Hi there.
I’ve decided to create centralized logs server for my network to gather logs from the devices like routers and so on.
The long story short. To do this You need to install and enable syslog-ng package, configure it, open firewall port, create the folder for the logs, give it the right permissions and start the syslog-ng.
su
pacman -S syslog-ng
systemctl enable syslog-ng
Created symlink from /etc/systemd/system/syslog.service to /usr/lib/systemd/system/syslog-ng.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/syslog-ng.service to /usr/lib/systemd/system/syslog-ng.service.
To configure the syslog-ng as a remote server add this bit as a last lines in the /etc/syslog-ng/syslog-ng.conf file:
source s_net { udp(); };
destination remote { file("/var/log/remote/${FULLHOST}-log"); };
log { source(s_net); destination(remote); };
Here is my entire .conf file for You to have a look at.
Then (as root) run:
mkdir -p /var/log/remote/
chown -Rf root:log /var/log/remote/
Now open firewall port if needed.
systemctl start syslog-ng
IF You did everything correctly You should now have open port 514/UDP on the interface that is facing outwards.
su -c "nmap -sU -p 514 192.168.1.50"
Starting Nmap 6.47SVN ( http://nmap.org ) at 2014-10-30 11:06 GMT
Nmap scan report for 192.168.1.50
Host is up (0.00033s latency).
PORT STATE SERVICE
514/udp open|filtered syslogNmap done: 1 IP address (1 host up) scanned in 14.45 seconds
Now configure Your router to use external logs (if it supports it).
Voila…
tail -f /var/log/remote/192.168.1.254-log
Oct 30 11:11:43 192.168.1.254 syslog: category:”Sec_Account” detail:”User admin login from 192.168.1.50 successful”
Oct 30 11:11:44 192.168.1.254 syslog: category:”Sec_Account” detail:”User admin login from 192.168.1.50 successful”
Cheers.
Andrzej
