How to receive and store syslog entries over the network

Hi All,

I want to use my AppleTV to capture and store syslog entries from other devices on my LAN. I am not overly familiar with systemd, so I thought of asking here first before I start installing more conventional loggers. What is the recommended way to achieve this?

Regards,
Mick

If all of your clients use systemd, then

sudo apt-get install systemd-journal-remote is probably the best way

Otherwise you can use rsyslogd which is quite popular.

There are other alternatives like Logstash too.

Thanks Sam, none of the LAN clients use systemd. I was thinking of installing syslog-ng and logrotate. Is there anything in particular I would need to pay attention to when configuring these to co-exist happily with systemd?

Regards,
Mick

Not that I’m aware of. This is a bit beyond the scope of this forum, however.

Sam

Yes, but only a little bit. :wink:

I installed syslog-ng which brought with it the necessary systemd service file and started syslog-ng. I had to add a configuration file to handle the incoming syslog entries:

$ cat /etc/syslog-ng/conf.d/remote.conf
# source net { syslog(ip(192.168.1.25) transport("udp")); };   <== This won't work!
source net { udp(); };   # <== Use this instead
destination remote { file("/var/log/remote/${FULLHOST}-log"); };
log { source(net); destination(remote); };

Where 192.168.1.25 is the LAN address of the ATV server where the syslog-ng server is listening for connections from the syslog clients of LAN devices.

NOTE: Use this entry instead

source net { udp(); };

or syslog-ng will fail to start on a reboot if you specify an IP address to listen for connections. Perhaps it wants the ethernet interface to be up and running before it will start. Not sure.

Each LAN host sending its logs to the syslog-ng server will generate a log file prepended with its IP address within /var/log/remote/. I had to create the /var/log/remote directory manually and chown it to root:adm.

I have not yet installed logrotate or configured a cron job to rotate syslog-ng generated logs. Is this something that systemd will do on its own along with the journal file, or will it require my intervention?

Regards,
Mick
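What the udp() source and the per-host file destination in the post above amount to, as an added Python example that is not part of the thread or of syslog-ng: a small UDP receiver that names each file after the packet's source address and stores every datagram as exactly one line. The function names, the severity-prefixed line format and the sample address used to exercise it are assumptions made for this example.

```python
import ipaddress
import re
import socket
from pathlib import Path

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(datagram: bytes):
    """Split the leading <PRI> into (facility, severity, rest of message)."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:      # facility 23, severity 7 is the maximum
        return None, None, datagram
    pri = int(m.group(1))
    return pri >> 3, pri & 7, datagram[m.end():]


def log_path(log_dir: Path, sender_ip: str) -> Path:
    """Name the file after the socket's source address, never after message text."""
    ip = ipaddress.ip_address(sender_ip)    # raises ValueError for anything but an IP
    return log_dir / f"{ip}-log"


def store(log_dir: Path, sender_ip: str, datagram: bytes) -> Path:
    """Append one datagram as exactly one line to the sender's file."""
    _facility, severity, rest = parse_pri(datagram)
    text = rest.decode("utf-8", errors="replace")
    # UDP syslog is unauthenticated: blank out control characters so a message
    # body cannot add extra lines to the stored log.
    text = "".join(ch if ch.isprintable() else " " for ch in text).strip()
    label = SEVERITIES[severity] if severity is not None else "nopri"
    path = log_path(log_dir, sender_ip)
    with path.open("a", encoding="utf-8") as fh:
        fh.write(f"{label} {text}\n")
    return path


def serve(log_dir: Path, bind=("0.0.0.0", 514)) -> None:
    """Listen on all interfaces, as udp() with no ip() does; port 514 needs root."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, (ip, _port) = sock.recvfrom(8192)
        store(log_dir, ip, data)


if __name__ == "__main__":
    serve(Path("/var/log/remote"))
```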

You need logrotate. The package sets up a systemd-timer

Thank you Sam,

Installing logrotate brought cron with it, installed /etc/logrotate.d/syslog-ng and also set up a daily cron job. All I had to do is add an entry for /var/log/remote/*-log in /etc/logrotate.d/syslog-ng.

This looks good and was much simpler than I thought. Thank you for your help! :slight_smile:

Regards,
Mick

PS. The only thing I noticed when installing logrotate was this message about update-rc.d:

Preparing to unpack …/logrotate_3.8.7-1+b1_i386.deb …
Unpacking logrotate (3.8.7-1+b1) …
Processing triggers for systemd (215-17+deb8u6) …
Setting up cron (3.0pl1-127+deb8u1) …
Adding group `crontab’ (GID 113) …
Done.
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Setting up logrotate (3.8.7-1+b1) …
Processing triggers for systemd (215-17+deb8u6) …

Does falling back to defaults mean systemd unit files will be used to start cron?

No – it means the maintainer hasn’t provided a systemd unit for their package, so rc.d is effectively a legacy shim

It will all work fine