Have you ever wished that instead of having to manually login to a server in order to see the system log, the events would simply come to you? How-To Geek goes into how to setup a syslog collector.

Overview

Syslog is used on a variety of servers/devices to give system information to the system administrator. From its Wikipedia entry:

Syslog is a standard for computer data logging. It allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them.

Syslog can be used for computer system management and security auditing as well as generalized informational, analysis, and debugging messages. It is supported by a wide variety of devices (like printers and routers) and receivers across multiple platforms. Because of this, syslog can be used to integrate log data from many different types of systems into a central repository.

In order to tap that information, one could:

  1. Connect to the server/device. How you connect can change from device to device, and may not be possible at all depending on where the administrator is in relation to the firewall protecting the asset.
  2. Find the Syslog file. This could be in a slightly different location depending on the system/device being accessed. For example, on Debian this is "/var/log/syslog" and on DD-WRT it's "/var/log/messages" (almost as if only to spite you...).
  3. Use an available file viewing utility. Again, this could be slightly different depending on what is available on the system. For example, on Busybox the "less" utility isn't the full GNU implementation and as such is missing the "Scroll forward" (+F) function.

The alternative would be to set up a Syslog collector and have the Syslog-ing servers/devices send the events to it.

Prerequisites & Assumptions

  • A device that supports remote Syslog-ing. In this article we will use DD-WRT as an example.
  • Syslog uses UDP port 514, so the collector must be reachable on that port from the device sending the information.
  • Some basic networking know-how is assumed.

Set up the Syslog collector

In order to collect the events, one needs to have a Syslog server. While there are a multitude of options like "Kiwi" and "PRTG" to mention a few, we opted to use "Syslog Watcher".

Note: It is recommended that the collecting server use an IP address that won't change, either by assigning it statically or by reserving it in DHCP.

  • Download the latest Syslog Watcher.
  • Install in the regular "next -> next -> finish" fashion.
  • Open the program from the "start menu".
  • When prompted to select the mode of operation, select: "Manage local Syslog server".
  • If prompted by Windows UAC, approve the administrative rights request.
  • Start the service by clicking the huge "Play" button on the top left.

While you could further configure the program, for example as shown in the video tutorials, you don't have to; it is ready to roll.
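To show what the collector actually receives on UDP 514, here is a minimal collector added to this article (it is not part of Syslog Watcher or the original post). It decodes the BSD-style "<PRI>" header into facility and severity and keeps malformed datagrams instead of dropping them. The sample line at the bottom, including the "DD-WRT" hostname and the sender address, is constructed.

```python
import re
import socket
from dataclasses import dataclass

# RFC 3164 priority: PRI = facility * 8 + severity (severity is the low 3 bits).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# BSD-style line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MESSAGE
BSD_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                    r"(?P<host>\S+) (?P<rest>.*)$", re.DOTALL)

@dataclass
class SyslogEvent:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    message: str

def parse_bsd_syslog(raw: bytes, peer_ip: str = "?") -> SyslogEvent:
    """Decode one UDP datagram into a SyslogEvent; never raises on bad input."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = BSD_RE.match(text)
    if m is None:
        # No valid header: keep the payload and attribute it to the sender's IP.
        return SyslogEvent("user", "notice", "", peer_ip, "", text)
    pri = int(m.group("pri"))
    if pri > 191:  # facility would exceed 23; fall back to user.notice (PRI 13)
        pri = 13
    tag, sep, message = m.group("rest").partition(": ")
    if not sep:  # no "TAG: " prefix, so the whole remainder is the message
        tag, message = "", m.group("rest")
    return SyslogEvent(FACILITIES[pri // 8], SEVERITIES[pri % 8],
                       m.group("ts"), m.group("host"), tag, message)

def serve(bind_ip: str = "0.0.0.0", port: int = 514, handler=print) -> None:
    """Listen for syslog datagrams (binding port 514 needs admin rights) and hand each to handler."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, (ip, _) = sock.recvfrom(8192)
            handler(parse_bsd_syslog(data, ip))

if __name__ == "__main__":
    # Constructed sample of the kind of line a router's syslogd forwards.
    print(parse_bsd_syslog(b"<4>Jan  1 00:00:05 DD-WRT kernel: eth0: link up", "192.168.1.1"))
```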

Set up the Syslog sender

As stated above, we will use DD-WRT for this example. With that said, remote Syslog-ing is a capability supported by most self-respecting devices/OSs. Consult the documentation as to how to set it up.

On DD-WRT:

  • Go to the webGUI and select "Services".
  • Check the Enable checkbox for "Syslogd".
  • In the Remote Server textbox, put the IP/DNS of the collecting server.
  • Save & Apply for the settings to take effect.

That is it... your Syslog Watcher should start getting populated by system events.

For example, if you've implemented our "How to Remove Advertisements with Pixelserv on DD-WRT" guide, you will be able to see something like the below:

Enjoy :)


Don't try to remotely operate any space bridges... :P