Check the '/etc/syslog.conf' file for the following configuration:
* Make sure 'remote' is included in the 'DESTINATION' variable.
* Make sure the 'REMOTE' variable is defined and set to the IP address of the remote syslog server, for
example:
DESTINATION="remote"
REMOTE=<ip-of-remote-host>:514
Restart the syslogd daemon after changing the configuration.
- Settings of Ubuntu
Note: this assumes 'rsyslog' is used as the syslog server on Ubuntu.
Check the '/etc/rsyslog.conf' file for the following configuration:
* Make sure rsyslog accepts remote syslog messages via UDP and TCP by uncommenting the lines below:
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$TCPServerRun 514
Restart 'rsyslog' on Ubuntu after changing the configuration. Ubuntu should now accept syslog messages from the target system.
- Customize the syslog on Ubuntu
1. Use simple log format
By default, each syslog message on Ubuntu is prefixed with a timestamp, the host name, and the application name. Sometimes this is unwanted. To use a simple format without these prefixes:
Add a line like this to '/etc/rsyslog.conf' to define a new format:
$template SimpleFormat,"%msg:::drop-last-lf%\n"
Now you can change '/etc/rsyslog/50-default.conf' to use this format.
2. Use separate log file for particular application or host
You may want to use a separate log file for your own application, or for messages from a particular host. This can be done by adding rules like these to '/etc/rsyslog/50-default.conf':
if $programname == 'controller' then /var/log/controller.log;SimpleFormat
if $HOSTNAME != 'localhost' then /var/log/board.log;SimpleFormat
The first line makes rsyslog write all messages from the application named 'controller' to the separate file '/var/log/controller.log', using the simple format defined above.
The second line makes rsyslog write all messages coming from remote machines to the separate file '/var/log/board.log', using the simple format defined above.
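To see what the two rules and the 'SimpleFormat' template actually do to incoming messages, the following Python script is an added example (it is not part of the original post and not rsyslog code): it parses traditional BSD-style (RFC 3164) syslog lines of the kind the UDP/TCP listeners above receive, applies the same two filters ($programname == 'controller', $HOSTNAME != 'localhost') and the same template (message text only, one trailing line feed dropped), and reports which file each message would land in. The sample messages, host names and PIDs are constructed for the example; note that, as in rsyslog, the host name used by the second rule is whatever the sender wrote into the message header.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample messages in RFC 3164 wire format: "<PRI>TIMESTAMP HOST TAG[PID]: MSG".
# The first one carries a trailing LF, which the template is expected to drop.
SAMPLE_MESSAGES = [
    "<134>Mar  1 12:00:01 board-01 controller[412]: link up on eth0\n",
    "<131>Mar  1 12:00:02 board-01 kernel: eth0: watchdog timeout",
    "<14>Mar  1 12:00:03 localhost cron[998]: (root) CMD (run-parts /etc/cron.hourly)",
    "<13>Mar  1 12:00:04 localhost controller: self-test passed",
]

# PRI is facility * 8 + severity; TAG is the program name, optionally followed by [pid].
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: str
    hostname: str      # taken from the header exactly as the sender wrote it
    programname: str   # rsyslog's $programname: the TAG without the [pid] part
    pid: Optional[int]
    msg: str           # rsyslog's %msg%, trailing LF (if any) still attached


def parse_syslog(line: str) -> SyslogMessage:
    """Split one RFC 3164 line into the properties the rsyslog rules refer to."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m.group("pri"))
    pid = m.group("pid")
    return SyslogMessage(
        facility=pri >> 3,
        severity=pri & 7,
        timestamp=m.group("timestamp"),
        hostname=m.group("hostname"),
        programname=m.group("tag"),
        pid=int(pid) if pid is not None else None,
        msg=m.group("msg"),
    )


def simple_format(m: SyslogMessage) -> str:
    """Mimic the template "%msg:::drop-last-lf%\\n": message text only, one trailing LF removed, then newline."""
    text = m.msg[:-1] if m.msg.endswith("\n") else m.msg
    return text + "\n"


def route(m: SyslogMessage) -> List[Tuple[str, str]]:
    """Apply the two 50-default.conf rules in order; like rsyslog, a message may match both."""
    targets = []
    if m.programname == "controller":
        targets.append(("/var/log/controller.log", simple_format(m)))
    if m.hostname != "localhost":
        targets.append(("/var/log/board.log", simple_format(m)))
    return targets


def route_all(lines: List[str]) -> Dict[str, List[str]]:
    """Return, per output file, the formatted lines the rules would append to it."""
    files: Dict[str, List[str]] = {}
    for line in lines:
        for path, text in route(parse_syslog(line)):
            files.setdefault(path, []).append(text)
    return files


if __name__ == "__main__":
    for path, lines in route_all(SAMPLE_MESSAGES).items():
        print(f"== {path} ==")
        print("".join(lines), end="")
```

Running it shows the overlap the two rules produce: the message from 'controller' on 'board-01' is written to both files, the kernel message from 'board-01' only to board.log, the local 'controller' message only to controller.log, and the local cron message to neither.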