Cover V13, i12

Centralized Logging for UNIX, Windows, and Network Devices

Corey Ramsden

There's nothing sexy about log files, but where would we be without them? They are our eyes and ears for the digital jungle. Like other senses, they can overload us with too much information from too many sources. One way to get a handle on this problem is to consolidate logging to one or more central loghosts.

There are many reasons to centralize logging. Running log file watch and reporting routines on every single host can be a cumbersome task, often requiring administrators to script out routines on several different platforms. Consolidating logs allows for the creation and maintenance of one set of watching and reporting utilities. Another major reason to centralize logging is security. Writing logs to a central host and backing them up to tape regularly is an excellent way to keep log file information safe for later review during security incident investigations.

Syslog-ng ("syslog next generation") allows you to log remote events to host-specific files that can be rotated and backed up to tape on a regular basis. Because so many operating systems, applications, and network devices support syslog functionality, we can configure almost all of our managed devices to log their activity to a central loghost.

Syslog-ng is available from:
and requires a specific version of libol to install properly. The current stable version of syslog-ng is 1.6, and it requires the latest libol 0.3.x release.

Installation of syslog-ng on Central Loghost

We employ a simple installation of syslog-ng at our site because we have a small number of hosts and limited logging requirements. The loghost is a modest Intel x86 box with Red Hat Linux installed and locked down as tightly as possible. A loghost houses lots of sensitive information so it's important to keep as few services running on the system as possible. Preferably, it should only run two external services: syslog-ng and ssh.

The following steps will give you a basic working setup. For more information on setup and configuration, consult the online FAQ and HOWTO notes (see references). Note the step to remove the -r from the normal syslog daemon startup. This ensures that the default syslog daemon is not listening on port 514/udp and conflicting with our new syslog-ng setup.

If you are interested in running syslog-ng chroot'ed as a non-root user, this is possible in syslog-ng 1.5.x+ versions through the -C and -u flags.

1. Get the latest stable versions of libol and syslog-ng from:
2. Untar both to src directory and install libol with:

./configure && make && make install
3. Install syslog-ng with:

./configure && make && make install

mkdir /etc/syslog-ng
chmod 700 /etc/syslog-ng
mkdir -p /var/syslog-ng/hosts
chmod -R 700 /var/syslog-ng
4. Touch all /var/syslog-ng/hosts/ files to which we're logging:

touch /var/syslog-ng/hosts/[hostname].log
5. Tighten permissions with:

cd /var/syslog-ng/hosts
chmod 600 *
6. Create /etc/syslog-ng/syslog-ng.conf (see below for config content):

chmod 600 /etc/syslog-ng/*
7. Install startup script in /etc/rc.d/init.d/syslog-ng (see Listing 1).

8. Remove -r option from /etc/rc.d/init.d/syslog startup.

9. Stop/start syslog with: /etc/rc.d/init.d/syslog restart.

10. Do netstat -an to make sure it isn't listening on udp/514 anymore.

11. Start syslog-ng with: /etc/rc.d/init.d/syslog-ng start.

12. Enable syslog-ng automatically on system startup.

You may be wondering at this point why we would even leave the default syslogd/klogd setup running. We do this for the sake of conformity so that the central loghost matches the rest of the hosts in the environment as closely as possible. All hosts, including the central loghost, log events to their usual locations as well as to the central loghost. Another possibility would be to log the central loghost's own events locally to the default location (or to the local syslog-ng setup) as well as to send them to a secondary syslog-ng machine for safekeeping.

Configuration for syslog-ng.conf

There are a few important options to note in the configuration file. Be sure to set the appropriate permission bits for the files with the perm() option. Also pay close attention to the use_dns and use_fqdn options because both can cause problems if you don't have name service set up appropriately for your hosts. In our case, we elected to filter incoming log events by IP and to name files explicitly by hand to keep things simple and direct.

The source option allows you the flexibility of listening on UDP ports, TCP ports, and tunneled connections as well as internal logging streams. For creating a centralized loghost, listening on the default 514/udp syslog port is the most useful option because many managed devices are unable to change the port to which they forward syslog information. For larger networks, consider using syslog-ng in a tunneled capacity over TCP to allow remote hosts to send their events to the central logging server.

If you decide to log local events to syslog-ng as well, you'll need to specify an additional source and use that source when directing those events to the file of your choosing. Options for doing this are included in the configuration file (Listing 2).

