000028950 - B-1288 - Setting up and using a syslog server with the Appliance

Document created by RSA Customer Support Employee on Jun 14, 2016
Version 1

Article Content

Article Number: 000028950
Applies To: All versions

Resolution

First set up the system that will collect the logs (the "syslog server", or just "log server"). If your environment already has a log server, skip to the second part of this document.
Setting up a log server on the appliance (all done as the root user)
1. Edit /etc/sysconfig/syslog and change SYSLOGD_OPTIONS to:
 
SYSLOGD_OPTIONS="-m 0 -r -x"

2. Edit /etc/sysconfig/iptables and add a rule for the syslogd port (514/udp), as in:
 
-A RH-Firewall-1-INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 514 -j ACCEPT

3. Edit /etc/syslog.conf and add the items you wish to capture near the top. In this example we are using a central log file called "enterprise.log".
 
*.emerg /var/log/enterprise.log
*.alert /var/log/enterprise.log
*.crit /var/log/enterprise.log

You can add any of the following priorities:
 
0 - Emergency (emerg)
1 - Alerts (alert)
2 - Critical (crit)
3 - Errors (err)
4 - Warnings (warn)
5 - Notification (notice)
6 - Information (info)
7 - Debug (debug)

4. Restart syslogd and iptables:
 
service iptables restart

service syslogd restart

Logging from the Aveksa Appliance to a central server
5. Edit /etc/syslog.conf and send all messages to the syslog server:
 
*.* @<syslog Server>

6. Add the syslog server to /etc/hosts, then open firewall port 514 by adding the following to /etc/sysconfig/iptables:
 
-A RH-Firewall-1-INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 514 -j ACCEPT

7. Restart the firewall and syslogd with these commands (use sudo if running as the oracle user):
 
service iptables restart

service syslogd restart

8. Test (as the oracle user) with this command:
 
logger -p mail.crit HelloWorld

If configured correctly, /var/log/enterprise.log on the syslog server will contain the line:
 
Dec 3 14:29:30 192.168.20.86 oracle: HelloWorld

In this example we are logging crit, emerg and alert, so only those priorities will be logged. Change item #3 if you wish to log other events. See the syslogd man page for additional help.
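The following audit script is an added example, not part of the RSA article: it re-checks the three settings the procedure above changes (SYSLOGD_OPTIONS, the iptables rule, and the syslog.conf selectors on both server and appliance) and flags the one thing the procedure leaves open, an ACCEPT rule for 514/udp with no -s source restriction. The sample files and the server address 192.168.20.1 are constructed for the demonstration; point the functions at the real files under /etc to audit an appliance.

```shell
#!/bin/sh
# Added example (not from the RSA article): post-change audit of the three
# settings the procedure above edits. Each check reads the file it is given,
# so it can be pointed at /etc on the appliance; here it runs against
# constructed samples written to a temporary directory.

# 1. Does syslogd on the log server accept remote messages (-r)?
syslogd_accepts_remote() {
    grep -Eq '^SYSLOGD_OPTIONS="([^"]* )?-r( [^"]*)?"' "$1"
}

# 2. Is 514/udp opened in the RH-Firewall-1-INPUT chain?
RULE='^-A RH-Firewall-1-INPUT .*-p udp .*--dport 514 .*-j ACCEPT'
firewall_accepts_514() {
    grep -Eq -e "$RULE" "$1"
}
# -r plus an unrestricted ACCEPT lets any host on the network write into
# enterprise.log; this is true only when every 514/udp ACCEPT names a -s source.
firewall_514_restricted() {
    ! grep -E -e "$RULE" "$1" | grep -Evq -e ' -s '
}

# 3. Selectors sent to a destination (/var/log/enterprise.log on the server,
# @host on the appliance); comment lines are skipped.
selectors_to() {
    awk -v dst="$2" '$1 !~ /^#/ && NF >= 2 && $2 == dst { print $1 }' "$1"
}
logs_priority() {   # $1 file, $2 destination, $3 priority (crit, info, ...)
    selectors_to "$1" "$2" | grep -qxF "*.$3"
}
forwards_all_to() { # $1 file, $2 syslog server host or IP
    awk -v h="@$2" '$1 == "*.*" && $2 == h { f = 1 } END { exit f ? 0 : 1 }' "$1"
}

# Constructed sample files mirroring the article's settings (server IP made up).
D=$(mktemp -d)
printf '%s\n' 'SYSLOGD_OPTIONS="-m 0 -r -x"' > "$D/syslog"
printf '%s\n' '-A RH-Firewall-1-INPUT -p udp -m state --state NEW,ESTABLISHED -m udp --dport 514 -j ACCEPT' > "$D/iptables"
printf '%s\n' '# server side' '*.emerg /var/log/enterprise.log' '*.alert /var/log/enterprise.log' '*.crit /var/log/enterprise.log' > "$D/syslog.conf.server"
printf '%s\n' '*.* @192.168.20.1' > "$D/syslog.conf.client"

syslogd_accepts_remote "$D/syslog"   && echo "server: syslogd -r set"
firewall_accepts_514 "$D/iptables"   && echo "firewall: 514/udp open"
firewall_514_restricted "$D/iptables" || echo "WARNING: 514/udp ACCEPT has no -s source restriction"
logs_priority "$D/syslog.conf.server" /var/log/enterprise.log crit && echo "server: crit is logged"
logs_priority "$D/syslog.conf.server" /var/log/enterprise.log info || echo "server: info is NOT logged (extend step 3)"
forwards_all_to "$D/syslog.conf.client" 192.168.20.1 && echo "appliance: *.* forwarded to server"
```

On the article's own settings the script reports the three checks as passing and prints the WARNING line, since the rule in step 2 accepts 514/udp from any source.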
 
