Centralized Logging using Syslog-NG & Splunk indexing / search

syslog-ng is an open source implementation of the syslog protocol for UNIX and UNIX-like systems. It extends the original syslogd model with content-based filtering, flexible configuration options, and features the classic daemon lacks, such as transport over TCP instead of only UDP.

Traditional syslog (RFC 3164) runs over UDP port 514 and limits a message to 1024 bytes; delivery is unacknowledged and the sender address is trivially forged, so treat anything that arrives over UDP as untrusted input.

• FIFO buffers (first in, first out) are a type of named pipe, created with mkfifo
• A reader attached to one gets a rolling view of the logs: messages show up as they are written and are gone once read
• Because a FIFO keeps no history, the archive destination below is where the permanent copy lives

Installing Syslog-ng
———————

– rpm -ivh http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.0.2/setups/rhel-5-amd64/syslog-ng-3.0.2-1.rhel5.amd64.rpm
Note: the package replaces sysklogd, so klogd is removed with it. This is expected: syslog-ng reads the kernel ring buffer itself via the /proc/kmsg source in the config below.
– cd /opt/syslog-ng/etc/

– vi syslog-ng.conf and paste the config below (adjust it to your needs; the quotes must be plain ASCII double quotes or syslog-ng will refuse the file)

@version: 3.0
# Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
#

# Global config
options {
chain_hostnames(0);
time_reopen(10);
time_reap(360);
log_fifo_size(2048);   # per-destination output queue; once it is full, further messages are dropped
create_dirs(yes);
perm(0640);            # log files readable only by syslog-ng's own user and group
dir_perm(0755);
use_dns(no);           # no reverse lookups: the HOST field of remote messages is the sender's IP
stats_freq(0);
};

######
# sources
source s_all {
# messages generated by syslog-ng itself
internal();
# remote hosts: unauthenticated UDP, so restrict who can reach this port
udp(ip(0.0.0.0) port(514));
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" program_override("kernel: "));
};

# Define filters
# matches on the HOST field, which with use_dns(no) is the sending IP
filter f_cisco_pix {
host("IP.OF.PIX.DEVICE");
};

# general filter: everything that is neither the PIX nor a Windows event-log message
filter f_not_others {
not host("IP.OF.PIX.DEVICE")
and not program("MSWinEventLog");
};

# Destinations (FIFO buffers; create them with mkfifo before starting syslog-ng)
destination d_cisco {
pipe("/var/log/buffers/cisco");
};

# general FIFO
destination d_gen_fifo {
pipe("/var/log/buffers/syslog");
};

# Archive: one file per day, created with perm(0640) inside dir_perm(0755)
destination d_all {
file("/var/log/arch/$MONTH$DAY$YEAR");
};

# cisco log

log {
source(s_all);
filter(f_cisco_pix);
destination(d_cisco);
};

# general log
log {
source(s_all);
filter(f_not_others);
destination(d_gen_fifo);
};

# archive log (no filter: every message, Windows events included, is archived)
log {
source(s_all);
destination(d_all);
};

———————
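As an added example (my code, not from the page or from syslog-ng), the following Python re-implements the routing that the three log {} paths above perform, so the filters can be checked against sample messages offline. PIX_HOST stands in for the IP.OF.PIX.DEVICE placeholder, and the sample messages are constructed. Two things it makes visible: host() matches whatever sits in the HOST field, which with use_dns(no) and keep_hostname left at its default is the sender's IP, and since a UDP source address can be spoofed, anything on the network can push lines into d_cisco; and the archive path has no filter, so every message ends up under /var/log/arch.

```python
"""RFC 3164 syslog parsing and routing mirroring the server config above.

Added example, not code from the original page or from syslog-ng. It
re-implements the filters f_cisco_pix, f_not_others and notdebug in Python.
PIX_HOST stands in for the page's IP.OF.PIX.DEVICE placeholder; SAMPLES are
constructed test messages.
"""
import re
from dataclasses import dataclass

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_UDP_MSG = 1024          # RFC 3164: a receiver need not accept more than this
PIX_HOST = "10.0.0.1"       # assumption: stands in for IP.OF.PIX.DEVICE


@dataclass
class Msg:
    facility: str
    severity: str
    host: str
    program: str
    text: str


# <PRI>TIMESTAMP HOST TAG[pid]: MSG   (TAG is what syslog-ng exposes as program())
_RE = re.compile(
    r"^<(\d{1,3})>"                      # PRI = facility * 8 + severity
    r"(\w{3} [ \d]\d \d\d:\d\d:\d\d) "   # TIMESTAMP
    r"(\S+) "                            # HOSTNAME, or the sender IP with use_dns(no)
    r"([^:\[\s]+)(?:\[\d+\])?:?\s?"      # TAG, optional [pid], separator
    r"(.*)$", re.S)


def parse(raw: str) -> Msg:
    m = _RE.match(raw)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not an RFC 3164 message: %r" % raw)
    pri = int(m.group(1))
    return Msg(FACILITIES[pri // 8], SEVERITIES[pri % 8],
               m.group(3), m.group(4), m.group(5))


def build(facility, severity, host, program, text, timestamp="Oct 11 22:14:15"):
    """Client side: encode a message; oversize payloads are cut at 1024 bytes,
    which is what a UDP receiver may silently do as well."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    raw = "<%d>%s %s %s: %s" % (pri, timestamp, host, program, text)
    return raw.encode()[:MAX_UDP_MSG].decode(errors="ignore")


# --- the page's filters, one function each ---------------------------------
def f_cisco_pix(m):
    return m.host == PIX_HOST


def f_not_others(m):
    return m.host != PIX_HOST and m.program != "MSWinEventLog"


def notdebug(m):
    # level(info..emerg): info and every more urgent level
    return SEVERITIES.index(m.severity) <= SEVERITIES.index("info")


def route(raw):
    """Destinations a message reaches under the three server log {} paths."""
    m = parse(raw)
    dests = []
    if f_cisco_pix(m):
        dests.append("d_cisco")
    if f_not_others(m):
        dests.append("d_gen_fifo")
    dests.append("d_all")          # the archive path has no filter at all
    return dests


def client_forwards(raw):
    """Whether the client config's notdebug filter lets a message out at all."""
    return notdebug(parse(raw))


# Constructed sample traffic: a PIX line, an sshd line, a Windows event, a debug line.
SAMPLES = [
    "<166>Oct 11 22:14:15 10.0.0.1 %PIX-6-302013: Built outbound TCP connection 1 for outside:203.0.113.5/443",
    "<86>Oct 11 22:14:16 web01 sshd[2041]: Accepted publickey for deploy from 192.0.2.7 port 50222 ssh2",
    "<13>Oct 11 22:14:17 dc01 MSWinEventLog\t1\tSecurity\t4625\tAn account failed to log on",
    "<15>Oct 11 22:14:18 web01 app: verbose trace that the client's notdebug filter drops",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        m = parse(raw)
        print("%-9s %-8s %-10s %-14s -> %s" % (m.facility, m.severity, m.host, m.program, route(raw)))
```

Running it prints one line per sample with its facility, severity, host, program and the destinations it reaches; the debug line still reaches d_gen_fifo and d_all on the server, because only the client config filters on level.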

Then a few more steps:

• Creating the directory structure

# mkdir /var/log/arch
# mkdir /var/log/buffers

• Making the FIFO buffers
# mkfifo /var/log/buffers/cisco
# mkfifo /var/log/buffers/syslog

then restart syslog-ng server
# /etc/init.d/syslog-ng restart

Check your FIFO buffers and log files (/var/log/arch/*). Reading a FIFO consumes what it holds, so do this only while nothing else (such as Splunk) is attached to it:
# cat /var/log/buffers/syslog
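The FIFO behaviour behind the buffers above, as an added example that is not part of the original page: it creates a temporary FIFO with os.mkfifo (my own path under a temp directory, not /var/log/buffers/*), writes a few constructed lines from one thread and reads them from another, and then shows that nothing remains once they have been consumed. That is why a reader such as cat must not compete with Splunk on the same pipe, and why the archive file exists.

```python
"""Named-pipe semantics behind syslog-ng's pipe() destinations.

Added example, not from the original page. Paths and log lines are
constructed; the FIFO lives in a temporary directory.
"""
import os
import tempfile
import threading


def write_lines(path, lines):
    # open() for writing blocks until a reader opens the other end, hence the thread
    with open(path, "w") as fifo:
        for line in lines:
            fifo.write(line + "\n")


def drain(path):
    """Read everything one writer sends: this is what cat (or Splunk) sees."""
    with open(path) as fifo:             # blocks until a writer connects
        return fifo.read().splitlines()  # EOF once the writer closes


def peek_nonblocking(path):
    """Open read-only without waiting for a writer and return whatever is
    buffered: nothing, because a FIFO keeps no history once it has been read."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        return os.read(fd, 65536)        # b"" (EOF) when no writer is attached
    except BlockingIOError:
        return b""                       # writer attached but nothing queued
    finally:
        os.close(fd)


def demo(lines):
    """Return (what the first reader got, what a later reader finds)."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "syslog")
    os.mkfifo(path, 0o600)               # like mkfifo /var/log/buffers/syslog
    try:
        t = threading.Thread(target=write_lines, args=(path, lines))
        t.start()
        first = drain(path)
        t.join()
        second = peek_nonblocking(path)
    finally:
        os.unlink(path)
        os.rmdir(d)
    return first, second


# Constructed syslog-style lines standing in for what syslog-ng would write.
LINES = [
    "Oct 11 22:14:16 web01 sshd[2041]: Accepted publickey for deploy from 192.0.2.7",
    "Oct 11 22:14:17 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
]

if __name__ == "__main__":
    got, left = demo(LINES)
    print("first reader received:", got)
    print("second reader found:", left)
```

If no reader is attached at all, syslog-ng queues up to log_fifo_size() messages for that destination and drops the rest, so start the consumer before the logs matter.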

Client side:

rpm -ivh http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.0.2/setups/rhel-5-amd64/syslog-ng-client-3.0.2-1.rhel5.amd64.rpm

vi /opt/syslog-ng/etc/syslog-ng.conf

Paste the following client config:

@version: 3.0
# Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
#

options {
};

######
# sources
source s_local {
# loopback only: this UDP listener is not reachable from the network
udp(ip(127.0.0.1) port(514));
# messages generated by syslog-ng itself
internal();
# standard Linux log source (this is the default place for the syslog()
# function to send logs to)
unix-stream("/dev/log");
# messages from the kernel
file("/proc/kmsg" program_override("kernel: "));

};

######
# destinations
destination d_messages { file("/var/log/messages"); };

# info and above; the level range is written with two dots
filter notdebug { level(info..emerg); };
# plain UDP to the collector: unencrypted and unacknowledged; tcp() is the
# syslog-ng alternative when loss matters
destination loghost { udp("your syslog-ng server IP" port(514)); };

log {
source(s_local);
filter(notdebug);                # applies to both destinations in this path
destination(loghost);
destination(d_messages);
};

———————
Or use the stock syslog service instead: one line in its configuration forwards everything over UDP to the collector
• *.* @IP.OF.SYSLOG.SERVER

How do we view this data?
Ans: Splunk

Splunk is a monitoring and reporting tool for IT system administrators with search capabilities. It consolidates logs, metrics and other data from applications, servers and network devices into a searchable repository and can generate graphs, reports and alerts. It is intended to help administrators spot patterns and diagnose problems; log files can be correlated across systems and software components, which helps with root-cause analysis of system failures.

wget ‘http://www.splunk.com/index.php/download_track?file=3.4.10/linux/splunk-3.4.10-60883-linux-2.6-x86_64.rpm&ac=&wget=true&name=wget&typed=releases’

rpm -ivh splunk-3.4.10-60883-linux-2.6-x86_64.rpm

/opt/splunk/bin/splunk start