The filter options available with syslog-ng provide great flexibility in dealing with incoming information. In our case, we've chosen only the ones for defining hosts. Notice the trailing "$" at the end of this expression:

filter                  f_unix-server1   { host($); };
This ensures that the filter will apply only to that specific IP address and not some other similar IP. In other words, we don't want logs from going to the log file setup for

Another useful option, especially for network devices, is the facility filter. For example, if you have a firewall device that only permits a few types of facility definitions in its syslog capability, you may need to designate a local facility to rules event logging and another local facility to authentication failure events.

For example, in our environment, the rule event logging is extensive and creates large log files. Rather than weed through those events looking for authorization failures to the device and other alarm events, we split them up with different local facilities and then separate them into different files when they arrive at the loghost.

Similar arrangements would also be helpful if, for example, you wanted to log account audit events (on Unix, Windows, or network devices) to a different file than the main traffic from a particular host. In syslog-ng.conf, to filter an event by a specific facility, you would specify a filter line like this:

filter                  f_local1        { facility(local1); };
and then use that filter in a log line to make sure those events end up in the right file:

log { source(src);   filter(f_firewall1); filter(f_local1); \
Note that the configuration file shown in Listing 2 is very explicit about incoming IP addresses and destinations for log files. To get around this, it's possible to take advantage of syslog-ng variables such as $HOST and $FACILITY for use in creating files dynamically. This is especially tempting on a larger network when setting up explicit rules for each host becomes cumbersome. However, this is a bad idea as the variable values rely on information coming to syslog-ng from the wire. Any information from the wire should be treated with suspicion and should certainly not be used as part of a system call to create a file name. The online FAQ also has an item about these options.

Log Rotation Using logrotate.d

To help manage the log files we're now collecting, we'll use the logrotate setup that comes with the Red Hat distribution. Create a file called "syslog-ng" and place it in your logrotate.d include directory. The default directory on most Linux systems is /etc/logrotate.d. Add a stanza like the one below for each host's log files. rotate 8 rotates in a cycle of eight (weeks). We're also compressing each file with compress; however, with delaycompress included, logrotate will only do so after you have two uncompressed files available (i.e., unix-server1.log and unix-server1.log.1).

If you have the disk space, you might consider using delaycompress; it is a convenient option if you frequently spot check log activity by hand because you won't need to uncompress them first:

/var/syslog-ng/hosts/unix-server1.log {
    rotate 8
        /bin/kill -HUP 'cat /var/run/ 2>/dev/null' \
          2>/dev/null || true
Configuring the Clients

Now we're ready to configure each of the client machines. We chose to have each host log to itself as well as to the central loghost for the sake of redundancy and for comparing entries in the event of a security incident. So, we'll just add a line to the syslog.conf file to send all information above the info level to the loghost:

*.info                                    @loghost
Be sure that the whitespace between "*.info" and "@loghost" are tabs and not spaces. Next, make sure that "loghost" is defined in your /etc/hosts file or in your name service. Restart the syslog service. To test the new installation, run logger -p local0.notice local0.notice and make sure that an entry arrived and was logged in the appropriate file on the central loghost.

For Windows hosts, several software packages are available for sending Windows eventlog entries to a syslog host. EventReporter ( works particularly well; it is quite easy to install/configure and is inexpensive.

For whatever package you use, make sure you configure the software to include the Windows log type (Application, System, Security, etc.). This information can be very helpful when writing watch and alert scripts.

For network devices, your mileage may vary but most firewalls, routers, and switches should have a syslog capability of some sort. Just configure them to forward their events to the IP of the centralized loghost. As mentioned previously, for some of the more basic implementations, you may need to designate local facilities to different logging event types and then filter them accordingly at the central loghost.


Consolidating log files can be a tremendous help to systems administrators in their daily duties of log monitoring and security incident reviews. syslog-ng offers a flexible system for receiving log files from a variety of sources. If you combine that with free rotation utilities and inexpensive Windows utilities, you can centralize logging from almost every host in your network and build tools to monitor them all from one location. After it's all done, don't forget to back up those logs to tape regularly!


syslog-ng FAQ --

Central loghost HOWTO --


I thank Rich Simon for his review and comments on this paper.

Corey Ramsden is the Director of Systems for a small online education company. He holds a degree in Political Science from Loyola College in Maryland and has 7 years of experience managing heterogeneous workstation and server environments. He can be reached at: