Thursday, May 8, 2014

Install Syslog Server (Syslog-ng) on CentOS

Syslog-NG and CentOS 6.x


Requirements:

  • CentOS 6.x (or other Redhat based flavor)
  • Internet Connectivity
  • chkconfig (yum install chkconfig)
  • wget (yum install wget)

Installation:

Install the prerequisite first.
 # yum install chkconfig wget

Install EPEL Repositories:
  1. Login to your server as root (or su root)
  2. Type: cd /root
  3. Type (Current link as of this post):
#wget http://dl.fedoraproject.org/pub/epel/6Server/i386/epel-release-6-8.noarch.rpm
 #rpm -Uvh /root/epel-release-6-8.noarch.rpm
#yum repolist
Install Syslog-NG:
 Run update check:
 #yum check-update
To see if this will impact any other software on your system.
Check the availability of Syslog-NG by typing:
yum list *syslog-ng*

Configure CentOS Services, Stop Rsyslog, and Start Syslog-NG:
Disable rsyslog: 
#chkconfig rsyslog off
Confirm rsyslog is disabled:
#chkconfig syslog-ng on

service rsyslog stop
service syslog-ng start
  1. Example Configuration for Syslog-NG:
    1. Add the following to the END of /etc/syslog-ng/syslog-ng.conf:
      # My Switches
      source s_navneet { 
              udp(ip(0.0.0.0) port(514));
              tcp(ip(0.0.0.0) port(514)); 
      };
      
      destination d_navneet {
              file(
                      "/var/log/navneet/$HOST-$YEAR$MONTH$DAY.log"
                      perm(644)
                      create_dirs(yes)
              );
      };
      
       
      log { source(s_navneet); destination(d_navneet); };
      This will basically take ALL (udp/tcp 0.0.0.0) syslog data and place it into /var/log/navneet. The names of the files are based off the host name and date. For example, if you have switch named MYSWITCH and the current date is May 8th, 2014… the full path and file name would be: /var/log/navneet/nrathi-VBox-20140508.log
    2. *** DO NOT modify any other portion of the file unless you are certain you know what you are doing!
    3. Restart the syslog-ng service to implement changes:
      [root@myserver syslog-ng]# service syslog-ng restart
      Stopping syslog-ng:                                        [  OK  ]
      Starting syslog-ng:                                        [  OK  ]
    4. Delete Old Syslog-NG Files:
    5. Login as root Type:  
    6. crontab -e
    7. Add the following to your crontab file:
# Delete Old Syslog Files
# 3 AM, Every Sunday
0 3 * * 0 /usr/bin/find /var/log/cisco -maxdepth 1 -mtime 90 -name *.log -exec rm {} \;
Change the "90" to your desired number of days.