sysklogd service

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
Locked
BanditBBS
Posts: 2474
Joined: Tue May 31, 2011 12:57 pm
Location: Scio, OH

sysklogd service

Post by BanditBBS »

Any way I can get this to work with sysklogd? Trying to add a couple log sources and both Linux servers are running sysklogd for their syslog service. Tried the script install and it of course bombs out :(
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm

Re: sysklogd service

Post by jolson »

syslogd/sysklogd:

Find your Syslogd configuration file, usually /etc/syslog.conf and add the following line at the end of the file:

Code:

*.* @naglogserv-01.nagios.local:5544

Note: replace 'naglogserv-01.nagios.local' with the IP Address or DNS name of your Nagios Log Server system.

The above should be all that is required.

Let me know if you have any trouble. Thanks!
Twits Blog
Show me a man who lives alone and has a perpetually clean kitchen, and 8 times out of 9 I'll show you a man with detestable spiritual qualities.

Re: sysklogd service

Post by BanditBBS »

I made that change and restarted the service. New log entries not showing up, here is the config file:

Code:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# NetWorker - DO NOT DELETE OR CHANGE THIS LINE
daemon.notice                   /dev/console
daemon.notice                   /nsr/logs/messages
daemon.notice                   operator
local0.notice                   /nsr/logs/summary
local0.alert                    root, operator
# NetWorker - DO NOT DELETE OR CHANGE THIS LINE
*.* @iss-chi-nag07.***.******.com:5544

Re: sysklogd service

Post by jolson »

Can you verify that the remote machine with sysklogd is capable of resolving the hostname for Nagios Log Server properly?

Re: sysklogd service

Post by BanditBBS »

I had to remove the :5544 to make it work (my log servers are listening on priv port as well).

Any idea why the :5544 didn't work?

Re: sysklogd service

Post by jolson »

All of the documentation that I have found states that the port at the end of your configuration should work fine. It might have to do with the input in question - 5544 by default uses a 'syslog' input - perhaps you could try sending your logs to a plain udp input?

On Nagios Log Server:

Code:

udp {
    type => 'testinput'
    port => 8999
}

On your remote servers sysklogd conf file:

Code:

*.* @iss-chi-nag07.***.******.com:8999

Be sure to open port 8999 in your Nagios Log Server firewall, and you could set up tcpdump to watch the port to ensure that traffic is arriving from your remote source.

Code:

yum install tcpdump
tcpdump -n dst port 8999

EDIT:
lmiltchev spoke to me about what I stated above, and spun up a test system - he experienced the same problem that you did, in that no custom port definition could be made.

I dug up the following documentation: http://www.rsyslog.com/integration-with ... d-syslogd/
Note that the listening port must be 514 as legacy syslogd (usually) does not support any other.
As stated, legacy syslog typically does not support exporting on anything other than UDP 514. I am guessing that's what's going on here, especially after reading through the sysklog man page - which does not mention any alternative port configuration directive.

What you can do is install a more up-to-date piece of logging software (rsyslog or syslog-ng) to output log data to a custom port. For now it looks like sysklogd does not support export on a custom port. I am still digging, I'll let you know what I find out.

Re: sysklogd service

Post by jolson »

BanditBBS,

I couldn't find anything definitive online, but every sysklogd package that I have tested has resulted in only being able to send data across UDP port 514. I am under the impression that this is a limitation of sysklogd - you might try installing rsyslog/syslog-ng on the server in question if you'd like to export to a custom port. Rsyslog has a good document on how to do this: http://www.rsyslog.com/integration-with ... d-syslogd/
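
Added example, not part of the thread and not Nagios or sysklogd code: a small shell lint that reads a syslog.conf on stdin and flags remote `@host:port` actions, which the testing described above found legacy sysklogd does not deliver to a custom port. The function names and the sample hostname are assumptions made for illustration.

```shell
#!/bin/sh
# lint_forwarding: read a syslog.conf on stdin and report every remote
# forwarding action ("@host"). Prints
#   PORT <line-no> <host> <port>   when the action carries a ":port" suffix
#   OK   <line-no> <host>          when it relies on the default UDP 514
# and returns 1 if at least one PORT line was printed.
lint_forwarding() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }              # skip comments, blank lines
        {
            action = $NF                            # a remote action is one token
            if (substr(action, 1, 1) != "@") next   # local files, users, console
            target = substr(action, 2)
            n = index(target, ":")
            if (n > 0) {
                printf "PORT %d %s %s\n", NR, substr(target, 1, n - 1), substr(target, n + 1)
                bad = 1
            } else {
                printf "OK %d %s\n", NR, target
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample modelled on the config posted in the thread;
# logserver.example.com is a placeholder hostname.
sample_conf() {
    cat <<'EOF'
# Log cron stuff
cron.*                          /var/log/cron
local0.alert                    root, operator
*.* @logserver.example.com:5544
*.* @logserver.example.com
EOF
}

# Stand-alone run on the sample; on a real host use:
#   lint_forwarding < /etc/syslog.conf
sample_conf | lint_forwarding ||
    echo "port suffix found: forward to UDP 514 or switch to rsyslog/syslog-ng"
```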

Re: sysklogd service

Post by BanditBBS »

jolson wrote: BanditBBS,

I couldn't find anything definitive online, but every sysklogd package that I have tested has resulted in only being able to send data across UDP port 514. I am under the impression that this is a limitation of sysklogd - you might try installing rsyslog/syslog-ng on the server in question if you'd like to export to a custom port. Rsyslog has a good document on how to do this: http://www.rsyslog.com/integration-with ... d-syslogd/

Thanks, jolson. I have my log servers listening on 514, so not a big deal, especially since these couple hosts are customer prod machines; I'm not going to install anything and can keep using port 514.

Thanks for looking so deeply into it.

Re: sysklogd service

Post by jolson »

No problem - are we good to close this thread?

Re: sysklogd service

Post by BanditBBS »

jolson wrote: No problem - are we good to close this thread?

Sure thing!