There are times when you need a central syslog server which collects system logs from various systems. In order to preserve logs in the case of a system compromise, for example, remote syslog’ing is a wonderful solution: logs are sent to the remote syslog server the moment they are created on the client system. Even if the attacker removes the log directory on the compromised client system, copies of the logs have already been shipped to the remote syslog server. Remote syslog’ing also provides for centralised log analysis and correlation, which can become a nightmare if done on a per-host basis in a decentralised syslog environment.
This nice tutorial describes setting up a remote syslog daemon as well as the clients that send their logs to the remote syslog server.
Following the tutorial, I set up remote syslog on two Slackware boxes. On the system on which I wanted to run the syslog server, I added the following piece of BASH code to /etc/rc.d/rc.syslog (the new function goes next to the existing syslogd_start function, and the new 'remote' label goes into the existing case "$1" statement):
    # Start syslogd with -r so it accepts messages from remote hosts
    # (UDP port 514); -m 0 turns off the periodic "-- MARK --" lines.
    syslogd_remote() {
      if [ -x /usr/sbin/syslogd -a -x /usr/sbin/klogd ]; then
        echo -n "Starting sysklogd daemons: "
        echo -n "/usr/sbin/syslogd "
        /usr/sbin/syslogd -r -m 0
        sleep 1
        echo "starting kernel logger "
        # -c 3 sets the console log level; -x skips kernel symbol lookup
        /usr/sbin/klogd -c 3 -x
      fi
    }

    # Added to the existing case "$1" statement, before the default '*)' branch:
    'remote')
      syslogd_remote
      ;;
    *)
      echo "usage $0 start|stop|restart|remote"
I restarted rc.syslog with the ‘remote’ argument, and headed over to the client system to set up syslog to send logs to the syslog server. I appended the following line to /etc/syslog.conf
*.info;mail.none;authpriv.none;cron.none @remote_syslog_server_ip
Restarted rc.syslog, and I was done.
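To make the syslog.conf line above concrete, here is an added example (my own code, not part of the tutorial or of sysklogd) that decodes BSD-style syslog messages as a remote syslogd would receive them and applies the selector "*.info;mail.none;authpriv.none;cron.none" the way sysklogd does: selectors are read left to right, and a later entry such as mail.none overrides the earlier *.info for that facility. It also shows where a source-address allow-list fits, because syslogd -r accepts messages on UDP 514 from any host that can reach it. The sample messages, hosts and addresses are constructed; only the basic facility.level and facility.none selector forms are handled.

```python
"""Decode BSD-syslog (RFC 3164 style) lines and apply a sysklogd-style selector.

Added example, not code from the tutorial or from sysklogd. Sample lines,
host names and addresses below are constructed for illustration.
"""
import re

# Facility codes 0-23; names for 12-15 follow RFC 3164.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7; lower number means more severe.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss hostname message
_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)


def decode_pri(pri):
    """PRI = facility * 8 + severity; return (facility_name, severity_name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITY_NAMES[pri >> 3], SEVERITY_NAMES[pri & 7]


def parse_line(line):
    """Split one BSD syslog line into its fields."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    facility, severity = decode_pri(int(m.group("pri")))
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": m.group("msg"),
    }


def compile_selector(selector):
    """Return {facility: most-verbose severity index kept, or None if excluded}.

    Parts are applied left to right, so 'mail.none' after '*.info' wins for mail.
    """
    table = {f: None for f in FACILITY_NAMES}
    for part in selector.split(";"):
        facs, _, prio = part.strip().rpartition(".")
        targets = FACILITY_NAMES if facs == "*" else [f.strip() for f in facs.split(",")]
        level = None if prio == "none" else SEVERITY_NAMES.index(prio)
        for f in targets:
            if f not in table:
                raise ValueError("unknown facility: %s" % f)
            table[f] = level
    return table


def selector_matches(table, facility, severity):
    """'facility.level' keeps messages at that level or more severe."""
    level = table[facility]
    return level is not None and SEVERITY_NAMES.index(severity) <= level


def collect(datagrams, selector, allowed_sources):
    """Filter (source_ip, line) pairs as a cautious central collector would."""
    table = compile_selector(selector)
    kept = []
    for src, line in datagrams:
        if src not in allowed_sources:
            continue  # syslogd -r itself does not check the sender; filter here or at the firewall
        rec = parse_line(line)
        if selector_matches(table, rec["facility"], rec["severity"]):
            kept.append(rec)
    return kept


SELECTOR = "*.info;mail.none;authpriv.none;cron.none"

# Constructed datagrams: (source address, raw syslog line)
SAMPLE = [
    ("10.0.0.5", "<38>Mar  9 10:15:01 web1 sshd[1234]: Accepted publickey for alice from 10.0.0.9"),   # auth.info: kept
    ("10.0.0.5", "<86>Mar  9 10:15:02 web1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls"),               # authpriv.info: excluded
    ("10.0.0.5", "<22>Mar  9 10:15:03 web1 sendmail[200]: message accepted for delivery"),             # mail.info: excluded
    ("10.0.0.5", "<15>Mar  9 10:15:04 web1 myapp: debug trace"),                                       # user.debug: below info
    ("10.0.0.5", "<77>Mar  9 10:15:05 web1 crond[300]: (root) CMD (run-parts /etc/cron.hourly)"),     # cron.notice: excluded
    ("10.0.0.5", "<3>Mar  9 10:15:06 web1 kernel: Out of memory: Kill process 4321 (java)"),           # kern.err: kept
    ("192.0.2.77", "<38>Mar  9 10:15:07 web1 sshd[1235]: Accepted password for root from 192.0.2.77"), # not an allowed source
]

if __name__ == "__main__":
    for rec in collect(SAMPLE, SELECTOR, {"10.0.0.5"}):
        print("%s.%s %s %s" % (rec["facility"], rec["severity"], rec["host"], rec["message"]))
```

Running it keeps only the auth.info and kern.err lines: the selector line sends everything at info or above except mail, authpriv and cron traffic, and the datagram from the unlisted address is dropped before it is even parsed.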