From 902c48c6a0505d0fc91776ebebe3d68d3a8b9218 Mon Sep 17 00:00:00 2001 From: Dru Lavigne Date: Fri, 31 Jan 2014 23:29:13 +0000 Subject: [PATCH] First 1/2 of syslogd section. Tighten wording and clarify unclear bits. Sponsored by: iXsystems --- .../handbook/network-servers/chapter.xml | 122 ++++++++---------- 1 file changed, 52 insertions(+), 70 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml index 93bba57175..5bda47ccbf 100644 --- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml 
@@ -5422,117 +5422,99 @@ driftfile /var/db/ntp.drift Interacting with system logs is a crucial aspect of both security and system administration. Monitoring the log files of - multiple hosts can get very unwieldy when these hosts are - distributed across medium or large networks, or when they are - parts of various different types of networks. In these cases, - configuring remote logging may make the whole process a lot more - comfortable. - - Centralized logging to a specific logging host can reduce - some of the administrative burden of log file administration. - Log file aggregation, merging and rotation may be configured in - one location, using the native tools of &os;, such as - &man.syslogd.8; and &man.newsyslog.8;. In the following example - configuration, host A, named + multiple hosts can become unwieldy as the number of systems increases. + Configuring centralized logging can reduce + some of the administrative burden of log file administration. + + Centralized log file aggregation, merging, and rotation can be configured + using &os; native tools, such as + &man.syslogd.8; and &man.newsyslog.8;. This section demonstrates an example + configuration, where host A, named logserv.example.com, will collect logging information for the local network. Host B, named logclient.example.com will - pass logging information to the server system. In live - configurations, both hosts require proper forward and reverse - DNS or entries in - /etc/hosts. Otherwise, data will be - rejected by the server. + class="fqdomainname">logclient.example.com, will be configured to + pass logging information to the logging server. Log Server Configuration - Log servers are machines configured to accept logging - information from remote hosts. In most cases this is to ease - configuration, in other cases it may just be a better - administration move. Regardless of reason, there are a few - requirements before continuing. 
- - A properly configured logging server has met the following - minimal requirements: + A log server is a system that has been configured to accept logging + information from other hosts. Before configuring a log server, check the following: - The firewall ruleset allows for UDP - to be passed on port 514 on both the client and - server; + If there is a firewall between the logging server and + any logging clients, ensure that the firewall ruleset allows UDP + port 514 for both the clients and the + server. - syslogd has been configured to - accept remote messages from client machines; - - - - The syslogd server and all client - machines must have valid entries for both forward and - reverse DNS, or be properly configured - in /etc/hosts. + The logging server and all client + machines must have forward and reverse entries in + the local DNS. If the network does not have + a DNS server, create entries in each system's + /etc/hosts. Proper name resolution is required + so that log entries are not rejected by the logging server. - To configure the log server, the client must be listed - in /etc/syslog.conf, and the logging - facility must be specified: + On the log server, edit + /etc/syslog.conf to specify the name of + the client to receive log entries from, the logging + facility to be used, and the name of the log to store the + host's log entries. This example adds the hostname of + B, logs all facilities, and stores + the log entries in /var/log/logclient.log. + + + Sample Log Server Configuration +logclient.example.com *.* /var/log/logclient.log + - - More information on various supported and available - facilities may be found in + When adding multiple log clients, add a similar two-line entry + for each client. More information about the available + facilities may be found in &man.syslog.conf.5;. - - Once added, all facility messages will - be logged to the file specified previously, - /var/log/logclient.log. 
- - The server machine must also have the following listing - placed inside /etc/rc.conf: + Next, configure /etc/rc.conf: syslogd_enable="YES" syslogd_flags="-a logclient.example.com -v -v" - The first option will enable the - syslogd daemon on boot up, and the second - option allows data from the specified client to be accepted on - this server. The latter part, using , - will increase the verbosity of logged messages. This is - extremely useful for tweaking facilities as administrators are - able to see what type of messages are being logged under which + The first entry starts + syslogd at system boot. The second + entry allows log entries from the specified client. + The + increases the verbosity of logged messages. This is + useful for tweaking facilities as administrators are + able to see what type of messages are being logged under each facility. Multiple options may be specified to allow logging from multiple clients. IP addresses and whole netblocks may also be specified. Refer to - &man.syslog.3; for a full list of possible + &man.syslogd.8; for a full list of possible options. - Finally, the log file should be created. The method used - does not matter, but &man.touch.1; works great for situations - such as this: + Finally, create the log file: - &prompt.root; touch - /var/log/logclient.log + &prompt.root; touch /var/log/logclient.log - At this point, the syslogd daemon + At this point, syslogd should be restarted and verified: &prompt.root; service syslogd restart &prompt.root; pgrep syslog - If a PID is returned, the server has - been restarted successfully, and client configuration may - begin. If the server has not restarted, consult the - /var/log/messages log for any - output. + If a PID is returned, the server + restarted successfully, and client configuration can + begin. If the server did not restart, consult + /var/log/messages for the error.
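Review bot: The new sentence after the Sample Log Server Configuration ("When adding multiple log clients, add a similar two-line entry for each client") does not say where in /etc/syslog.conf the "+logclient.example.com" block belongs. A "+hostname" line scopes every selector line that follows it until the next host specification, so a block inserted above existing local rules would silently restrict those rules to the client. Suggest stating that the block goes at the end of the file, or is followed by a "+*" line to reset the host scope. Separately, the rewritten firewall item allows UDP port 514 without limiting the source, and "-a logclient.example.com" relies on the name resolution that the same list says must be correct. Since the text already notes that IP addresses and whole netblocks may be specified, consider recommending that both the firewall rule and the -a value be restricted to the clients' addresses.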