What Do I Need?
- A Dedicated or VPS Linux Server
- CentOS
- PuTTY
What is Syslog?
Syslog is an enormously useful standard for message logging. It separates the software that generates messages from the system that stores them and from the software that reports on and analyzes them. Each message is labeled with a facility, a tag that indicates the type of software that generated the message.
Syslog also includes an assigned severity level. If you’re running an increasingly larger and complex web server hosting operation then you should perhaps consider setting up a Syslog server, which will provide a centralized platform to manage, access, and monitor logs from a local system as well as remotely. If configured, of course.
- Pre-Flight Checks
- Check that the syslog, portmap, and xinetd services are switched on under System services. Run setup, select System services from the list, and make sure these entries are checked:
setup
[*] portmap
[*] xinetd
[*] syslog
- Restart the portmap service:
service portmap restart
- Restart the xinetd service:
service xinetd restart
- To ensure that these services remain active after a reboot you’ll need to use the chkconfig command:
chkconfig portmap on
chkconfig xinetd on
- After the reboot, check the status of the services:
service portmap status
service xinetd status
- Configuring Syslog
- Open the Syslog file:
nano /etc/sysconfig/syslog
- Locate the SYSLOGD_OPTIONS tag.
- Add the ‘-r’ flag to this tag so that syslogd accepts logs from clients. The flags you will typically see or add here are:
‘-m 0’ disables the periodic ‘MARK’ messages.
‘-r’ enables logging from remote machines (syslogd listens on UDP port 514).
‘-x’ disables DNS lookups on messages received with ‘-r’.
- After saving the file, restart the service with the service syslog restart command:
service syslog restart
- Configure your Linux Client Server
- To enable forwarding from the client server, a couple of edits are needed. First confirm with ping that the client and the log server can reach each other, then open the /etc/syslog.conf file:
nano /etc/syslog.conf
- Go to the end of the file and create an entry for your actual logging server. The selector comes first, then the target host prefixed with @ (no space between the @ and the address):
user.*    @[logging_server_ip]
- After saving the file you’ll have to restart the service.
service syslog restart
- Restart the client server so it can send an initial log entry to your Syslog server. Additionally, always remember that logs are generated when the client boots, so restart, don’t shut down.
reboot -f
- Check Client Logs on Log Server
- To check for the client server messages recorded on your new and amazing Syslog server, use the following command:
less /var/log/messages
- At the end of this file, you’ll see various logs from your client server.
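To confirm the setup above did what it should, here is an added check script (not from the original article) for the log server: it verifies that SYSLOGD_OPTIONS carries ‘-r’, that something is listening on UDP 514, and that /var/log/messages actually contains lines from the client. The client hostname (client01) is an assumed placeholder; pass your own as the first argument.

```shell
#!/bin/sh
# Added check script (not from the original article): confirms the server-side
# configuration described above and that the client's messages actually arrive.
# Assumes the article's sysklogd layout; file paths can be overridden for testing.

SYSCONFIG_FILE=${SYSCONFIG_FILE:-/etc/sysconfig/syslog}
MESSAGES_FILE=${MESSAGES_FILE:-/var/log/messages}

# Returns 0 if SYSLOGD_OPTIONS in the given sysconfig file includes the -r flag,
# i.e. syslogd will accept messages from remote clients.
syslogd_accepts_remote() {
    grep -E '^[[:space:]]*SYSLOGD_OPTIONS=' "$1" | tail -n 1 \
        | sed 's/^[^=]*=//' | tr -d '"' \
        | grep -Eq '(^|[[:space:]])-r([[:space:]]|$)'
}

# Prints how many lines in a syslog messages file were logged by the given
# client hostname (field 4 of the classic "Mon DD HH:MM:SS host prog: msg" format).
client_message_count() {
    awk -v host="$2" '$4 == host { n++ } END { print n + 0 }' "$1"
}

# Returns 0 if something is bound to UDP port 514, the port -r makes syslogd listen on.
syslogd_listening() {
    netstat -uln 2>/dev/null | grep -Eq '[:.]514[[:space:]]'
}

main() {
    client=${1:-client01}   # assumed placeholder: hostname of the client server
    if syslogd_accepts_remote "$SYSCONFIG_FILE"; then
        echo "OK   SYSLOGD_OPTIONS carries -r"
    else
        echo "FAIL -r missing from SYSLOGD_OPTIONS in $SYSCONFIG_FILE"; return 1
    fi
    if syslogd_listening; then
        echo "OK   syslogd is listening on UDP 514"
    else
        echo "WARN nothing listening on UDP 514; did you restart syslog?"
    fi
    n=$(client_message_count "$MESSAGES_FILE" "$client")
    echo "INFO $n message(s) from $client in $MESSAGES_FILE"
    [ "$n" -gt 0 ]
}

# Only run the report when the article's config file is present on this host.
if [ -r "$SYSCONFIG_FILE" ]; then main "$@"; fi
```

The script exits non-zero when ‘-r’ is missing or no client lines have arrived yet, so it can be dropped into a cron job as a simple health check.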
Next Steps
Syslogs can get complex and humongous. Analyzing these logs for actionable intelligence can be a seriously challenging ordeal, even for the advanced user, and especially for the n00b. I’d recommend reviewing some of the free Windows and Linux log readers out there for intelligent reading of your logs. For example, there’s the fairly groovy Kiwi Syslog Server (Free Edition) by SolarWinds. Using a really simple and intuitive interface, it combines sorting, coloring, and automatic categorization of key system events, so your focus is on what you want when you want it. Super useful. There’s also the really awesome Syslog Watcher by SnmpSoft. It’s a bit more complex in terms of layout than the Kiwi variant; however, personally, I find it a bit more business-like.
Conclusion
So why would you want this deep analysis capability on your servers and sites? Simple. Because if you know what usually happens, such as when and how logins to your systems normally occur, you can use the logs together with system resource monitoring to spot unusual activity. What’s more, you can configure what syslogd saves through the /etc/syslog.conf configuration file.