Configure Local and Remote System Logging : Ubuntu

By | 2007/08/04

A Linux machine has a logging system which keeps track of what everything is doing.  Any time you authorize with sudo, it gets logged.  Any time you (or someone else) connects via ssh, it gets logged.  Apache logs connections; mail servers log emails sent and refused.  Pretty much everything keeps a log of what it is doing so you can later troubleshoot it or simply have a record of it.

For those that are security minded, it may not be a bad idea to keep duplicates of your logs by sending them not only to the local machine but to a remote machine as well.  This way, even if an attacker is able to get into the first machine, his steps are logged remotely before he is able to clear them on the local machine.  This, of course, has a number of other valuable uses.  In any event, here are a few quick steps to set it up.

/etc/syslog.conf

This file is the main “what gets logged and where” file for your system.  If you take a look at it you’ll see that it takes different types of logs and writes them to the appropriate files: mail here, cron there, and so on.  We can easily tell the system to send the logs elsewhere with the following:

*.*    @192.168.0.5

(replace 192.168.0.5 with your log-server IP)

This will send *everything* to the remote machine to be filed in the appropriate place.

or

facility.priority    @192.168.0.5

(again, replace 192.168.0.5 with your log-server IP, and replace the selector with the one you want, e.g. mail.* or cron.*)

This will send just the appropriate log type (just mail, cron, etc.) to the remote server.  Follow the same selector syntax seen in the existing file to go this route.

/etc/default/syslogd

This file is the system logging daemon configuration.  This is where we’ll tell the remote machine to listen for and accept logs.  As you see from one of the comments in the file, you simply need to add “-r” to the SYSLOGD="" field.  Example:

SYSLOGD="-r"

Once you have made these changes both on the local (/etc/syslog.conf) and on the remote (/etc/default/syslogd) you’ll need to restart those services with the following command:

sudo /etc/init.d/sysklogd restart

At this point you should be able to view the logs on the remote machine (perhaps using “tail -f /var/log/[logfile]”) and see log entries identified by the other machine’s hostname.  Oh, and you can send *.* from A to B and *.* from B to A and it won’t cause an endless loop.  This way both machines have backups.
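As an added example (not part of the original post), here is a small POSIX shell script that checks both ends of this setup: it lists the selectors in a syslog.conf that are forwarded to a remote host, and it verifies that the SYSLOGD options in the syslogd defaults file include -r.  It runs against constructed sample files in a temporary directory; the real paths /etc/syslog.conf and /etc/default/syslogd are assumed from the post.

```shell
#!/bin/sh
# Added example, not from the original post: check both ends of the setup.
# The two files below are constructed samples written to a temp directory;
# on a real system you would point the functions at /etc/syslog.conf and
# /etc/default/syslogd (paths assumed from the post).

# Print every selector whose action is a remote host (action begins with '@').
# Comment lines and blank lines are skipped; a syslog.conf rule is
# "selector <whitespace> action", so only two-field lines are considered.
remote_selectors() {
    grep -v '^[[:space:]]*#' "$1" |
        awk 'NF == 2 && $2 ~ /^@/ { print $1 " -> " $2 }'
}

# Succeed (exit 0) only if SYSLOGD="..." in the given defaults file contains
# the -r option, which makes syslogd accept logs from the network.
listener_enabled() {
    opts=$(sed -n 's/^SYSLOGD="\(.*\)"/\1/p' "$1")
    case " $opts " in
        *" -r "*) return 0 ;;
    esac
    return 1
}

SAMPLE_DIR=$(mktemp -d)

# Constructed client-side syslog.conf: local files plus two forwarding rules.
cat > "$SAMPLE_DIR/syslog.conf" <<'EOF'
# constructed sample, not a real system file
auth,authpriv.*        /var/log/auth.log
mail.*                 -/var/log/mail.log
mail.*                 @192.168.0.5
cron.*                 @loghost
EOF

# Constructed server-side /etc/default/syslogd with remote reception enabled.
cat > "$SAMPLE_DIR/syslogd" <<'EOF'
SYSLOGD="-u syslog -r"
EOF

echo "Rules forwarded to a remote host:"
remote_selectors "$SAMPLE_DIR/syslog.conf"
if listener_enabled "$SAMPLE_DIR/syslogd"; then
    echo "syslogd accepts remote logs (-r present)"
else
    echo "syslogd will drop remote logs: add -r to SYSLOGD"
fi
```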

4 thoughts on “Configure Local and Remote System Logging : Ubuntu”

  1. Pingback: University Update - Linux - Configure Local and Remote System Logging : Ubuntu

  2. Benjamin Montgomery

    FYI, this doesn’t work with Dapper. You have to modify /etc/init.d/sysklogd in order to allow for remote logging. The line to change looks like

    SYSLOGD="-u syslog"

    add a -r to that and you are good to go.

  3. Pingback: Smith Data Processing Services » Blog Archive » links for 2007-08-06

  4. http://endolith.wordpress.com/

    Take the parenthetical remarks out of the code tags, please.

    Note that you can use a @hostname in place of the @IP.

    Thanks for this post, it’s very useful!
