Great Circle Associates List-Managers
(December 2002)
 


Subject: [VTLUUG] to all ye *nix admins ... (fwd)
From: Beartooth <karhunhammas @ Lserv . com>
Date: Fri, 13 Dec 2002 14:17:40 -0500 (EST)
To: List Managers <List-Managers @ greatcircle . com>
Cc: Vincent Rivellino <vrivelli @ cs . vt . edu>
Reply-to: KHLsv <karhunhammas @ Lserv . com>


	Forwarded with permission.

-- 
Beartooth the Stubborn <karhunhammas (at) lserv.com>
Double Retiree, Linuxer's Apprentice, Curmudgeon On Line
Keep in mind that I have little idea whereof I speak.

---------- Forwarded message ----------
Date: Fri, 13 Dec 2002 13:48:35 -0500 (EST)
From: Vincent Rivellino <vrivelli@cs.vt.edu>
Reply-To: vtluug@vtluug.org
To: vtluug@vtluug.org, rvglug@rvglug.org
Subject: [VTLUUG] to all ye *nix admins ...

Anyone out there have a bunch of Linux/UNIX workstations and/or servers
logging to a log server?  I have about ten here logging to a system
dedicated for accepting remote syslog messages.  I set this machine up
over a year ago using the system's syslog daemon to accept remote
connections.

However, I found that message archival wasn't what I wanted.  For example,
kernel messages from all hosts would end up in /var/log/messages.  I
wanted to be able to separate the messages into different log files (and
directories) based on the remote host sending the log message.  So I
initially wrote a shell script to parse the logs daily.

I wasn't really satisfied with that solution, so I did some searching
online for a free/open-source solution that separated logs based on the
source address.  I couldn't find anything.

Finally, I decided to write my own.  So, in the spirit of Christmas, it's
time that I share my work with anyone else who could use it.

I call it rsyslogd: http://people.cs.vt.edu/~vrivelli/rsyslogd/

The README file is below; it has more information about how it works.  I
am pretty satisfied with it as a log server.  Let me know if you use it
and have any suggestions, comments, or flames.

-Vince


----------------------------------
Vincent Rivellino
UNIX Systems Engineer
Department of Computer Science
Virginia Tech
Email: vrivelli@cs.vt.edu
Office: 112 McBryde Hall
Office Phone: (540)231-3167



********************************* README **********************************


                           Remote Syslog Archiver

                      http://cuz.cx/projects/rsyslogd
                 http://people.cs.vt.edu/~vrivelli/rsyslogd


                           By: Vincent Rivellino
                              <vrivelli@vt.edu>


Introduction
--------------------------------------------------------------------------------
As a system administrator who set up his *nix systems to log to a central host, I
found the syslog daemon packaged with Linux (ksyslogd) and FreeBSD to be lacking
in features when many machines are remotely logging to it.  They didn't
automatically separate log messages based on the source's hostname.  So, I
decided to write my own.

First of all, this is NOT a replacement for a system's syslog daemon.  All this
program does is listen on UDP port 514 (the syslog port) for remote log
messages.  When messages are received they are placed in a specified archive
directory with the hostname and date appended to the path.  For example, if it
is November 2002 and it receives a mail log message from snoopy.foo.bar, then
the default behavior is to place that log message in the following file:
  /var/log/archive/snoopy.foo.bar/2002-Nov/mail.log

Automatically sorting log messages by when they're received and where they're
from will allow for easier log retrieval.

The Remote Syslog Archiver is written in C, and *should* compile on any POSIX
compliant system with an ANSI C compiler.


The Archive Directory Structure
--------------------------------------------------------------------------------

To better understand how log messages are archived, here's a look at the archive
directory I have rsyslogd saving logs to:

	poisonivy# pwd
	/var/log/archive
	poisonivy# ls -l
	total 10
	drwxr-x---  4 root  wheel  512 Dec 10 03:42 anaconda.cs.vt.edu
	drwxr-x---  4 root  wheel  512 Dec  3 10:11 ap1.cs.vt.edu
	drwxr-x---  4 root  wheel  512 Dec  3 10:07 csgrad.cs.vt.edu
	drwxr-x---  4 root  wheel  512 Dec  5 10:49 espresso.cs.vt.edu
	drwxr-x---  4 root  wheel  512 Dec  3 10:07 flapjack.cs.vt.edu
	drwxr-x---  4 root  wheel  512 Dec  3 11:52 rattlesnake.cs.vt.edu
	drwxr-x---  4 root  wheel  512 Dec  3 10:35 shaffer.cs.vt.edu
	drwxr-x---  4 root  wheel  512 Dec  3 10:55 sidewinder.cs.vt.edu
	drwxr-x---  4 root  wheel  512 Dec  3 10:10 thumper.cs.vt.edu
	drwxr-x---  4 root  wheel  512 Dec  3 10:24 waffle.cs.vt.edu
	poisonivy# cd waffle.cs.vt.edu/
	poisonivy# ls -al
	total 4
	drwxr-x---   4 root  wheel  512 Dec  3 10:24 .
	drwxr-x---  12 root  wheel  512 Dec  3 13:25 ..
	drwxr-x---   2 root  wheel  512 Dec  6 10:47 2002-Dec
	drwxr-x---   2 root  wheel  512 Nov 16 02:00 2002-Nov
	poisonivy# ls -l 2002-Dec/
	total 1156
	-rw-r-----  1 root  wheel     1367 Dec  7 02:34 authpriv.log
	-rw-r-----  1 root  wheel      282 Dec  6 10:47 daemon.log
	-rw-r-----  1 root  wheel   154736 Dec 12 10:48 kernel.log
	-rw-r-----  1 root  wheel  1003734 Dec 12 11:16 mail.log
	-rw-r-----  1 root  wheel       45 Dec  6 10:47 user.log

This is the default behavior of rsyslogd.  Currently, the only configurable
option is the location of the archive directory (/var/log/archive).


Installation Instructions:
--------------------------------------------------------------------------------

Simply running 'make' in the source directory should do the trick.  It currently
compiles with gcc on Linux and FreeBSD without warnings.  I've compiled it on a
Solaris system with gcc when editing the CFLAGS option in the Makefile (it's
noted).  It also compiles (with a few warnings) with gcc on a Tru64 4.0G system.

After running make, there will be an executable in the source directory called
'rsyslogd'.  Copy this wherever you want (for now, I've been putting it in
/root/bin).


Running It
--------------------------------------------------------------------------------

Usage: rsyslogd [-d] [-i] [-r <archive root>] [-a <allow file>]

    '-d' enables some debugging and causes rsyslogd not to run in the
         background.
    '-i' allows messages received from ports other than UDP 514 (the syslog
         port) to be logged.  By default, only messages sent from UDP 514 will
         be trusted.
    '-r' specifies where you want the archive.  By default it is
         /var/log/archive.
    '-a' specifies an access file.  By default, anyone can log to it.

When rsyslogd runs without the -d option, it will log its own messages to
/tmp/templog.log.  This is used for debugging and testing, and future releases
will log to the system's syslog daemon.  Under normal conditions (when
everything works right), it will contain messages saying that rsyslogd was
started and it's listening on 0.0.0.0:514.  If remote messages are NOT logged
to the archive directory, they will show up here.

You might notice messages such as the following in your syslog:

      "Dec 13 09:15:45 logserver rsyslogd[96394]: Host remotehost.domain:57851
       denied: message sent from insecure port"

This means that a remote host sent a log message originating
from some port other than UDP 514 (the syslog port).  By default, rsyslogd will
drop these log messages and only allow messages sent from UDP 514.  Using the
'-i' option will enable "insecure origin port" and these messages will be
allowed.

Report any "NOT LOGGED" message to me, because that means there is a bug that
needs to be tracked down.  I haven't seen any on my log server (with 10 hosts
logging to it) in a long time, so hopefully you won't see them.

The access file says who can log to rsyslogd.  To use it, create a file and
specify the systems' DNS host names one per line.  If you'd like to log an
entire domain, begin that domain name with a '.'.  For example, if I want
everyone in the Virginia Tech CS domain to be able to log to rsyslogd and I
want a specific system in ECE to be able to log to rsyslogd, I'd create a file
with 'system.ece.vt.edu' on one line, and '.cs.vt.edu' on another line.


--------------------------------------------------------------------------------

Have any questions? Email me.

Also, if you have any feedback for me, I'd greatly appreciate it.

                               -Vince <vrivelli@vt.edu>

_______________________________________________
vtluug mailing list
vtluug@vtluug.org
http://www.vtluug.org/mailman/listinfo/vtluug

THE VT L/UUG, THE VT CS LAB, AND THE VT CS DEPT. ARE NOT RESPONSIBLE FOR THE CONTENTS OF THIS E-MAIL!
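
The README above describes three routing rules (a facility-named file under
<archive root>/<host>/<YYYY-Mon>/, acceptance only from UDP source port 514
unless '-i' is given, and an allow file of host names or '.domain' suffixes) but
the rsyslogd source itself is not on this page.  The following is an added
example written for this archive page, not Vince's code: a small Python model of
those rules plus a UDP 514 listener that uses them.  Everything beyond what the
README states is an assumption of the example and is marked as such in the
comments: the full RFC 3164 facility table (the README only shows kernel, user,
mail, daemon and authpriv as file names), reverse DNS as the source of the host
name, and a host-name validity check before the name is used as a path
component, which the README does not mention.

```python
"""Model of the remote-syslog archiving rules described in the README above.

Added example, not rsyslogd's own code.  The facility table, the reverse-DNS
lookup and the host-name validation are assumptions of this example.
"""
import datetime
import os
import re
import socket

SYSLOG_PORT = 514

# BSD syslog facility numbers (RFC 3164).  The README only shows five of these
# as file names; the complete table is an assumption of this example.
FACILITIES = [
    "kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

PRI_RE = re.compile(rb"^<(\d{1,3})>")

# A host name learned from the network becomes a directory name, so it must not
# be able to escape the archive root ("..", "/", empty).  Accept only DNS-label
# characters.  This check is an addition of the example, not a README feature.
SAFE_HOST_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$")

# Constructed timestamp for the worked calls; matches the README's November 2002 example.
SAMPLE_TIME = datetime.datetime(2002, 11, 16, 2, 0, 0)


def parse_pri(datagram: bytes):
    """Return (facility_name, severity) from the <PRI> of a BSD syslog datagram,
    or None when the PRI is missing or outside 0..191."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], severity


def load_allow_file(text: str):
    """Parse the '-a' file: one host name or '.domain' suffix per line."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def host_allowed(hostname: str, allow) -> bool:
    """No allow file (no '-a') means anyone can log, as the README says."""
    if allow is None:
        return True
    h = hostname.lower().rstrip(".")
    for entry in allow:
        if entry.startswith("."):
            if h.endswith(entry):
                return True
        elif h == entry:
            return True
    return False


def archive_path(root: str, hostname: str, facility: str, when: datetime.datetime) -> str:
    """<root>/<hostname>/<YYYY-Mon>/<facility>.log, e.g. .../snoopy.foo.bar/2002-Nov/mail.log"""
    return os.path.join(root, hostname, when.strftime("%Y-%b"), facility + ".log")


def route(datagram: bytes, src_host: str, src_port: int, root="/var/log/archive",
          allow=None, insecure_ok=False, now=None):
    """Apply the README's rules to one datagram.

    Returns ("archive", path) when the message belongs in `path`, or
    ("deny", reason); the first reason mirrors the README's "denied: message
    sent from insecure port" log line.
    """
    if src_port != SYSLOG_PORT and not insecure_ok:
        return ("deny", "message sent from insecure port")
    if not SAFE_HOST_RE.match(src_host):
        return ("deny", "unsafe host name")
    if not host_allowed(src_host, allow):
        return ("deny", "host not in allow file")
    parsed = parse_pri(datagram)
    if parsed is None:
        return ("deny", "malformed PRI")
    facility, _severity = parsed
    when = now or datetime.datetime.now()
    return ("archive", archive_path(root, src_host, facility, when))


def serve(root="/var/log/archive", allow=None, insecure_ok=False):
    """Blocking UDP 514 listener (binding the port needs root).  The host name
    comes from reverse DNS of the source address, an assumption of this example."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", SYSLOG_PORT))
    while True:
        data, (addr, port) = sock.recvfrom(8192)
        try:
            host = socket.gethostbyaddr(addr)[0]
        except OSError:
            host = addr  # fall back to the dotted address as the directory name
        verdict = route(data, host, port, root, allow, insecure_ok)
        if verdict[0] == "deny":
            print(f"Host {host}:{port} denied: {verdict[1]}")
            continue
        os.makedirs(os.path.dirname(verdict[1]), mode=0o750, exist_ok=True)
        with open(verdict[1], "ab") as f:
            f.write(data.rstrip(b"\n") + b"\n")
```

One caveat worth keeping in mind with either this model or the original tool:
a UDP source port of 514 and a reverse-DNS host name are both chosen by the
sender, so the port check and the allow file sort traffic rather than
authenticate it.  Anyone who can deliver a UDP datagram to the collector can
pick the source port and, by forging the source address, the host directory
the message lands in; restrict UDP 514 at the collector's own packet filter to
the addresses of the known senders, and watch disk usage, since every accepted
host name creates a new directory tree.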

