Centralized Syslog Server Setup Part I

*** SETUP SYSLOG:

- Create and mount /syslog
- mkdir /syslog/archive
- Edit /etc/sysconfig/syslog and set SYSLOGD_OPTIONS to read:

    SYSLOGD_OPTIONS="-r -x -m 5"

  The -r option enables listening for syslog messages from remote hosts.
  -x disables DNS lookups. -m 5 causes a MARK message to be written to the
  log files every five minutes, to provide a local system time reference.
- Edit /etc/syslog.conf to contain:

    *.=emerg;*.=panic    /syslog/0_panic.log
    *.=alert             /syslog/1_alert.log
    *.=crit              /syslog/2_critical.log
    *.=err;*.=error      /syslog/3_error.log
    *.=warn;*.=warning   /syslog/4_warning.log
    *.=notice            /syslog/5_notice.log
    *.=info              /syslog/6_info.log
    # Record time marks to all logs
    mark.*               /syslog/0_panic.log
    mark.*               /syslog/1_alert.log
    mark.*               /syslog/2_critical.log
    mark.*               /syslog/3_error.log
    mark.*               /syslog/4_warning.log
    mark.*               /syslog/5_notice.log
    mark.*               /syslog/6_info.log

- Create /etc/logrotate.d/syslogcollector and add to it:

    /syslog/*.log {
        daily
        rotate 91
        olddir /syslog/archive
        copytruncate
        compress
        missingok
    }

- service syslog restart

*** INSTALL MONIT:

Monit is used to watch services (ntpd and syslog) and restart them if they fail.

- Make sure the GCC compiler, Flex, Bison, and the OpenSSL development packages are installed:

    yum -c http://santa.my.lan/repository/patch/current/rhel4-i386.conf install gcc flex openssl-devel bison

- Get the latest monit from http://www.tildeslash.com/monit/ and untar it.
- cd into the extracted monit directory
- As root: ./configure && make && make install
- cp contrib/rc.monit /etc/init.d/monit
- chmod u+x /etc/init.d/monit
- Edit /etc/init.d/monit: change "MONIT=/usr/bin/monit" to "MONIT=/usr/local/bin/monit"
- chkconfig --add monit
- chkconfig monit on
- vi /etc/monitrc and enter:

    ##### BEGIN CONFIG #####
    set daemon 15            # Poll at 15 second intervals
    set logfile syslog
    set alert techsupport@my.org
    set mailserver mail.my.org with timeout 15 seconds
    set mail-format {
      from: monit@$HOST
      subject: $SERVICE $EVENT at $DATE
      message: Monit $ACTION $SERVICE at $DATE on $HOST: $DESCRIPTION
    }

    check process ntpd with pidfile "/var/run/ntpd.pid"
      start program = "/sbin/service ntpd start"
      stop program = "/sbin/service ntpd stop"
      if 2 restarts within 3 cycles then timeout

    check process syslogd with pidfile "/var/run/syslogd.pid"
      start program = "/sbin/service syslog start"
      stop program = "/sbin/service syslog stop"
    ##### END CONFIG #####

- chmod 700 /etc/monitrc
- service monit start

*** USAGE:

syslog and monit can be stopped, started, restarted, or queried for status with the standard 'service' command. Log into the system (syslog-test or syslog-prod) as root and run:

    service [monit|syslog] [stop|start|restart|status]

All received syslog messages are stored in files in /syslog/, broken up by message priority level (see RFC 3164 for a full description of the syslog protocol):

    /syslog/0_panic.log     -- Emergency/Panic messages
    /syslog/1_alert.log     -- Alert messages
    /syslog/2_critical.log  -- Critical messages
    /syslog/3_error.log     -- Error messages
    /syslog/4_warning.log   -- Warning messages
    /syslog/5_notice.log    -- Notice messages
    /syslog/6_info.log      -- Informational messages

The lower the first number in the filename, the more important the message. These files are rotated daily into the /syslog/archive/ directory and compressed to save space. 91 days of old logs are kept; anything older than 91 days is deleted.
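How the selectors above decide which /syslog file a received message lands in, as an added example that is not part of the original page: a small Python model of sysklogd's selector matching that reads the <PRI> field of an RFC 3164 line and returns the target files. The config copy, the facility name table and the sample lines are constructed for the example.

```python
# Constructed copy of the /etc/syslog.conf rules given on this page.
SYSLOG_CONF = """
*.=emerg;*.=panic    /syslog/0_panic.log
*.=alert             /syslog/1_alert.log
*.=crit              /syslog/2_critical.log
*.=err;*.=error      /syslog/3_error.log
*.=warn;*.=warning   /syslog/4_warning.log
*.=notice            /syslog/5_notice.log
*.=info              /syslog/6_info.log
# Record time marks to all logs
mark.*               /syslog/0_panic.log
mark.*               /syslog/1_alert.log
mark.*               /syslog/2_critical.log
mark.*               /syslog/3_error.log
mark.*               /syslog/4_warning.log
mark.*               /syslog/5_notice.log
mark.*               /syslog/6_info.log
"""
# RFC 3164 severity codes (with the sysklogd aliases used above) and facility codes.
SEVERITY = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
            "warn": 4, "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
            "ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7").split()

def parse_conf(text):
    # Each rule is (selectors, target); a selector is a (facility, priority-spec) pair.
    rules = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            sels, target = line.split()
            rules.append(([tuple(s.split(".", 1)) for s in sels.split(";")], target))
    return rules

def selector_matches(facility, severity, sel):
    fac, spec = sel
    # "*" covers the 24 real facilities only; sysklogd's internal "mark"
    # facility is excluded, which is why the explicit mark.* lines are needed.
    if fac != facility and (fac != "*" or facility == "mark"):
        return False
    if spec.startswith("="):                  # exactly this priority
        return severity == SEVERITY[spec[1:]]
    return spec == "*" or severity <= SEVERITY[spec]   # any, or this level and more urgent

def route(facility, severity, rules):
    # Files a message with this facility/severity lands in, in config order.
    return [t for sels, t in rules if any(selector_matches(facility, severity, s) for s in sels)]

def route_line(line, rules=parse_conf(SYSLOG_CONF)):
    # Route a raw RFC 3164 line: <PRI> = facility * 8 + severity; code 24 is LOG_MARK.
    pri = int(line[1:line.index(">")])
    return route(FACILITY[pri >> 3] if pri >> 3 < 24 else "mark", pri & 7, rules)
```

Debug-level messages match no selector in this config and are dropped, so anything a host sends at debug never reaches /syslog/.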

