SoCruel.NU

The domain that loves BSD


A central log host with syslog-ng on FreeBSD

syslog-ng is the Swiss army knife of log management. You can collect logs from any source, process them in real time and deliver them to a wide range of destinations. It allows you to flexibly collect, parse, classify, rewrite and correlate logs from across your infrastructure. This is why syslog-ng is the perfect solution for the central log host of my (mainly) FreeBSD based infrastructure.

Requirements

The following requirements have to be in place to be able to implement what is described in this post:

  • an up to date FreeBSD system version 11.x or 12.x
  • this system is configured as a central syslog host using syslog-ng (version 3.25)
  • for this post it is assumed that the log host has IP address 10.20.30.101
  • the log host keeps syslog messages for 1 week only, with a separate log file for each weekday; each log file is overwritten after a week (please bear in mind that other configurations are possible with syslog-ng!)
  • the hosts which log to the log host use the FreeBSD syslog daemon

Install syslog-ng

We install the syslog-ng software on the FreeBSD system first:

# pkg install syslog-ng

Disable syslogd

In this second step we shutdown the standard FreeBSD syslogd and make sure it does not start at system boot:

# service syslogd stop
# sysrc syslogd_enable="NO"

Initial configuration of syslog-ng

syslog-ng can now be configured. To start the syslog-ng daemon at system start-up we issue the command:

# sysrc syslog_ng_enable="YES"

The syslog-ng daemon has a main configuration file called syslog-ng.conf. This configuration file resides in the /usr/local/etc directory.

A base configuration is done first. This base configuration takes care of the syslog-ng configuration of this host itself only (!). The configuration part which makes this host implementation a log host by being able to receive syslog messages from other hosts is described later in this post.

The syslog-ng base configuration in /usr/local/etc/syslog-ng.conf is the SoCruel base syslog-ng example configuration. You can use your favourite text editor to copy, edit and save it on your own box.

This is a rather straightforward base configuration. Please consult the syslog-ng manual page for a detailed explanation of all the configuration lines:

$ man 5 syslog-ng.conf

Now syslog-ng can be started by typing:

$ sudo service syslog-ng start

Then check if it is running:

$ sudo service syslog-ng status
syslog_ng is running as pid 85846

Make this a log host

The last line of the base configuration (as discussed above) states:

@include "/usr/local/etc/syslog-ng/conf.d/"

This means that syslog-ng includes all the files in the given directory in its final configuration. Let's make sure this directory exists first:

$ sudo mkdir /usr/local/etc/syslog-ng/conf.d

Then, use your favourite editor to make a file called loghost.conf in this directory and add the following configuration:

source s_loghost
   {
      syslog(ip(10.20.30.101) transport("udp"));
   };

This configuration makes sure that syslog-ng listens on the specified IP address (10.20.30.101) using UDP port 514, such that it can receive syslog messages. Then please add:

filter f_all
   {
      level(debug..emerg) and not (program("devd") and level(debug..info));
   };

This configuration states that it logs all levels between debug and emerg but not messages from the program devd with levels between debug and info.

So for now the syslog-ng log host configuration listens on the IP address and has a filter.

Next is configuring where the log host saves its log files. This configuration saves logs for a week only with a separate log file for each weekday (Mon.log, Tue.log, etc.). Each log file is overwritten the next week automatically. Please be aware that a lot of other configurations are possible with syslog-ng! I leave this to the reader for now. So the log file (the destination) configuration in our loghost.conf file is:

destination d_daily
   {
      file("/loghost/dailylogs/$WEEKDAY.log"
         owner(root) group(wheel) perm(0600) dir_perm(0750) create_dirs(yes)
         template("$FULLDATE: $HOST ($FACILITY/$LEVEL) [$PROGRAM] $MSGONLY\n")
         template_escape(no)
         overwrite_if_older(514800) # overwrite if older than 6 days minus 1 hour
      );
   };

So what does the above configuration do:

  • it defines the destination of the log files (/loghost/dailylogs/$WEEKDAY.log, where $WEEKDAY is Mon, Tue, Wed, etc.)
  • the directory and log files are created automatically with the right owner and permissions
  • the syslog messages written to the $WEEKDAY.log files use a templated log format
  • the log files can be overwritten when older than 6 days minus 1 hour

And then we have to tie the source, the filter and the destination together in a log statement by adding the below to our loghost.conf file:

log
  {
    source(s_loghost);
    filter(f_all);
    destination(d_daily);
  };

After saving the loghost.conf file restart the syslog-ng daemon:

$ sudo service syslog-ng restart
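As an added example (not part of the original post and not a syslog-ng tool), the following Python parses the line layout produced by the d_daily template above and pulls out messages at level err or worse, which is the kind of periodic check on the $WEEKDAY.log files that the wrap-up refers to. The sample lines are constructed for the example.

```python
import re
from collections import Counter

# Regex for the line layout produced by the d_daily template:
#   "$FULLDATE: $HOST ($FACILITY/$LEVEL) [$PROGRAM] $MSGONLY"
# $FULLDATE renders as "YYYY Mon DD HH:MM:SS"; $PROGRAM may be empty ("[]").
LINE_RE = re.compile(
    r"^(?P<date>\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}): "
    r"(?P<host>\S+) \((?P<facility>[^/)]+)/(?P<level>[^)]+)\) "
    r"\[(?P<program>[^\]]*)\] ?(?P<msg>.*)$"
)

# syslog severities, most severe first (the order syslog-ng's level() ranges use)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_line(line):
    """Return a dict of the template fields, or None if the line does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def at_least(level, threshold):
    """True if `level` is as severe as `threshold` or more severe (unknown levels: False)."""
    if level not in SEVERITIES:
        return False
    return SEVERITIES.index(level) <= SEVERITIES.index(threshold)

def summarize(lines, threshold="err"):
    """Parse one daily log; return (count per (host, level), records at/above threshold)."""
    counts = Counter()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # count malformed lines instead of dropping them silently
            counts[("<unparsed>", "-")] += 1
            continue
        counts[(rec["host"], rec["level"])] += 1
        if at_least(rec["level"], threshold):
            alerts.append(rec)
    return counts, alerts

# Constructed sample lines in the d_daily template format (not real log data).
SAMPLE = [
    "2020 Jan 07 08:15:02: web01 (auth/notice) [sshd] Accepted publickey for alice from 10.20.30.55 port 50422 ssh2",
    "2020 Jan 07 08:15:09: web01 (auth/err) [sshd] error: maximum authentication attempts exceeded for root from 10.20.30.77 port 41002 ssh2 [preauth]",
    "2020 Jan 07 08:16:40: db01 (daemon/crit) [] disk quota exceeded on /var",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE)
    for rec in alerts:
        print(f"{rec['date']} {rec['host']} {rec['level']} [{rec['program']}] {rec['msg']}")
```

To run it against a real file, replace SAMPLE with `open("/loghost/dailylogs/Tue.log")` (or whichever weekday you are checking).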

Next is setting up our log clients.

Client setup

To forward all syslog messages from a FreeBSD client host using syslogd to our central syslog host we have the below line in the client's /etc/syslog.conf:

*.*            @10.20.30.101

Wrap up

This completes this post. In a follow up post a simple shell script is discussed which checks the logs of the log host periodically.

Updated: January 7, 2020