Syslog-ng Configuration For Newbies

Some time ago I was asked by my friend to recommend a cost-free solution that he could use for storing the logs of his security device over the network. A Linux OS with syslog-ng installed is perfectly suitable for this job because it can collect logs from any source, process them in near real-time and deliver them to a wide variety of destinations. However, it was a challenge to explain all the steps in an easy manner as he was a total newbie in the Linux world. For this reason I wrote a basic installation and configuration manual for him which I share with you. The manual helps you to set up syslog-ng on an Ubuntu server and troubleshoot possible issues.

1. Install Ubuntu 16.04 Server Edition

During the Ubuntu installation you are asked to provide a username/password and IP settings. Once the installation process finishes, the system reboots. When you get your console back, log in and install updates with the commands:

$ sudo su
# apt-get update
# apt-get upgrade

2. Install and Configure Syslog-ng

# apt-get install syslog-ng

First, you need to download a simple configuration file that I created for you. Change the username ubuntu inside the file to your username. Type the command whoami to get your username.

# cd /etc/syslog-ng/conf.d
# wget https://brezular.com/wp-content/uploads/2016/12/firewals.conf_.txt -O firewals.conf
# service syslog-ng restart

3. Static IP Address Configuration

You probably need to configure a static IP address for the interface. Find the name of your Ethernet interface with the ifconfig command. Then edit the file /etc/network/interfaces with the nano or vim editor and configure the IP settings. Below is an example of a static IP configuration for the interface ens3.

Picture 1 - Static IP Address Configuration

Restart the network service with the command:

# service networking restart

4. Troubleshooting

The syslog-ng service should listen on all IP addresses on TCP and UDP port 514.

# netstat -tulpn | grep 514

Picture 2 - TCP/UDP Port 514 Opened by Syslog-ng Service

If you want syslog-ng to listen on a particular IP address instead of all IP addresses, replace the IP address 0.0.0.0 with the desired IP address in the configuration file /etc/syslog-ng/conf.d/firewals.conf. You can also change the owner of the saved log files there. Do not forget to restart the syslog-ng service after changing the config file.

Logs are placed in the directory /var/log/firewalls. Check the content of the directory with the command:

# ls -l /var/log/firewalls/
total 8
drwxr-x--- 3 ubuntu ubuntu 4096 Dec 8 20:16 192.168.0.1
drwxr-x--- 3 ubuntu ubuntu 4096 Dec 8 20:18 192.168.0.2

As you can see, there are two directories, 192.168.0.1 and 192.168.0.2, that were automatically created by syslog-ng based on the IP addresses of the devices we are collecting logs from.

Picture 3 - Testing Topology

Our configuration file tells syslog-ng to create a directory structure IP_of_device/year/month for each contributing device. For each day a log file is created inside the IP/year/month directory. Let's inspect the log file of the router 192.168.0.1.

# cat /var/log/firewalls/192.168.0.1/2016/12/192.168.0.1-2016-12-08.log
Dec 8 20:16:45 192.168.0.1 : %SYS-5-CONFIG_I: Configured from console by console
Dec 8 21:14:21 192.168.0.1 : %SYS-5-CONFIG_I: Configured from console by console
Dec 8 21:15:33 192.168.0.1 : %LINK-5-CHANGED: Interface GigabitEthernet1/0, changed state to administratively down
Dec 8 21:15:34 192.168.0.1 : %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to down
Dec 8 21:17:28 192.168.0.1 : %SYS-5-CONFIG_I: Configured from console by console
Dec 8 21:22:32 192.168.0.1 : %LINK-3-UPDOWN: Interface GigabitEthernet1/0, changed state to up
Dec 8 21:22:34 192.168.0.1 : %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to up
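For reference, the following syslog-ng configuration fragment is an added example that reproduces the behaviour described above (listening on 0.0.0.0 on TCP and UDP port 514, one IP/year/month directory per device, daily log files owned by ubuntu). It is not the author's firewals.conf; the names s_network and d_firewalls and the use_dns(no) setting are assumptions.

```conf
# Added example, not the author's firewals.conf. Save it under /etc/syslog-ng/conf.d/
# (that directory is included by /etc/syslog-ng/syslog-ng.conf, which already declares @version).

# Listen on all addresses, TCP and UDP port 514. To restrict the listener
# to one interface, replace 0.0.0.0 with that interface's address.
# use_dns(no) is an assumption: it keeps $HOST as the sender's IP address,
# which yields the IP-named directories shown in the ls -l output above.
source s_network {
    network(ip("0.0.0.0") port(514) transport("udp") use_dns(no));
    network(ip("0.0.0.0") port(514) transport("tcp") use_dns(no));
};

# One file per device and day: /var/log/firewalls/<IP>/<year>/<month>/<IP>-<year>-<month>-<day>.log
# Replace ubuntu with the output of whoami. Directories are created on demand
# with mode 0750, matching the drwxr-x--- entries in the directory listing.
destination d_firewalls {
    file("/var/log/firewalls/$HOST/$YEAR/$MONTH/$HOST-$YEAR-$MONTH-$DAY.log"
         owner("ubuntu") group("ubuntu") perm(0640)
         dir_owner("ubuntu") dir_group("ubuntu") dir_perm(0750)
         create_dirs(yes));
};

log { source(s_network); destination(d_firewalls); };
```

Before restarting the service, check the syntax with syslog-ng -s; a typo in the file otherwise leaves syslog-ng stopped and the port 514 listener missing from the netstat output.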

5. Configuring Network Device R1 to Send Traps to Syslog-ng

5.1 Cisco IOS

These two commands configure a Cisco router to send logs with priority 5 (notification) to a syslog server with the IP address 192.168.0.100.

R1(config)# logging trap notifications
R1(config)# logging host 192.168.0.100

5.2 VyOS

vyos@R1:~$ configure
[edit]

vyos@R1# set system syslog host 192.168.0.100 facility all level 'notice'
vyos@R1# set system syslog host 192.168.0.100 port '514'
