December 4, 2006 at 5:58 am

Syslog-ng as a replacement for Apple's syslog to centralize logs

Syslog-ng can be used as a replacement for Apple's syslog. It gives you the ability to filter logs on criteria other than just the facility, for example the name or IP address of the source machine.

Ed. Note: It's not really syslog that Apple includes in Tiger, but the Apple System Log, ASL. As of 10.4, however, all ASL did was essentially replicate syslog. As such you'll get some benefit from installing syslog-ng. However we hold out great hope that the promise of ASL will become a reality in future operating systems.

Installing syslog-ng is not so hard when you get the right sources.

  1. Prerequisites & dependencies
    1. Prerequisites
      • To compile the sources, you need gcc. Install Apple's Xcode.

    2. Dependencies
      • eventlog-0.2.5        15-Jul-2006
      • pkg-config-0.21       28-Oct-2006
      • gettext-0.16.1        27-Nov-2006
      • pkg-config-0.21       16-Aug-2006
      • glib-2.12.4           02-Oct-2006
  2. Install from sources
    1. Downloads
      • curl -O http://www.balabit.com/downloads/syslog-ng/2.0/src/eventlog-0.2.5.tar.gz
        curl -O http://www.balabit.com/downloads/syslog-ng/2.0/src/syslog-ng-2.0.0.tar.gz
        curl -O http://pkgconfig.freedesktop.org/releases/pkg-config-0.21.tar.gz
        curl -O http://ftp.gnome.org/pub/GNOME/sources/glib/2.12/glib-2.12.4.tar.gz
      • ftp ftp.gnu.org
        cd /gnu/gettext/
        get gettext-0.16.1.tar.gz
        quit

    2. Decompress
      • tar xzf eventlog-0.2.5.tar.gz
        tar xzf syslog-ng-2.0.0.tar.gz
        tar xzf pkg-config-0.21.tar.gz
        tar xzf gettext-0.16.1.tar.gz
        tar xzf glib-2.12.4.tar.gz

    3. Compile
      • Because of the dependencies, you have to build in this order:
        gettext, eventlog, pkg-config, glib, syslog-ng
      • cd gettext-0.16.1
        ./configure && make && sudo make install
        Repeat this step for all the sources except syslog-ng.
      • For syslog-ng, if ./configure fails, try:
        ./configure --enable-dynamic-linking && make && sudo make install
      • syslog-ng is installed in /usr/local/sbin
  3. Configuring the servers
    1. Configure the destination server for syslog-ng
      • Syslog-ng needs a config file: syslog-ng.conf
      • Its default location is /usr/local/etc when syslog-ng is installed in /usr/local/sbin
      • The config file contains 4 types of information:
        • sources
        • filters
        • destinations
        • logs
      • For more information on this: man syslog-ng.conf
      • source net { udp(); };        <- networked source on UDP port 514;
                                         the port can be changed with
                                         udp(port(10514)), for example

        # to deal with logs incoming from two distant servers, named
        # volnay & auxey, we can add the following lines:

        destination d_volnay { file("/var/log/mail/volnay.log"); };
        destination d_auxey  { file("/var/log/mail/auxey.log"); };

        filter f_volnay { host("volnay"); };
        filter f_auxey  { host("auxey"); };

        log { source(net); filter(f_volnay); destination(d_volnay); };
        log { source(net); filter(f_auxey);  destination(d_auxey); };
      • Incoming logs from volnay are stored on the syslog-ng server in /var/log/mail/volnay.log
    2. Configure the source servers
      • No need to install syslog-ng on the source servers
      • You just need to modify /etc/syslog.conf
      • so that it forwards to the distant syslog-ng server
      • mail.*    /var/log/mail.log    <- stores mail logs locally in /var/log/mail.log
        mail.*    @tiger.domain.com    <- sends mail logs to the distant syslog server
                                          'tiger.domain.com' on port 514
        The port can be changed this way: @tiger.domain.com:10514, for example.
    3. Modify syslog's startup script for syslog-ng
      • Syslog is launched by launchd (Mac OS X Server 10.4)
      • The launch item's plist file is:
        /System/Library/LaunchDaemons/com.apple.syslogd.plist
      • Make a copy of the original plist file and replace:
            /usr/sbin/syslogd
        with
            /usr/local/sbin/syslog-ng
      • After rebooting the syslog-ng server, verify the incoming logs:
        tail -f /var/log/mail/volnay.log
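The following is an added example, not code from the article: it decodes the BSD syslog datagrams that the `mail.* @tiger.domain.com` line sends over UDP 514 and mirrors the host()-based routing of the syslog-ng.conf above, so you can see which file a message lands in and what happens to a host that has no filter. The host names volnay, auxey and pommard and the sample messages are constructed.

```python
import re
from typing import Optional

# RFC 3164 facility and severity codes. 'mail' is facility 2, which is what the
# selector 'mail.*' in /etc/syslog.conf matches at every severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "clock", "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST TAG: message
_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

def parse_bsd_syslog(datagram: bytes) -> dict:
    """Split one BSD syslog datagram into facility, severity, host and text."""
    m = _LINE.match(datagram.decode("ascii", "replace").rstrip("\n"))
    if not m:
        raise ValueError("not an RFC 3164 message")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": m.group(2),
            # The HOSTNAME field is written by the sender; over UDP nothing
            # authenticates it, so it is a routing key, not proof of origin.
            "host": m.group(3), "msg": m.group(4)}

# Mirror of the syslog-ng.conf above: filter f_<host> -> destination file.
ROUTES = {"volnay": "/var/log/mail/volnay.log", "auxey": "/var/log/mail/auxey.log"}

def route(datagram: bytes, routes=ROUTES) -> Optional[str]:
    """Return the file a message is written to, or None if no log statement matches."""
    return routes.get(parse_bsd_syslog(datagram)["host"])

# Constructed samples: <22> is mail.info (2*8+6), <38> is auth.info (4*8+6).
SAMPLES = [
    b"<22>Dec  4 05:58:01 volnay postfix/smtpd[123]: connect from unknown[192.0.2.10]\n",
    b"<22>Dec  4 05:58:02 auxey postfix/qmgr[456]: 4F1C2: removed\n",
    b"<38>Dec  4 05:58:03 pommard sshd[789]: Accepted publickey for admin\n",
]

if __name__ == "__main__":
    for d in SAMPLES:
        info = parse_bsd_syslog(d)
        print(f"{info['host']:8} {info['facility']}.{info['severity']:8} -> {route(d)}")
```

A message from a host with no matching filter (pommard above) is simply dropped by this configuration; in syslog-ng a log statement with no filter, e.g. `log { source(net); destination(d_other); };`, acts as a catch-all.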


  • curl(1) understands ftp:// URLs as well as http:// URLs, so you can replace the
    ftp script above with

    curl -O ftp://ftp.gnu.org/gnu/gettext/gettext-0.16.1.tar.gz

    to match your first few lines.

  • Ok… So what I really want to do is setup a Syslog-ng Server to capture
    multiple logs from multiple servers, and store the different log types in
    different databases. Anyone have a method for this?

    ie:
    db1 contains System Logs
    db2 contains iChat Logs
    db3 contains afp Logs…

    etc…

  • From a developer’s point of view you have a point. ASL gives the
    people who create applications awesome new tools.

    From a sysadmin point of view the Tiger implementation of ASL just dumps
    the same basic info as the system log into a log with a different name. Yes
    the fun ASL keys and such are in that log, but the Console utility does
    nothing with them. No queries or anything like that. At that point you are
    just searching a text file in the same fashion of system.log.

    We see the promise of ASL, we really do. I can’t wait to see it dropping all
    that info in a database as discrete events that I can search like the
    Windows Event Viewer does. Until then though, from a sysadmin point of
    view, it’s just a copy of system.log.

    One thing I would like to see in ASL is centralized logging. That’s about the
    most common modification we see done with syslog.


    Breaking my server to save yours.

    Josh Wisenbaker
    http://www.afp548.com
