[.CONF] Syslog-ng – configured to work as a remote logging server.

Hi there.

I’ve decided to create centralized logs server for my network to gather logs from the devices like routers and so on.

The long story short. To do this You need to install and enable syslog-ng package, configure it, open firewall port, create the folder for the logs, give it the right permissions and start the syslog-ng.


pacman -S syslog-ng

systemctl enable syslog-ng

Created symlink from /etc/systemd/system/syslog.service to /usr/lib/systemd/system/syslog-ng.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/syslog-ng.service to /usr/lib/systemd/system/syslog-ng.service.

To configure the syslog-ng as a remote server add this bit as a last lines in the /etc/syslog-ng/syslog-ng.conf file:

source s_net { udp(); };
destination remote { file("/var/log/remote/${FULLHOST}-log"); };
log { source(s_net); destination(remote); };

Here is my entire .conf file for You to have a look at.

Then (as root) run:

mkdir -p /var/log/remote/

chown -Rf root:log /var/log/remote/

Now open firewall port if needed.

systemctl start syslog-ng

IF You did everything correctly You should now have open port 514/UDP on the interface that is facing outwards.

su -c "nmap -sU -p 514"

Starting Nmap 6.47SVN ( http://nmap.org ) at 2014-10-30 11:06 GMT
Nmap scan report for
Host is up (0.00033s latency).
514/udp open|filtered syslog

Nmap done: 1 IP address (1 host up) scanned in 14.45 seconds

Now configure Your router to use external logs (if it supports it).



tail -f /var/log/remote/

Oct 30 11:11:43 syslog: category:”Sec_Account” detail:”User admin login from successful”
Oct 30 11:11:44 syslog: category:”Sec_Account” detail:”User admin login from successful”




"Never meet Your heroes. Most of the time you'll only end up disappointed." White Polak Male Husband Employee Hetero Carnivorous Fugly Geek @$$hole with ADD Catholic “Some men just want to watch the world burn.”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.