9.12. syslog server

Warning

Be aware of the fact that logfiles can sometimes become really huge, and since they are placed in the directory /var/log, which has limited space, they might fill up this partition 100%. You will then see services such as dhcp-server, proxy server and LDAP authentication simply stop functioning, since they can't write to any logfile. Therefore, make sure /var/log is big enough for all your logfiles.

If /var/log suddenly becomes 100% full, then you can either resize it, as described under the resize of vg_system/lv_var, or, if you are in a hurry, delete some old logfiles. Look for files in /var/log with a numeric extension, like syslog.0; these files can be deleted, although any information they contain will of course be lost.

A quick way to find the 10 potentially biggest files in /var/log is:


tjener:~# cd /var/log/
tjener:/var/log# ls -lrSh | tail -n 10
-rw-r--r--  1 root        root   255K 2005-10-26 20:36 base-config.log.1
-rw-r-----  1 root        adm    561K 2006-04-19 06:25 syslog.0
-rw-r-----  1 root        adm    694K 2006-04-19 20:22 syslog
-rw-r-----  1 root        adm    702K 2006-04-19 20:22 daemon.log
-rw-r-----  1 root        adm    805K 2006-04-16 06:46 daemon.log.0
-rw-r-----  1 root        adm    11M 2006-03-03 06:25 debug.4.gz
-rw-r-----  1 root        adm    12M 2006-03-03 06:25 kern.log.4.gz
-rw-r-----  1 root        adm    12M 2006-04-19 20:23 auth.log
-rw-r-----  1 root        adm    13M 2006-04-16 06:25 auth.log.0
-rw-rw-r--  1 root        utmp   290M 2006-04-19 20:23 lastlog.0
Here I would delete the files lastlog.0 and auth.log.0.
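The same check, as an added example that is not part of the manual: a small POSIX shell script that reports how full the filesystem holding /var/log is, lists the largest files in it, and lists the rotated copies (numeric extension or a compressed rotation like kern.log.4.gz) that can be deleted when space is short. It assumes GNU or busybox find (for -maxdepth) and the usual du and df; the directory argument is optional and defaults to /var/log.

```shell
#!/bin/sh
# Added example, not from the Debian-Edu manual: size report for a log
# directory. Assumes find supports -maxdepth (GNU find and busybox do).

# Print the N largest regular files in a directory, largest first,
# as "size-in-KiB<TAB>path". Usage: biggest_logs [dir] [count]
biggest_logs() {
    dir="${1:-/var/log}"
    count="${2:-10}"
    find "$dir" -maxdepth 1 -type f -exec du -k {} + | sort -rn | head -n "$count"
}

# Print rotated logfiles: numeric suffix (syslog.0, auth.log.0, lastlog.0)
# or a compressed rotation (debug.4.gz). These are deletion candidates;
# the live files (syslog, auth.log, ...) are deliberately not listed.
rotated_logs() {
    dir="${1:-/var/log}"
    find "$dir" -maxdepth 1 -type f \
        \( -name '*.[0-9]' -o -name '*.[0-9][0-9]' \
           -o -name '*.[0-9].gz' -o -name '*.[0-9][0-9].gz' \) | sort
}

# Print how full (percent, without the % sign) the filesystem holding
# the directory is. 100 here is the condition the warning above describes.
usage_percent() {
    dir="${1:-/var/log}"
    df -P "$dir" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Human-readable summary combining the three checks.
report() {
    dir="${1:-/var/log}"
    echo "Filesystem holding $dir is $(usage_percent "$dir")% full"
    echo "Largest files (KiB):"
    biggest_logs "$dir" 10
    echo "Rotated logfiles that can be deleted if space is short:"
    rotated_logs "$dir"
}

# Run the report when executed with a directory argument, e.g.
# "sh logsize.sh /var/log"; sourcing the file only defines the functions.
[ $# -gt 0 ] && report "$1"
```

Unlike ls -lrSh, du reports allocated blocks, so a sparse file such as lastlog shows the space it actually uses rather than its apparent size.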

The main server in Skolelinux/Debian-edu is set up to receive the logfiles from the other machines in the Skolelinux/Debian-edu network, such as the thin client server and workstations. Other devices, such as firewalls, routers and printers, can be configured to send their logfiles to the main server as well; this is achieved by specifying the address 10.0.2.2 as remote syslog server in the appropriate place on such devices.

In the case of the firewall/router Coyote Linux, configuring it to use the main server as remote syslog server is done during the creation of the floppy, but can also be done at a later time via http://10.0.2.1:8180; there, look for "Optional Configurations" and the field "Remote Logging Host", as in this image:

Figure 9-32. Remote logging setup in Coyote Linux

If you log on to your Coyote Linux firewall with ssh, like ssh root@10.0.2.1, then you can set up the remote logging host using:

                Coyote Linux Gateway -- Configuration Menu


  1) Edit main configuration file         2) Change system password
  3) Edit rc.local script file            4) Custom firewall rules file
  5) Edit firewall configuration          6) Edit port forward configuration

  c) Show running configuration           f) Reload firewall
  r) Reboot system                        w) Write configuration to disk

  q) quit                                 e) Exit
  ----------------------------------------------------------------------------
  Selection: 1
and there add 10.0.2.2 to the line
LOGGING_HOST='10.0.2.2'

If you are using m0n0wall, then you do that under Diagnostics, Logs, Settings, and there add 10.0.2.2 to "IP address of remote syslog server", like this:

Figure 9-33. Remote logging setup in m0n0wall

Once you have all machines and devices sending their syslog info to the main server, it's time to have a look at what is reported. The most important logfile is probably syslog, and looking at it in real time as things are written to it is possible with tail --follow /var/log/syslog. Here you see the log sent by a thin client server as a thin client boots up:


tjener:~# tail --follow /var/log/syslog
Dec 19 11:15:52 ltspserver01 dhcpd: DHCPACK on 192.168.0.10 to 00:01:02:4c:85:fb via eth1
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.0 to 192.168.0.10:2070
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.0 to 192.168.0.10:2071
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/01-00-01-02-4c-85-fb to 192.168.0.10:57089
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0A8000A to 192.168.0.10:57090
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0A8000 to 192.168.0.10:57091
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0A800 to 192.168.0.10:57092
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0A80 to 192.168.0.10:57093
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0A8 to 192.168.0.10:57094
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0A to 192.168.0.10:57095
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0 to 192.168.0.10:57096
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C to 192.168.0.10:57097
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/default to 192.168.0.10:57098
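A quick way to verify that every machine you configured really reaches the main server is to list the hosts that appear in /var/log/syslog. The script below is an added example, not part of the manual: it reads syslog lines in the traditional sysklogd format ("Mon DD HH:MM:SS host program[pid]: message") from standard input and summarises them per host and program. The sample log embedded in it is constructed from the thin client boot above plus one made-up line from a host called "gateway", standing in for a firewall that sends to 10.0.2.2.

```shell
#!/bin/sh
# Added example, not from the Debian-Edu manual: summarise sysklogd-format
# syslog lines by sending host and program name.

# Print "host program count" for each host/program pair, sorted.
# Field 4 is the hostname because awk splits on runs of whitespace, so
# "Dec  9" (two spaces) and "Dec 19" both yield the host as $4.
syslog_summary() {
    awk '{
        host = $4
        prog = $5
        sub(/\[[0-9]+\]:$/, "", prog)   # strip "[pid]:" as in atftpd[22121]:
        sub(/:$/, "", prog)             # strip a bare ":" as in dhcpd:
        count[host " " prog]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Print each distinct reporting host once. Compare this list with the
# machines you configured to log to 10.0.2.2: a missing host means its
# messages are not arriving.
hosts_seen() {
    awk '{ print $4 }' | sort -u
}

# Constructed sample: the thin client boot from the manual plus one
# invented line from a host "gateway".
SAMPLE_LOG='Dec 19 11:15:52 ltspserver01 dhcpd: DHCPACK on 192.168.0.10 to 00:01:02:4c:85:fb via eth1
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.0 to 192.168.0.10:2070
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.0 to 192.168.0.10:2071
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/01-00-01-02-4c-85-fb to 192.168.0.10:57089
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0A8000A to 192.168.0.10:57090
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0A8000 to 192.168.0.10:57091
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0A800 to 192.168.0.10:57092
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0A80 to 192.168.0.10:57093
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0A8 to 192.168.0.10:57094
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0A to 192.168.0.10:57095
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C0 to 192.168.0.10:57096
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/C to 192.168.0.10:57097
Dec 19 11:15:52 ltspserver01 atftpd[22121]: Serving /tftpboot/pxelinux.cfg/default to 192.168.0.10:57098
Dec 19 11:16:03 gateway cron[123]: (root) CMD (run-parts /etc/cron.hourly)'

# "sh logsummary.sh --demo" runs on the sample; otherwise pipe a real
# file in, e.g. "syslog_summary < /var/log/syslog" after sourcing this file.
if [ "${1:-}" = "--demo" ]; then
    echo "Hosts seen:"
    printf '%s\n' "$SAMPLE_LOG" | hosts_seen
    echo "Messages per host and program:"
    printf '%s\n' "$SAMPLE_LOG" | syslog_summary
fi
```

Because the output is sorted, the summary can be saved once and diffed against later runs, which makes a host that has stopped reporting stand out immediately.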

Note

You must be root to be allowed to read most of the files in /var/log. If you are logged on as a normal user, you may become root with the command su.