syslog-ng.conf listen for remote servers
Okay, in my version of syslog-ng 3.5.6-2 (from the standard Debian Jessie vanilla package), you have to do a couple of things. First, leave this uncommented:
source s_src {
    system();
    internal();
};
Then change the s_net line to read:
source s_net { tcp(ip(0.0.0.0) port(514) max-connections(5000)); udp(); };
Now you have to modify a line to put remote host syslog logs in a certain place delineated by hostname so you can figure out which host syslog is which like:
destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };
Or if you want them all in the same file to analyze a single file just do:
destination d_syslog { file("/var/log/remotelogs/syslog"); };
Then put it all together like:
#log { source(s_src); filter(f_syslog3); destination(d_syslog); };
log { source(s_net); filter(f_syslog3); destination(d_syslog); };
Note the log entry for syslog now references s_net as a source, rather than s_src. Now you can restart syslog-ng and see if it's listening like:
/etc/init.d/syslog-ng restart
netstat -plunt | grep syslog-ng
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 26853/syslog-ng
udp 0 0 0.0.0.0:514 0.0.0.0:* 26853/syslog-n
batflaps
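As an added example (not part of the original post), the listener check and a test message in Python: it parses the `netstat -plunt` output shape quoted above, reproduces the f_syslog3 filter so you only test with messages that can actually reach d_syslog, and sends one RFC 3164 line to the new s_net source the way a remote host would. The page does not show f_debug, so it is assumed to be the Debian default (`level(debug) and not facility(auth, authpriv, news, mail)`); the host name web01 and tag relaytest are constructed.

```python
import re
import socket
import time
# RFC 3164 codes; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "news": 7, "authpriv": 10, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# Constructed sample: the `netstat -plunt | grep syslog-ng` output quoted in the answer.
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 26853/syslog-ng
udp 0 0 0.0.0.0:514 0.0.0.0:* 26853/syslog-n
"""

def listening_sockets(netstat_output):
    """Return {(proto, addr, port)} for syslog-ng sockets in `netstat -plunt` output."""
    # netstat truncates the program name, so match the 'syslog-n' prefix only
    pat = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?\d+/syslog-n")
    return {(m.group(1), m.group(2), int(m.group(3)))
            for m in map(pat.match, netstat_output.splitlines()) if m}

def passes_f_syslog3(facility, severity):
    """Mirror the page's f_syslog3 filter. f_debug is not on the page; assumed to be
    the Debian default: level(debug) and not facility(auth, authpriv, news, mail)."""
    if facility in ("auth", "authpriv", "mail"):
        return False
    f_debug = severity == "debug" and facility not in ("auth", "authpriv", "news", "mail")
    return not f_debug

def build_message(facility, severity, hostname, tag, text, timestamp=None):
    """Format a classic RFC 3164 line the way a remote host would send it."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{timestamp or time.strftime('%b %d %H:%M:%S')} {hostname} {tag}: {text}"

def send_test_message(server, port=514, proto="udp", facility="user",
                      severity="notice", hostname="web01", tag="relaytest"):
    """Send one message to the s_net listener and return the wire bytes. Refuses
    facility/severity pairs that f_syslog3 drops, since those never reach d_syslog."""
    if not passes_f_syslog3(facility, severity):
        raise ValueError(f"{facility}.{severity} is dropped by f_syslog3")
    data = build_message(facility, severity, hostname, tag, "relay test").encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (server, port))
    else:  # the tcp() source expects newline-terminated frames
        with socket.create_connection((server, port), timeout=5) as s:
            s.sendall(data + b"\n")
    return data
```

After `send_test_message("<collector-ip>")` the line should appear under /var/log/remotelogs/web01/syslog (or the single shared file, depending on which d_syslog you chose); a message sent as auth.info will never show up because f_syslog3 excludes it, not because the listener is broken.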
Updated on September 18, 2022
Comments
-
batflaps almost 2 years
I'm configuring /etc/syslog-ng/syslog-ng.conf on version 3.5.6-2 to listen to remote hosts on port 514 by changing the configuration like:
#source s_src {
#    system();
#    internal();
#};
# If you wish to get logs from remote machine you should uncomment
# this and comment the above source line.
source s_net { tcp(ip(127.0.0.1) port(514)); udp(); };
but when I comment out s_src, as I think it suggests like:
#source s_src {
#    system();
#    internal();
#};
syslog-ng won't start due to config errors. If I just comment out these:
source s_src {
#    system();
#    internal();
};
it starts, but won't log standard syslog messages from localhost. Is there some other directive I need to add in source s_src to get it to listen on port 514 for remote hosts? (Other possibly relevant lines in config:)
log { source(s_src); filter(f_syslog3); destination(d_syslog); };
filter f_syslog3 { not facility(auth, authpriv, mail) and not filter(f_debug); };
destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };
-
batflaps over 5 years
Okay, that helps, will look into it. Other relevant lines:
log { source(s_src); filter(f_syslog3); destination(d_syslog); };
and
destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };
The comments in the OP are the defaults in the config file. The version is the latest for Debian Jessie from repositories, though I may be able to upgrade distro to Stretch if needed.