How can I receive syslog logs from a networked system?

I'd like to configure Ubuntu to receive logs from a DD-WRT router. The router's configuration screen contains the following section:

DD-WRT System Log

and its logging documentation reads:

If you wish to send logs to a remote system, enter the IP address of that machine which is also running a syslog utility (it needs an open network socket in order to accept logs being sent by the router).

I've never (knowingly) used syslog before. What do I need to do in Ubuntu to allow it to receive these logs?


Solution 1:

The host receiving the logs will need to be running some syslog daemon that is configured to listen for remote logs. There are a number of syslog implementations in Ubuntu, but rsyslog is typically recommended, and should be installed by default. I can't tell from the documentation in the link you posted if DD-WRT is sending logs via TCP or UDP, so it may require some experimentation to find precisely the correct settings, if you are concerned about reducing the number of network-accessible ports on your host.

There are two ways to enable this: the first is simpler, but may require re-integration when the system is upgraded. The second is slightly more complicated, and may cause confusing results if there are significant changes to the syslog configuration as part of an update. I would choose the second, but your preference may vary.

The first is to edit /etc/rsyslogd.conf, and remove the initial # from the following lines:

#$ModLoad imudp
#$UDPServerRun 514

or

#$ModLoad imtcp
#$InputTCPServerRun 514

The second is to create a new file, perhaps named local-enable-tcp.conf in /etc/rsyslog.d/, with the following contents:

# enable TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

If you want to use the separate file approach, and need UDP, change the contents to match the UDP stanza above. The specific filename is not important, but it is recommended to start it with "local-" as this namespace is reserved for local administrator configuration, and it must end with ".conf", as only files ending like this are automatically included in the rsyslog configuration.

If you would prefer to use another syslog implementation, check the configuration and documentation for that implementation: it is likely that the syslog daemon is configured not to listen on the network by default, but example configuration to enable this common case ought to be clearly documented.

Solution 2:

Another option is to use syslog-ng: easy to use, and ready to go!

sudo apt-get install syslog-ng

After installing it, there is a conf file at /etc/syslog-ng/syslog-ng.conf. So, just edit this .conf with our parameters, but before that, make a backup of the default config file; it can be useful later if you want to tune some parameters.

sudo mv /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.bak

Now create a new config file and edit it!

sudo touch /etc/syslog-ng/syslog-ng.conf
sudo nano /etc/syslog-ng/syslog-ng.conf

So, just paste this basic config to get it working:

# Listening to incoming UDP Syslog connections
source mysource { udp(); };

#Add the syslog targets:

destination dest { file("/var/log/Cisco$YEAR$MONTH$R_DAY.log"); };
#destination dest_other_server { udp("1.2.3.4" port(514)); };
#Create the filters that will be used to determine what to do with the received syslog message

#filter filter { ( host("2.3.4.5") and level(notice) and match("username=.*@domain\.local" value("MESSAGE") flags("utf8" "ignore-case")) ); };
filter myfilter { ( level(notice) ); };
#And putting it all together:

log { source(mysource); filter(myfilter); destination(dest);  };

Easy, as you can see. Take care!
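Both answers above end up with a daemon bound to UDP/514 waiting for the router's datagrams. As an added illustration (not code from either answer, nor from rsyslog or syslog-ng), here is a minimal Python receiver that does the same job and shows what actually arrives on the wire: it splits the RFC 3164 `<PRI>` field into facility and severity, pulls out timestamp, hostname and message, and drops any datagram that did not come from the router's address. The router address 192.168.1.1, the log path and the sample datagram are assumptions/constructed.

```python
"""Minimal RFC 3164 (BSD syslog) UDP receiver: the job rsyslog's imudp or syslog-ng's udp() does."""
import re
import socket
from datetime import datetime

# Constructed sample datagram in the shape a router's busybox syslogd forwards.
SAMPLE_DATAGRAM = b"<14>Jan  5 12:34:56 router dnsmasq[123]: started, version 2.85"

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)
_HDR_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)


def parse_syslog(datagram: bytes) -> dict:
    """Decode PRI (facility*8 + severity), timestamp, host and message; tolerate a missing header."""
    m = _PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        pri, rest = 13, datagram          # RFC 3164: no valid PRI -> treat as user.notice
    else:
        pri, rest = int(m.group(1)), m.group(2)
    text = rest.decode("utf-8", errors="replace").rstrip("\r\n")
    h = _HDR_RE.match(text)
    timestamp, host, msg = (h.group(1), h.group(2), h.group(3)) if h else (None, None, text)
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": timestamp, "host": host, "msg": msg}


def serve(bind_addr="0.0.0.0", port=514, allowed_sources=("192.168.1.1",),
          logfile="/var/log/router.log"):
    """Bind UDP/514 (binding a port below 1024 needs root) and keep only the router's datagrams."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(logfile, "a") as out:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _) = sock.recvfrom(65535)
            if src not in allowed_sources:   # assumed router address; anything else is ignored
                continue
            rec = parse_syslog(data)
            out.write(f"{datetime.now().isoformat()} {src} {rec['facility']}.{rec['severity']} "
                      f"{rec['host']} {rec['msg']}\n")
            out.flush()


if __name__ == "__main__":
    serve()
```

The same source restriction is worth applying to the real daemon too, either in its configuration or with a firewall rule limiting UDP/514 to the router's address.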