How can I receive syslog logs from a networked system?


Solution 1

The host receiving the logs will need to be running some syslog daemon that is configured to listen for remote logs. There are a number of syslog implementations in Ubuntu, but rsyslog is typically recommended, and should be installed by default. I can't tell from the documentation in the link you posted if DD-WRT is sending logs via TCP or UDP, so it may require some experimentation to find precisely the correct settings, if you are concerned about reducing the number of network-accessible ports on your host.

There are two ways to enable this: the first is simpler, but may require re-integration when the system is upgraded. The second is slightly more complicated, and may cause confusing results if there are significant changes to the syslog configuration as part of an update. I would choose the second, but your preference may vary.

The first is to edit /etc/rsyslogd.conf, and remove the initial # from the following lines:

#$ModLoad imudp
#$UDPServerRun 514

or

#$ModLoad imtcp
#$InputTCPServerRun 514

The second is to create a new file, perhaps named local-enable-tcp.conf in /etc/rsyslog.d/, with the following contents:

# enable TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

If you want to use the separate file approach, and need UDP, change the contents to match the UDP stanza above. The specific filename is not important, but it is recommended to start it with "local-" as this namespace is reserved for local administrator configuration, and it must end with ".conf", as only files ending like this are automatically included in the rsyslog configuration.

If you would prefer to use another syslog implementation, check the configuration and documentation for that implementation: it is likely that the syslog daemon is configured not to listen on the network by default, but example configuration to enable this common case ought to be clearly documented.

Solution 2

Another option is to use syslog-ng: easy to use, and so far ready to go!

sudo apt-get install syslog-ng

After installing it, we have a conf file at /etc/syslog-ng/syslog-ng.conf. So, just edit this .conf with our parameters, but before that, make a backup of the default config file; it can be useful later if you want to tune some parameters.

sudo mv /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.bak

Now create new config file and edit it!

sudo touch /etc/syslog-ng/syslog-ng.conf
sudo nano /etc/syslog-ng/syslog-ng.conf

So, just paste this basic config to get working as well:

# Listening to incoming UDP Syslog connections
source mysource { udp(); };

# Add the syslog targets:
destination dest { file("/var/log/Cisco$YEAR$MONTH$R_DAY.log"); };
#destination dest_other_server { udp("1.2.3.4" port(514)); };

# Create the filters that will be used to determine what to do with the received syslog message
#filter filter { ( host("2.3.4.5") and level(notice) and match("username=.*@domain\.local" value("MESSAGE") flags("utf8" "ignore-case")) ); };
filter myfilter { ( level(notice) ); };

# And putting it all together:
log { source(mysource); filter(myfilter); destination(dest); };

Easy as you can see. Take care!
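Both answers configure a daemon to listen, but neither shows what actually arrives on the wire, and Solution 1 leaves open whether the router uses UDP or TCP. The receiver below is an added example, not code from either answer, from rsyslog or from syslog-ng: it binds a UDP socket the way the `udp();` source in Solution 2 does, decodes the `<PRI>` header of each BSD-syslog datagram into facility and severity (so you can see what `level(notice)` would match), drops datagrams from senders you have not allowlisted, and appends the rest to one file per sending host. The router address 192.168.1.1, the directory /var/log/remote and the sample datagrams in the test are assumptions and constructed values, not taken from the question.

```python
"""Minimal BSD-syslog (RFC 3164) UDP receiver for checking what a router sends.

Added example; assumes the sender's address and a writable log directory
are supplied by the operator (see the constants under __main__).
"""
import re
import socket
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Facility and severity names indexed by their numeric codes (RFC 3164 / 5424).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# A syslog datagram starts with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)\Z", re.DOTALL)


def parse_pri(datagram: bytes) -> Optional[tuple]:
    """Decode the <PRI> header; return (facility, severity, text) or None if malformed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        return None
    text = m.group(2).decode("utf-8", errors="replace").rstrip("\r\n")
    # Neutralise embedded line breaks so one datagram cannot forge extra log lines.
    text = text.replace("\r", "\\r").replace("\n", "\\n")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], text


def handle_datagram(data: bytes, sender_ip: str, allowed, min_severity: str = "debug",
                    logdir: Optional[str] = None) -> Optional[dict]:
    """Filter and record one datagram.

    Returns the parsed record, or None when the sender is not allowlisted, the
    header is malformed, or the message is less severe than min_severity
    (severity codes grow as messages become less important: emerg=0 ... debug=7).
    """
    if sender_ip not in allowed:
        return None
    parsed = parse_pri(data)
    if parsed is None:
        return None
    facility, severity, text = parsed
    if SEVERITIES.index(severity) > SEVERITIES.index(min_severity):
        return None
    record = {
        "sender": sender_ip,
        "facility": facility,
        "severity": severity,
        "message": text,
        "received": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    if logdir is not None:
        # One file per sending host, named by its address (IPv4 only here).
        path = Path(logdir) / f"{sender_ip}.log"
        with path.open("a", encoding="utf-8") as fh:
            fh.write(f"{record['received']} {facility}.{severity} {text}\n")
    return record


if __name__ == "__main__":
    ALLOWED = {"192.168.1.1"}      # assumption: the router's LAN address; replace with yours
    LOGDIR = "/var/log/remote"     # assumption: must exist and be writable by this user
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        # Port 514 needs root (or CAP_NET_BIND_SERVICE); the local syslog daemon
        # must not already be listening on it, or bind() fails.
        sock.bind(("0.0.0.0", 514))
        print("listening on udp/514; Ctrl-C to stop")
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            rec = handle_datagram(data, ip, ALLOWED, "debug", LOGDIR)
            if rec is None:
                print(f"dropped datagram from {ip}")
            else:
                print(f"{rec['sender']} {rec['facility']}.{rec['severity']}: {rec['message']}")
```

If nothing is printed after the router has been pointed at this host, the router is either not sending at all or is using TCP, which narrows the experimentation Solution 1 mentions. Keep in mind that a UDP source address is trivially forged, so the allowlist (like rsyslog's `$AllowedSender`) only keeps stray traffic out of your files; it does not authenticate the router, and anything in the message body should be treated as untrusted text by whatever reads the log later.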

Author: RusGraf

My goal here is usually to document.

Updated on September 18, 2022

Comments

  • RusGraf
    RusGraf over 1 year

    I'd like to configure Ubuntu to receive logs from a DD-WRT router. The router's configuration screen contains the following section:

    DD-WRT System Log

    and its logging documentation reads:

    If you wish to send logs to a remote system, enter the IP address of that machine which is also running a syslog utility (it needs an open network socket in order to accept logs being sent by the router).

    I've never (knowingly) used syslog before. What do I need to do in Ubuntu to allow it to receive these logs?

    • Admin
      Admin almost 11 years
      My Motorola Surfboard Extreme SBG901 seems to have similar settings to your DD-WRT. Just thought I'd add that keyword for others googling for this q/a.
  • enzotib
    enzotib almost 13 years
    Avoid posting the address of an old guide without even checking whether its instructions are still valid. The files named in the guide do not exist anymore. Ubuntu uses rsyslog.
  • enzotib
    enzotib almost 13 years
    It should be a good idea to start the name of the file with a two-digit number, to establish the order with respect to other existing .conf files.
  • Emmet Hikory
    Emmet Hikory almost 13 years
    Heh, well that can be complicated. There's no reason a package name can't start with a two digit number, and .d/${package}-.conf are all reserved to the packages (although one is unlikely to have conflict for e.g. 72-local-myconf.conf). Secondly, it's important to try to write configuration files such that the order isn't critical. For example, a configuration file provided by 0access.conf from the hypothetical "0access" package would be applied before most configuration files starting with a two digit number.
  • hobs
    hobs almost 11 years
    Also may need to change the ownership of your log file: sudo chown syslog:adm /var/log/syslog or whatever you've named your log file.
  • ghoti
    ghoti over 10 years
    @enzotib - While I agree that it lacks quality and that links should be avoided, it turns out that this answer provided exactly what I needed to achieve the same task on an Ubuntu 8.04 server. There are three answers here, all for three different variations of syslog that are still being used in production systems. This answer was useful. It gets a +1 from me.
  • Dessa Simpson
    Dessa Simpson over 7 years
    That is true but this is basically a link only answer.