Syslog is a standard logging service in Linux; it usually runs as a daemon such as syslogd or rsyslogd. The syslog daemon forwards logs and stores them in the /var/log directory; you may configure it to store them in a separate location if you want (we will look into it later). One major file stores the majority of logs: messages. Therefore, you may want to monitor Linux message logs by tailing /var/log/messages.
Log entries may come from various services, applications, the kernel, as well as remote servers if you have enabled your syslog daemon to accept remote log submissions. The syslog protocol is now standardized within the Syslog working group of the IETF, and it is defined in RFC 3164.
Rsyslog is an enhanced multi-threaded syslogd with a focus on security and reliability. I think newer Linux distros have already replaced syslogd with rsyslogd. For more information you can check out Wikipedia.
In this post, I briefly explain the facility and log levels of the syslog protocol, how to configure syslogd as well as rsyslogd to accept logs from remote hosts, and also how to send logs remotely.
Syslog categorizes logs by PRI, which is constructed from the facility and the severity (also called priority or log level).
Facility defines the source of the log entries, that is, what kind of service sent the log. Let's look at the facility info extracted from RFC 3164; each facility is assigned a numeric code.
Numerical Code    Facility
0     kernel messages
1     user-level messages
2     mail system
3     system daemons
4     security/authorization messages
5     messages generated internally by syslogd
6     line printer subsystem
7     network news subsystem
8     UUCP subsystem
9     clock daemon
10    security/authorization messages
11    FTP daemon
12    NTP subsystem
13    log audit
14    log alert
15    clock daemon
16    local use 0 (local0)
17    local use 1 (local1)
18    local use 2 (local2)
19    local use 3 (local3)
20    local use 4 (local4)
21    local use 5 (local5)
22    local use 6 (local6)
23    local use 7 (local7)
Severity is the log level that defines how critical a log entry is, from 0 – 7: 0 indicates the most critical and 7 is for debugging purposes.
Numerical Code    Severity
0     Emergency: system is unusable
1     Alert: action must be taken immediately
2     Critical: critical conditions
3     Error: error conditions
4     Warning: warning conditions
5     Notice: normal but significant condition
6     Informational: informational messages
7     Debug: debug-level messages
PRI is a unique value constructed from facility and severity, where severity takes the 3 LSB (least significant bits) and facility is appended starting from bit 4.
PRI = (facility << 3) + severity
<< indicates a left shift, which I borrow from the C++ programming language; a left shift by N is like multiplying by 2^N (two to the power of N). In this context, the PRI formula can be written as
PRI = (facility * 2^3) + severity
PRI is important when you want to send a message to syslog. The default message PRI is user(1).notice(5), for which the PRI value is 8 + 5 = 13. This means that if you do not specify the PRI value, the message will be treated as PRI 13.
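The PRI arithmetic above in both directions, as an added example that is not part of the original post: it encodes a facility.severity pair and decodes the PRI of a raw message line, which is also the check a receiver wants before trusting the field. The function names are hypothetical, the short names for codes 12 to 15 are labels chosen here, and rejecting a malformed PRI is a choice of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Names are listed in the order
# of the RFC 3164 tables above, so list position equals the numeric code.
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7"
SEVERITIES="emerg alert crit err warning notice info debug"

# index_of NAME LIST... -> prints the zero-based position of NAME, fails if absent
index_of() {
    name=$1; shift; i=0
    for item in "$@"; do
        [ "$item" = "$name" ] && { echo "$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# name_at INDEX LIST... -> prints the name at position INDEX
name_at() {
    n=$1; shift
    shift "$n" && echo "$1"
}

# pri_encode facility.severity -> numeric PRI, e.g. user.info -> 14
pri_encode() {
    fac=$(index_of "${1%%.*}" $FACILITIES) || return 1
    sev=$(index_of "${1#*.}" $SEVERITIES) || return 1
    echo $(( (fac << 3) + sev ))
}

# pri_decode LINE -> facility.severity of a raw message line.
# No leading <PRI> means 13 (user.notice). A PRI that is not 1-3 digits,
# has a leading zero, or exceeds 191 (local7.debug) is rejected.
pri_decode() {
    case $1 in
        "<"*">"*) pri=${1#"<"}; pri=${pri%%">"*} ;;
        *) pri=13 ;;
    esac
    case $pri in
        ''|*[!0-9]*|????*|0?*) return 1 ;;
    esac
    [ "$pri" -le 191 ] || return 1
    echo "$(name_at $((pri >> 3)) $FACILITIES).$(name_at $((pri & 7)) $SEVERITIES)"
}

# Constructed sample lines, decoded one per line.
for line in '<14>User Info msg from remote' 'logging from remote' '<999>bad'; do
    printf '%s -> %s\n' "$line" "$(pri_decode "$line" || echo invalid)"
done
```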
On common Linux distros, syslogd or rsyslogd should be started before you log in to your system; you can verify that with ps.
ps aux| grep syslogd
Usually the syslogd that comes with a distro is not configured to accept remote messages unless -r is specified.
root 4232 0.0 0.0 13424 888 ? Sl Jul22 0:00 syslogd -m 0 -r
How to enable syslogd to accept remote messages?
syslogd listens on UDP port 514 for messages sent remotely; if your distro runs rsyslogd, you can also listen on a TCP port, and you may need to specify the port number.
Different Linux distros may be configured in different ways. If you are using a Red Hat based distro, your syslogd and rsyslogd configuration will be at /etc/sysconfig/syslog or /etc/sysconfig/rsyslog.
For rsyslogd, change SYSLOGD_OPTIONS in /etc/sysconfig/rsyslog from SYSLOGD_OPTIONS="-m 0" to SYSLOGD_OPTIONS="-m 0 -r514" for UDP and SYSLOGD_OPTIONS="-m 0 -t514" for TCP. For syslogd, change it to SYSLOGD_OPTIONS="-m 0 -r".
After that, restart your syslog or rsyslog service. In Fedora or Red Hat, you may do this with root permission.
service syslog restart
Or you can just kill the syslogd process and start manually from console for testing.
rsyslogd -m 0 -r514
The syslog daemon has a configuration file that specifies which logs to keep and which file to append them to, based on the PRI described above.
Below is a sample of /etc/rsyslog.conf
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Log cron stuff
cron.* /var/log/cron
You define which messages go to which file like this:
The line above indicates that when a syslog message arrives with facility user and severity notice, it will be appended to the file /var/log/user.notice.
For more info, please check out here.
How to send a message to syslogd?
For sending locally, we can use the logger command. Before you send the message to syslog, let's tail the message log.
tail -f /var/log/messages
Now send “hello world” with logger.
logger "hello world"
It will appear in /var/log/messages, as well as in /var/log/user.notice if you have configured syslog.conf to forward user.notice messages to /var/log/user.notice. This proves that the default message's PRI is user.notice. You may assign a different PRI value with logger. For example, to send a message with PRI = user.info:
logger -p user.info "testing 123"
How to send log message to remote server?
Unfortunately, you can't send through logger. But you can manually send a plain text UDP packet to remote servers that are listening on UDP port 514. With the help of netcat (nc), we can send the message to a remote syslogd as simply as with the logger command.
nc -w0 -u 192.168.1.1 514 <<< "logging from remote"
To assign your message a PRI, you need to specify the PRI's numeric value.
User.Info's PRI value is:
(1 << 3) + 6 = 8 + 6 = 14 (refer back to the numerical codes of facility and severity)
nc -w0 -u 192.168.1.1 514 <<< "<14>User Info msg from remote"
If your rsyslogd is listening on a TCP port, just omit -w0 and -u:
nc 192.168.1.1 514 <<< "<14>User Info msg from remote through TCP."