Configure a RHEL MDS as a syslogd loghost (syslog collection server)

(from http://lonesysadmin.net/2011/01/13/how-to-configure-remote-syslogd-on-red-hatcentos-5/)

1. This logs all the logs from any number of external hosts to the /var/log/messages and other logs.

2. Edit /etc/sysconfig/syslog. Add “-r” to the SYSLOGD_OPTIONS line:

#CODE

SYSLOGD_OPTIONS="-m 0 -r"

Restart syslogd with:

#CODE

/usr/bin/sudo /sbin/service syslog restart

(note that the service is ‘syslog’ and not ‘syslogd’)

3. Verify that syslogd is listening on port 514 using netstat:

#CODE

$ sudo netstat –anp | grep 514
udp        0      0 0.0.0.0:514      0.0.0.0:*       5332/syslogd

4. Change another host to use the syslogd host. On another Linux box the format is in /etc/syslog.conf is something like:

#CODE

*.info;cron.!=info;mail.none;local0.notice          @logs.company.com

where logs.company.com is the machine you just set up to listen to syslog messages.

You’ll need to restart that host’s syslog to make the change. If you “tail –f /var/log/messages” on the log host you should be able to use /usr/bin/logger on the client host to make messages appear.

Client:

#CODE

$ logger hey

Syslog server:

#CODE

$ sudo tail -f /var/log/messages
…
Jan 13 15:33:37 clienthost plankers: hey

Keep in mind that syslog will sort messages into the categories it already has defined in /etc/syslog.conf. So if you send mail log data (mail.*) they’ll end up in /var/log/maillog by default.

5. You may wish to change your log rotation schedule to prevent large files. You can do this in /etc/logrotate.conf.

6. Searching, etc. can be done with standard UNIX tools like grep, tail, less, etc. in /var/log.