to look like this:

#
# uncomment to process log messages from network:
#
udp(port(514));
tcp(ip("192.168.1.42") port(5140) keep-alive(yes));

Notice that the pound sign in front of the UDP line has been removed, and the 
tcp line has been added.
Next, a destination must be defined for network log messages, and a
log statement must be included to tell Syslog-NG how to use the
destination. Go to the bottom of the file, add a new line, and then add
the following lines.

# this is for separating out network hosts into individual log files.
destination std {
        file ("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
                owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
        );
};
log {
        source(src);
        destination(std);
};

This sample configuration will save log messages from each host in a separate 
directory called /var/log/HOSTS/YEAR-MONTH/hostname/.
The messages will be split into logfiles based on the facility. The
standard facilities are auth, authpriv (for security information of a
sensitive nature), cron, daemon, ftp, kern, lpr, mail, news, security
(deprecated synonym for auth), syslog, user, uucp, and local0 to local7
(from the logger man page).

Once the lines have been added, save the file and then run
SuSEconfig --module syslog-ng again to make the configuration changes
take effect. Then, run /etc/init.d/syslogd start to start Syslog-NG.
The loghost is now ready to accept log messages from the network.

Configuring Logging to the Loghost from Network Servers

Now that the loghost is ready to receive log messages from hosts on
the network, you have to configure your hosts to send messages to it.
If the hosts are based on SLES 9 or OES Linux, you have to follow the
steps outlined above to enable Syslog-NG by editing /etc/sysconfig/syslog and 
then running SuSEconfig. Don't forget to stop syslogd first by running 
/etc/init.d/syslogd stop.
Then, you have to edit /etc/syslog-ng/syslog-ng.conf.in to tell the host to 
send messages to the syslog server. Open the /etc/syslog-ng/syslog-ng.conf.in
file and go to the bottom of the file. Assuming your loghost is located
at the ip address 192.168.1.42, add the following lines:

# send everything to log host
destination loghost {
    tcp("192.168.1.42" port(5140));
};
log {
    source(src);
    destination(loghost);
};

After making the changes, save the file and run SuSEconfig --module syslog-ng, 
and then restart syslogd by running /etc/init.d/syslogd start. Now your host 
should be configured to send all log messages to your log host.
You can test to see that it works by using the command-line utility
logger, which sends messages to the syslogd service. Logger is also a
great way to have your shell scripts or cron scripts send status
messages to the system log. To test to see if your server is configured
to send log messages to your loghost, run the following command.

logger -p user.warn this is a test logger message that should go to my loghost

Navigate the directories on your loghost to the /var/log/HOSTS/YEAR-MONTH/
directory. You should see a directory for your host. It will either be
a hostname or an IP address, depending upon whether reverse-lookup
works in your DNS environment. Inside that directory, you should find a
log file starting with user that contains your user.warn message.

More Documents
http://www.debianhelp.co.uk/syslog-ng.htm
http://sial.org/howto/logging/syslog-ng/


B.Sadhiq
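
Added example (not part of the original message or of syslog-ng): shell helpers for the loghost that compute where the "std" destination above should file a message, confirm the logger test arrived, and list anything under the tree that drifts from owner(root) group(root) perm(0600) dir_perm(0700). The function names, argument order and numeric uid/gid defaults are assumptions of this example.

```shell
#!/bin/sh
# Checks for the per-host layout created by the "std" destination:
#   /var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY
# Usage on the loghost (as root), after sending the logger test message:
#   check_delivery /var/log/HOSTS myhost user "$(date +%Y-%m-%d)" "test logger message"
#   audit_perms /var/log/HOSTS

# Print the file the template expands to.
# Args: root host facility date(YYYY-MM-DD)
expected_logfile() {
    el_root=$1 el_host=$2 el_fac=$3 el_date=$4
    el_ym=${el_date%-*}            # YYYY-MM-DD -> YYYY-MM
    printf '%s/%s/%s/%s-%s\n' "$el_root" "$el_ym" "$el_host" "$el_fac" "$el_date"
}

# Succeed only if the expected file exists and contains the marker text.
# Args: root host facility date marker
check_delivery() {
    cd_file=$(expected_logfile "$1" "$2" "$3" "$4")
    [ -f "$cd_file" ] && grep -qF -- "$5" "$cd_file"
}

# Print every path that is not a 0600 file / 0700 directory, or that is
# not owned by the expected uid/gid (defaults 0:0, i.e. root:root).
# Empty output means the tree matches the destination's settings.
# Args: root [uid] [gid]
audit_perms() {
    find "$1" \( \
            \( -type f ! -perm 0600 \) -o \
            \( -type d ! -perm 0700 \) -o \
            ! -user "${2:-0}" -o \
            ! -group "${3:-0}" \
        \) -print
}
```

If the host directory appears under an IP address instead of a name, pass that IP as the host argument to check_delivery.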


--- On Sun, 8/2/09, jack <[email protected]> wrote:
From: jack <[email protected]>
Subject: [Linux_Mantra] (unknown)
To: [email protected]
Date: Sunday, 8 February, 2009, 12:04 PM

I want to set up a remote syslog server in which all 20 Linux syslog logs would be collected.

The problem is that all the servers' syslog entries get collected in only one file, messages.

I want to set it in a way that all logs of the servers should be created by hostname.

Is there a way?


