FreeBSD Centralised Logging

Sun 28 January 2007, tagged: FreeBSD

NOTE: This is an old article I wrote in January 2007, it’s still relevant today. It was originally posted on luckydonkey.com which I am in the process of retiring.

I wanted to log everything from my servers and router to a singer server to make it easier to keep up. Here are the steps I went through.

Edit syslog.conf

I’m using bonobo.local as my syslog server. Start by editting /etc/syslog.conf. At the first line that isn’t a comment (first line that doesn’t start with a #) insert + so for me I added +bonobo.local

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
#$FreeBSD: src/etc/syslog.conf
+bonobo.local
*.err;kern.debug;auth.notice;mail.crit          /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
... <snip> ...
!ppp
*.*                                             /var/log/ppp.log

then at the bottom of the file add the name of the client machine, for me this was hypnotoad.local:

1
2
3
!*
+hypnotoad.local
*.*                                             /var/log/hypnotoad.log

there are some funny characters in here that complicate matters.

!* resets the target. A few lines up the default syslog.conf has the line !ppp this tells the syslog daemon that all the following rules only apply to ppp messages. Putting !* tells the syslog daemon that all the following rules match all messages.

+hypnotoad.local tells the syslog daemon that the following rules relate to the machine mentioned.

*.* <tab> <filename> tells the syslog daemon to log anything from the afore mentioned machine to the logfile ‘filename’

For security reasons the syslog daemon won’t start appending (logging) to a file that DOESN’T exist when it starts so you must create the files before restarting the syslog daemon.

1
sudo touch /etc/log/hypnotoad.log

Edit /etc/rc.conf

edit /etc/rc.conf and append the line

1
syslogd_flags=""

This looks odd. Why deliberately pass in empty flags? Because /etc/defaults/rc.conf has

1
syslogd_flags="-s"

The -s option stops syslog from listening for external logging messages. This caught me out first time I tried to do this

Now restart syslog

1
sudo /etc/rc.d/syslogd restart

you should see a few lines about syslog stopping and starting again.

Setting up the clients

On each client make a backup of the original /etc/syslog.conf file and edit the original to include a single line

1
2
#$FreeBSD: src/etc/syslog.conf
*.*     @bonobo.local

replacing bonobo.local with the name / ip address of your logging server. restart your syslog server:

1
sudo /etc/rc.d/syslogd restart

try out the logging with

1
logger "hello from my syslog client"

the message “hello from my syslog client” should appear in the syslog servers log file for the machine you are changing.