I have several systems that run constantly and others just as needed. One thing I really wanted was a centralized logging server. I could have configured a syslog server on my Red Hat mini, for example, but since I already had a Synology, why not use it for this? I have ample storage space, and the interface on Synology makes it perfect for home use. Obviously there are more robust solutions out there, but for what I need it’s fine.
First things first
The first thing you will need to do is set up the receiver on the Synology for Log Center. Once you click on the Log Center icon you will get the management window. Here you configure Log Receiving. You will need to configure: Name, Log Format, Rule (optional), Protocol and Port.
Next click on Log Center
In my example I already had it configured so I am just editing. As a new entry it will look the same but your values may be different. In my example I chose the following:
Name: Server
Log format: BSD format
Rule parameters: None
Transfer protocol: UDP
Port: 514
The next thing you will want to do is set the criticality level of the information you want to receive. In my example I have chosen severity level: Critical, Alert, Emergency. Keep in mind that if you are getting alerts you don’t deem necessary, you can add “Rule Parameters” under the “Log Receiving” settings. You can also limit what is sent on the client side in the /etc/syslog.conf or /etc/rsyslog.conf file, depending on what Linux, Unix or macOS you have.
Okay, we are now done with the receiving side. Now let’s set up the clients.
Forward Syslog Data to Receiver
In this example I will show where and what to set up for macOS. In my case I am sending out everything, but you can limit what you send if you like by changing “*.*” to something like: “authpriv.*;auth.info” for Linux. Below for macOS I am sending everything to the receiving host:
    vi /etc/syslog.conf
    ===============
    # syslog.conf
    # Note that flat file logs are now configured in /etc/asl.conf
    install.* @127.0.0.1:32376
    # used for the adaptive firewall: man emlog.pl
    auth.* @127.0.0.1:60762
    # To send everything to Log server
    *.* @10.0.1.166:514
Once we are satisfied we will need to restart the syslog daemon.
    # sudo launchctl stop com.apple.syslogd
    # sudo launchctl start com.apple.syslogd
Let’s test it to see if it works
We can now test it. Open a terminal on the macOS client and enter the following:
    # logger -s -p user.info Testing macOS forwarding
    Testing macOS forwarding
If everything worked correctly, within a minute or so you should see your test alert. If you don’t see it right away, hit the refresh button at the “bottom right”.
If everything looks good you can set up a forwarder on Linux if you like or have it. Below is an example of how to do this.
Red Hat 7+ rsyslogd Example
The rsyslog.conf file resides in /etc. Back up, then edit the config file:
    # cp -p /etc/rsyslog.conf /etc/rsyslog.conf.`date +%m%d%y`
    # vi /etc/rsyslog.conf
In our case we are just going to change two lines and send everything out.
Ensure that any line that logs to a file other than the security log (generally /var/log/secure or /var/adm/secure) does not include the security facilities (auth, authpriv (Linux only), and security (AIX only)). For example, a Linux system with a general logging line such as this:
    *.info;mail.none;cron.none /var/log/messages
Would become:
    *.info;mail.none;cron.none;auth.none;authpriv.none /var/log/messages
Also add the following line to send out everything. You can change this once you have tested if you want to restrict what is sent.
    # Send everything to Synology
    *.* @10.0.1.166:514
Once you have it the way you want it, go ahead and restart the rsyslog daemon.
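One way to check the edited file against the rule above about keeping auth and authpriv out of general log files, as an added example that is not part of the original post. The function names and the sample configuration are constructed for illustration, and the parser handles only legacy selector/action lines, treating any priority other than none as a match.

```python
import re

# Assumption: the security facilities and log paths named in the text (Linux).
SECURITY_FACILITIES = ("auth", "authpriv")
SECURITY_LOGS = {"/var/log/secure", "/var/adm/secure"}

# Constructed sample, modelled on the rsyslog.conf lines shown in the article.
SAMPLE = """\
# general log, before the fix
*.info;mail.none;cron.none                          /var/log/messages
*.info;mail.none;cron.none;auth.none;authpriv.none  /var/log/messages.fixed
authpriv.*                                          /var/log/secure
mail.*                                              -/var/log/maillog
*.* @10.0.1.166:514
"""

def leaked_facilities(selector):
    """Return the security facilities a legacy selector list still matches."""
    enabled = dict.fromkeys(SECURITY_FACILITIES, False)
    for part in selector.split(";"):  # later parts override earlier ones
        facilities, _, priority = part.strip().partition(".")
        for fac in facilities.split(","):
            for name in (SECURITY_FACILITIES if fac == "*" else (fac,)):
                if name in enabled:
                    enabled[name] = priority != "none"
    return [f for f in SECURITY_FACILITIES if enabled[f]]

def audit(conf_text):
    """List (line_no, path, facilities) for file rules that capture auth data."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith(("#", "$")):
            continue  # comments and legacy $ directives
        rule = re.match(r"(\S+)\s+-?(/\S+)$", line)
        if not rule:
            continue  # forwarding (@host), modules, anything not a file action
        selector, path = rule.groups()
        leaked = leaked_facilities(selector)
        if leaked and path not in SECURITY_LOGS:
            findings.append((no, path, leaked))
    return findings

if __name__ == "__main__":
    for no, path, leaked in audit(SAMPLE):
        print(f"line {no}: {path} receives {', '.join(leaked)}")
```

To run it against the real file, pass the contents of /etc/rsyslog.conf to audit(); an empty list means no file rule outside the security log still matches auth or authpriv.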
    # systemctl restart rsyslog
    # systemctl status rsyslog
    ● rsyslog.service - System Logging Service
       Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
       Active: active (running) since Sun 2020-04-26 09:11:11 EDT; 7s ago
         Docs: man:rsyslogd(8)
               http://www.rsyslog.com/doc/
     Main PID: 18527 (rsyslogd)
        Tasks: 3
       CGroup: /system.slice/rsyslog.service
               └─18527 /usr/sbin/rsyslogd -n

    Apr 26 09:11:11 rhminisrv.localdomain systemd: Starting System Logging Ser...
    Apr 26 09:11:11 rhminisrv.localdomain rsyslogd: [origin software="rsy...
    Apr 26 09:11:11 rhminisrv.localdomain systemd: Started System Logging Serv...
    Hint: Some lines were ellipsized, use -l to show in full.
Now we can test it. On the Linux server enter the following:
    # logger -s -p user.info Testing Redhat7 forwarding
    andy: Testing Redhat7 forwarding
If you don’t see this, go ahead and close Log Center and reopen it. If everything was set up correctly you will see messages start coming through. That’s it!