May 6, 2021

syslog-ng howto

Centralized logging will help a ton if you have a network issue. If something happens, you’ll just be able to look one place instead of a bunch. There are several ways to do this, but syslog-ng seems to offer some decent features, and it’s available in standard repositories.

apt-get install syslog-ng
mkdir /var/log/remotelogs/
uncomment next line and add options:
source s_net { tcp(ip(127.0.0.1) port(1000) max-connections (5000)); udp(); };
/etc/syslog-ng/syslog-ng.conf
  destination d_auth { file("/var/log/remotelogs/$HOST/auth.log"); };
destination d_cron { file("/var/log/remotelogs/$HOST/cron.log"); };
destination d_daemon { file("/var/log/remotelogs/$HOST/daemon.log"); };
destination d_kern { file("/var/log/remotelogs/$HOST/kern.log"); };
destination d_lpr { file("/var/log/remotelogs/$HOST/lpr.log"); };
destination d_mail { file("/var/log/remotelogs/$HOST/mail.log"); };
destination d_syslog { file("/var/log/remotelogs/$HOST/syslog"); };
destination d_user { file("/var/log/remotelogs/$HOST/user.log"); };
destination d_uucp { file("/var/log/remotelogs/$HOST/uucp.log"); };
 
# This files are the log come from the mail subsystem.
#
destination d_mailinfo { file("/var/log/remotelogs/$HOST/mail.info"); };
destination d_mailwarn { file("/var/log/remotelogs/$HOST/mail.warn"); };
destination d_mailerr { file("/var/log/remotelogs/$HOST/mail.err"); };
vi /etc/logrotate.d/syslog-ng
  /var/log/remotelogs/$HOST/mail.info
/var/log/remotelogs/$HOST/mail.warn
/var/log/remotelogs/$HOST/mail.err
/var/log/remotelogs/$HOST/mail.log
/var/log/remotelogs/$HOST/daemon.log
/var/log/remotelogs/$HOST/kern.log
/var/log/remotelogs/$HOST/auth.log
/var/log/remotelogs/$HOST/user.log
/var/log/remotelogs/$HOST/lpr.log
/var/log/remotelogs/$HOST/cron.log
/var/log/remotelogs/$HOST/debug
/var/log/remotelogs/$HOSTmessages
/var/log/remotelogs/$HOSTerror
systemctl disable syslog.service
systemctl enable syslog-ng.service
/etc/init.d/syslog-ng restart

Now look in /var/log/remotelogs and see if there’s a folder in there with your hostname, and some log files in it like syslog. You should have some entries in syslog because you just restarted syslog-ng