Just setup a syslog server in Ubuntu Linux to collect logs from firewall. To setup a syslog server in Ubuntu is easy, to setup a syslog server that collect remote logs is a bit tricky. FYI, once syslog server started, it is listening on the port 514 on UDP protocol. After few hours of testing, finally the syslog server is up and running. So here i share my experience on how to setup syslog server in Ubuntu Linux to everyone.
To setup syslog server in UBuntu Linux, follow the steps below:-
- First you need to make sure you are login as root, then stop the syslog service
/etc/init.d/sysklogd stop
- Open /etc/sysconfig/syslog with your favourite editor and look for the line below:-
SYSLOGD="-u syslog"
and edit the line to:-
SYSLOGD="-ru syslog"
- Now open /etc/default/syslogd file with your editor and look for
SYSLOGD=""
and change it to
SYSLOGD="-r"
** This is the steps that i miss previously and result the syslog server not listening for remote log. Other linux distro do not need to perform this step
- Restart the syslog service
/etc/init.d/sysklogd restart
- Now you need to configure the ubuntu firewall to allow the log sender IP. We assume the log sender is 192.168.0.100 and our ubuntu syslog server IP is 192.168.0.1. So, just enter the command below:-
iptables -I INPUT -p udp -i eth0 -s 192.168.0.100 -d 192.168.0.1 --dport 514 -j ACCEPT
** Remember to change the IP above to your server IP
- To check if your syslog is listening on port 514, run the command below:-
netstat -a | grep syslog
and you should see the line below, else your syslog is not listening for remote log.
udp 26880 0 *:syslog *:*
- Done. you just setup your syslog server in Unbuntu Linux. Happy logging 🙂
