Setting Up A Log Host for Syslog

Suppose you have a device with remote logging capabilities, such as the TL-SG3210 switch. In that case you may want to set up a machine on your local network to receive its log messages and store them permanently.

On Linux you have the choice between rsyslog and syslog-ng.

Syslog-ng Log Host on Arch Linux

https://wiki.archlinux.org/index.php/Syslog-ng#Configuring_as_a_loghost

With the following terminal commands you can set up your Arch Linux based machine as a log host. Log filenames will be based on the FQDN of the remote host and will be located in /var/log/remote/:

su
# create the folder for the log files:
mkdir -p /var/log/remote/
# change syslog-ng's config to accept remote log messages
# (the quoted "EOF" keeps $FULLHOST literal so the shell does not expand it):
cat << "EOF" >> /etc/syslog-ng/syslog-ng.conf
## Setup syslog-ng as a log host :
# udp() listens on all interfaces, UDP port 514, by default; in syslog-ng 3.x
# it is the legacy form of network(transport("udp")). Restrict who can reach
# port 514 with your firewall, since anything that can send to it gets logged.
source net { udp(); };
# $FULLHOST is the hostname as reported by the sender (or resolved from its
# address), so one file per remote host is created under /var/log/remote/
destination remote { file("/var/log/remote/$FULLHOST"); };
log { source(net); destination(remote); };
EOF
# restart syslog-ng :
systemctl restart syslog-ng

Watching the Network Traffic for syslog messages

You can check for incoming syslog messages on the receiving host using tcpdump (run as root, and replace eth0 with the interface that faces the logging device). More information can be found in this blog post.

tcpdump -Xni eth0 port 514
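A small receiver-side check, added here as an example (it is not part of the original post and not syslog-ng code): it parses an RFC 3164 datagram the way the log host sees it on port 514, maps the sender-supplied hostname to a file under /var/log/remote/ in the spirit of the $FULLHOST destination above (treating the hostname as untrusted input, since the remote device chooses it), and can send a test message so you can confirm both the tcpdump capture and the log file show up. The sample message, the "tester" hostname and the loghost argument are constructed for this example.

```python
import re
import socket
from pathlib import PurePosixPath

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG   (PRI = facility*8 + severity)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# a plain hostname or FQDN: letters, digits, dots and hyphens, nothing else
SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")

def parse_syslog(datagram: bytes) -> dict:
    """Split one UDP syslog datagram into facility, severity, host and message."""
    m = SYSLOG_RE.match(datagram.decode("utf-8", errors="replace").rstrip("\n"))
    if not m:
        raise ValueError("not an RFC 3164 message")
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 + 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    return {"facility": pri // 8, "severity": SEVERITIES[pri % 8],
            "host": m["host"], "timestamp": m["ts"], "message": m["msg"]}

def log_path(host: str, base: str = "/var/log/remote") -> PurePosixPath:
    """File the message would land in, like file("/var/log/remote/$FULLHOST").
    The hostname comes from the remote sender, so only a hostname-shaped value
    is used as a file name; anything else is filed under 'unknown'."""
    name = host if SAFE_HOST.match(host) and ".." not in host else "unknown"
    return PurePosixPath(base) / name

def send_test_message(loghost: str, port: int = 514, host: str = "tester") -> bytes:
    """Send one local0.info test message (PRI 134) to the log host over UDP."""
    payload = f"<134>Jan  1 12:00:00 {host} test: hello loghost".encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (loghost, port))
    return payload

if __name__ == "__main__":
    # constructed sample, shaped like a message a switch might send
    sample = b"<134>Mar 10 09:15:02 switch01 link: port 3 up"
    rec = parse_syslog(sample)
    print(rec, "->", log_path(rec["host"]))
```

Run `send_test_message("<loghost-ip>")` from another machine while tcpdump is running on the log host; the same line should then appear in /var/log/remote/tester.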
