HOW TO SETUP RSYSLOG TO LISTEN ON UDP AND TCP AND SAVE LOGS TO FOLDER BASED ON IP
Tested with an rsyslog server (syslog port 514 on both UDP and TCP) and a client pointed at those ports. Whatever ASCII text the client sends shows up as log messages.
apt-get install rsyslog
vi /etc/rsyslog.conf (make sure the config looks like the one below)
/etc/init.d/rsyslog restart
root@debikos71:/var/log# cat /etc/rsyslog.conf
### THIS SHOWS HOW I CONFIGURED MY RSYSLOG FOR UDP AND TCP AND ALSO FOR EACH HOST TO SAVE INFO IN /var/log/<ip>/ ###
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
*.* ?FILENAME
### EVERYTHING BELOW IS TYPICAL DEFAULT CONFIG ###
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
*.emerg                         :omusrmsg:*
daemon.*;mail.*;\
        news.err;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole
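The selector lines above decide where every message ends up, and the mix of `*.*`, `.none` and `.=prio` parts is easy to misread. The following is an added example written for this post (it is not the page's own code and not part of rsyslog): it implements the legacy selector semantics in Python and evaluates a subset of the rules copied from the listing above for a few facility/severity pairs, so you can confirm, for instance, that auth.info lands in auth.log and in the per-IP dynamic file but not in /var/log/messages. It assumes the standard RFC 3164 facility and severity codes; `SAMPLE_CONF` is the rule subset taken from the config above.

```python
"""Evaluate legacy rsyslog/sysklogd selector lines (facility.priority  target).

Added example: given rule lines from the rsyslog.conf above, work out which
targets a message with a given facility and severity is written to.
"""
from typing import Dict, List, Set, Tuple

# Facility and severity codes from RFC 3164 / <syslog.h>.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
ALL_SEVERITIES = set(range(8))

# Rule subset copied from the rsyslog.conf shown above. The $template line is left in
# to show that $directives are skipped by the rule parser (raw string keeps the
# backslash continuations intact).
SAMPLE_CONF = r"""
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
*.* ?FILENAME
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
mail.*                          -/var/log/mail.log
mail.err                        /var/log/mail.err
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
*.emerg                         :omusrmsg:*
daemon.*;mail.*;\
        news.err;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole
"""


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Return (selector, target) pairs. Backslash-continued lines are joined;
    comments, blank lines and $directives are skipped; whitespace inside a
    selector is dropped."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            rules.append(("".join(parts[:-1]), parts[-1]))
    return rules


def selector_mask(selector: str) -> Dict[int, Set[int]]:
    """Per-facility set of selected severities, applying the ';'-separated parts
    left to right as rsyslog's legacy parser does: 'prio' adds prio and everything
    more severe, '=prio' adds exactly prio, a leading '!' removes instead of adds,
    'none' clears the facility, '*' selects every severity."""
    mask = {code: set() for code in FACILITIES.values()}
    for part in filter(None, selector.split(";")):
        facs, _, prio = part.rpartition(".")
        if not facs:
            raise ValueError(f"bad selector part: {part!r}")
        remove = prio.startswith("!")
        prio = prio.lstrip("!")
        exact = prio.startswith("=")
        prio = prio.lstrip("=")
        if prio == "*":
            bits = ALL_SEVERITIES
        elif prio == "none":
            bits, remove = ALL_SEVERITIES, not remove
        else:
            top = SEVERITIES[prio]
            bits = {top} if exact else {s for s in ALL_SEVERITIES if s <= top}
        codes = list(FACILITIES.values()) if facs == "*" else [FACILITIES[f] for f in facs.split(",")]
        for code in codes:
            mask[code] = mask[code] - bits if remove else mask[code] | bits
    return mask


def targets_for(rules: List[Tuple[str, str]], facility: str, severity: str) -> List[str]:
    """All targets (in config order) a facility.severity message is delivered to.
    A leading '-' on a file means buffered writes; '?' names a dynamic filename template."""
    fac, sev = FACILITIES[facility], SEVERITIES[severity]
    return [tgt for sel, tgt in rules if sev in selector_mask(sel)[fac]]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for fac, sev in [("auth", "info"), ("kern", "emerg"), ("mail", "err"), ("cron", "warning")]:
        print(f"{fac}.{sev:<8} -> {', '.join(targets_for(rules, fac, sev))}")
```

Run it as a script to print the routing table for the four sample messages; `targets_for` is the function to reuse when checking a different facility/severity pair against your own rule lines.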

HOW TO ENABLE SYSLOG SERVER (from scratch – same as above instructions)

https://wiki.debian.org/DebianEdu/HowTo/syslog-ng

http://www.thegeekstuff.com/2012/01/rsyslog-remote-logging/

http://docs.openstack.org/trunk/openstack-ops/content/rsyslog_server_config.html

The old syslog software is syslog

The newer one is rsyslog, which is what my debikos machine has

vi /etc/rsyslog.conf

press i to enter insert mode and start writing

Uncomment this part, or add it if it is missing (for TCP):

$ModLoad imtcp

$InputTCPServerRun 514

If you want UDP, uncomment this; leave it commented out with a # if you don't want it:

$ModLoad imudp

$UDPServerRun 514

NOTE: any line that starts with # is a comment

Add this last part to get a log directory per client IP:

# This is the template that generates the log filename dynamically, depending on the client's IP address.

$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"

*.* ?FILENAME

Save and quit with :wq!

/etc/init.d/rsyslog stop

/etc/init.d/rsyslog start

or

/etc/init.d/rsyslog restart

or

service rsyslog stop

service rsyslog start

or

service rsyslog restart
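To test the listeners the way the top of the post describes (a client pointed at port 514 over UDP and TCP), here is an added Python example that is not part of the original post and not rsyslog's code: it builds an RFC 3164 message with the correct PRI, sends it over either transport (one datagram per message for imudp, LF-terminated for imtcp), and decodes the PRI the way a receiver would, which shows why arbitrary text arriving at the port still appears as a log line. The `loopback_roundtrip` helper with its throwaway listener on 127.0.0.1 is my addition so the example runs without an rsyslog server; `SERVER_IP` in the final comment is a placeholder for your own server's address.

```python
"""Send a test syslog message to an rsyslog listener over UDP or TCP and look at
what the receiver gets.

Added example: exercises the two listeners the rsyslog.conf above opens (imudp
and imtcp on port 514). For a self-contained run it talks to a throwaway
listener on 127.0.0.1 instead of a real rsyslog server."""
import datetime
import re
import socket

# Numeric codes from RFC 3164 (same values as <syslog.h>); only the ones used here.
FAC_USER, FAC_AUTH = 1, 4
SEV_NOTICE, SEV_INFO = 5, 6


def build_message(facility: int, severity: int, hostname: str, tag: str, msg: str,
                  when: datetime.datetime = None) -> str:
    """RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG, with PRI = facility*8 +
    severity and TIMESTAMP as 'Mmm dd hh:mm:ss' (day space-padded)."""
    when = when or datetime.datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {msg}"


def split_pri(line: str):
    """Decode the <PRI> header into (facility, severity, rest). A line without a
    valid header is filed as user.notice (PRI 13), the default RFC 3164 assigns to
    malformed input, which is why plain ASCII sent at the port still shows up as
    a log message."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.S)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        return pri // 8, pri % 8, m.group(2)
    return FAC_USER, SEV_NOTICE, line


def send_udp(host: str, port: int, message: str) -> None:
    """One datagram per message; imudp treats each datagram as one log line."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode(), (host, port))


def send_tcp(host: str, port: int, message: str) -> None:
    """imtcp splits the stream on LF by default, so terminate the message with a newline."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall((message + "\n").encode())


def loopback_roundtrip(message: str, proto: str) -> str:
    """Bind a throwaway listener on 127.0.0.1 (assumption: loopback is available),
    send `message` to it with the same functions you would point at port 514, and
    return what arrived, decoded."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
            srv.bind(("127.0.0.1", 0))
            srv.settimeout(5)
            send_udp("127.0.0.1", srv.getsockname()[1], message)
            data, _ = srv.recvfrom(65535)
            return data.decode()
    if proto != "tcp":
        raise ValueError(f"unknown transport: {proto!r}")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        srv.settimeout(5)
        # The client's connect completes against the listen backlog, so it can
        # send and close before accept() is called; the data waits in the buffer.
        send_tcp("127.0.0.1", srv.getsockname()[1], message)
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            chunks = []
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    return b"".join(chunks).decode()


if __name__ == "__main__":
    line = build_message(FAC_AUTH, SEV_INFO, "client1", "test[1]", "hello from the client")
    for proto in ("udp", "tcp"):
        got = loopback_roundtrip(line, proto)
        print(proto, repr(got), "facility/severity:", split_pri(got)[:2])
    # Against the real server from the config above (SERVER_IP is a placeholder):
    #   send_udp("SERVER_IP", 514, line); send_tcp("SERVER_IP", 514, line)
    # then check /var/log/<client ip>/syslog.log on the server.
```

After sending to a real server, the line should appear in /var/log/<client ip>/syslog.log, since `%fromhost-ip%` is filled from the peer address of the connection or datagram rather than from anything inside the message.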
