Syslog is a logging protocol used by systems to send messages to a logger. It is a standard network protocol that systems use to report events that have occurred on them, and it can be used to collect events from systems remote from the one that is logging them. The following steps will help you collect server events remotely using syslog:
- Configure the syslog daemon on your system so it sends messages about server events to your logger. This step should be done before you start collecting server events using syslog. For more information, see Configure Your Syslog Daemon for Remote Collection of Server Events.
- Start your logger and send messages about server events using syslog. For more information, see Start Your Syslog Daemon for Remote Collection of Server Events.
- Collect data about server events using your logger and store it in a file or database. For more information, see Collect Data About Server Events Using Your Logger.
Have you ever wished that instead of having to manually log in to a server in order to see the system log, the events would simply come to you? How-To Geek goes into how to set up a syslog collector.
Overview
Syslog is used on a variety of servers/devices to give system information to the system administrator. From its Wikipedia entry:
Syslog can be used for computer system management and security auditing as well as generalized informational, analysis, and debugging messages. It is supported by a wide variety of devices (like printers and routers) and receivers across multiple platforms. Because of this, syslog can be used to integrate log data from many different types of systems into a central repository.
In order to tap that information, one could:
- Connect to the server/device. How this is done can change from device to device, and whether it is possible at all depends on where the administrator is in relation to the firewall protecting the asset.
- Find the Syslog file, which could be in a slightly different location depending on the system/device being accessed. For example, on Debian this is “/var/log/syslog” and on DD-WRT it is “/var/log/messages” (almost as if only to spite you…).
- Use an available file viewing utility. Again, this could be slightly different depending on what is available on the system. For example, on Busybox the “less” utility isn’t the full GNU implementation and as such is missing the “Scroll forward” (+F) function.
The alternative would be to setup a Syslog collector and have the Syslog-ing servers/devices send the events to it.
Prerequisites & Assumptions
A device that supports remote Syslog-ing. In this article we will use DD-WRT as an example. Syslog uses port 514 UDP, and as such it must be reachable from the device sending the information to the collector. Some basic networking know-how is assumed.
Setup the Syslog collector
In order to collect the events, one needs to have a Syslog server. While there are a multitude of options like “Kiwi” and “PRTG”, to mention a few, we opted to use “Syslog Watcher”.
Note: It is recommended that the collecting server use an IP that won’t change, either by statically assigning it or by reserving it in DHCP.
- Download the latest Syslog Watcher.
- Install in the regular “next -> next -> finish” fashion.
- Open the program from the “start menu”.
- When prompted to select the mode of operation, select “Manage local Syslog server”.
- If prompted by Windows UAC, approve the administrative rights request.
- Start the service by clicking the huge “Play” button on the top left.
While you could further configure the program, for example as shown in the video tutorials, you don’t have to, and it is ready to roll.
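To make clear what a collector such as Syslog Watcher is doing behind its “Play” button, here is an added example (not code from the original article or from Syslog Watcher) that listens on UDP 514, decodes the BSD syslog `<PRI>` header into facility and severity, and appends each event to a file. It assumes you are allowed to bind port 514 (root or administrator on most systems) and that the sender emits plain RFC 3164-style lines, as DD-WRT does.

```python
import socket
from datetime import datetime

# RFC 3164 severity names, indexed by PRI % 8
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(msg: str):
    """Split a BSD syslog line into (facility, severity, rest).

    The PRI field is the leading "<N>" where N = facility * 8 + severity.
    Lines without a valid PRI get facility 1 (user) and severity 5 (notice),
    which is what RFC 3164 tells a receiver to assume.
    """
    if msg.startswith("<"):
        end = msg.find(">", 1, 5)          # PRI is at most 3 digits
        if end != -1 and msg[1:end].isdigit():
            pri = int(msg[1:end])
            if pri <= 191:                 # 23 facilities * 8 severities - 1
                return pri // 8, pri % 8, msg[end + 1:]
    return 1, 5, msg


def format_event(sender: str, msg: str) -> str:
    """One line per event: sender IP, numeric facility, severity name, payload."""
    facility, severity, rest = parse_pri(msg)
    return f"{sender} fac={facility} sev={SEVERITIES[severity]} {rest}"


def collect(bind_addr="0.0.0.0", port=514, out_path="collected.log", max_events=None):
    """Receive datagrams on UDP/514 and append them to out_path; returns the count."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    received = 0
    with open(out_path, "a", encoding="utf-8") as out:
        while max_events is None or received < max_events:
            data, (host, _) = sock.recvfrom(8192)
            text = data.decode("utf-8", errors="replace").rstrip("\r\n")
            stamp = datetime.now().isoformat(timespec="seconds")
            out.write(f"{stamp} {format_event(host, text)}\n")
            out.flush()
            received += 1
    return received


if __name__ == "__main__":
    collect()
```

The sender address comes from the UDP datagram and is not authenticated, so treat it as a hint about the origin, not proof of it.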
Setup the Syslog sender
As stated above, we will use DD-WRT for this example. With that said, remote Syslog-ing is a capability supported by most self-respecting devices/OSs. Consult the documentation as to how to set it up.
On DD-WRT:
- Go to the webGUI and select “Services”.
- Check the Enable checkbox for “Syslogd”.
- In the Remote Server textbox, put the IP/DNS of the collecting server.
- Save & Apply for the settings to take effect.
That is it… your Syslog Watcher should start getting populated by system events.
For example, if you’ve implemented our “How to Remove Advertisements with Pixelserv on DD-WRT” guide, you will be able to see something like the below:
Enjoy :)
Don’t try to remotely operate any space bridges… :P