Packetwatch.net

Syslog-ng in Red Hat Enterprise Linux



Last modified: Feb. 14, 2009

Contents
1 - Summary
2 - Dependencies
3 - Syslog-ng installation
4 - Service configuration
5 - Service check


1 - Summary

This guide will show how to install syslog-ng in Red Hat Enterprise Linux.
Syslog-ng is a system logging application. This has been tested in Red Hat
Enterprise Linux 4 and 5.


2 - Dependencies

Syslog-ng depends on the libevtlog library, which can be downloaded from
http://www.balabit.com/. Download and install the Red Hat package, substituting
your Red Hat release for $rel (4 or 5), your architecture for $arch (for
example i386 or x86_64) and the package version for the wildcard.
# cd ~
# wget http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/dists/rhel-$rel/syslog-ng-*/$arch/RPMS.syslog-ng/libevtlog0-*.$arch.rpm
# sudo rpm -ivh libevtlog0-*.$arch.rpm


3 - Syslog-ng installation

Syslog-ng can be downloaded at http://www.balabit.com/. Download and install
the Red Hat package, using the same $rel and $arch values as above.
# cd ~
# wget http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/dists/rhel-$rel/syslog-ng-*/$arch/RPMS.syslog-ng/syslog-ng-*.$arch.rpm
# sudo rpm -ivh syslog-ng-*.$arch.rpm


4 - Service configuration

Stop the syslog-ng service and start the syslog service.
# sudo /sbin/service syslog-ng stop
Shutting down syslog-ng: [  OK  ]
# sudo /sbin/service syslog start
Starting system logger: [  OK  ]
Starting kernel logger: [  OK  ]

Find where the syslog-ng daemon was installed.
# rpm -ql syslog-ng-* | grep sbin
/sbin/syslog-ng

Enable the syslog-ng service so that it will start when the system starts
and disable syslog so it won't start when the system starts up.
# sudo /sbin/chkconfig --list | grep syslog
syslog-ng       0:off   1:off   2:on    3:on    4:on    5:on    6:off
# sudo /sbin/chkconfig syslog off
# sudo /sbin/chkconfig syslog-ng on
# sudo /sbin/chkconfig --list | grep syslog
syslog-ng       0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:off   3:off   4:off   5:off   6:off

Find where the daemon expects its configuration file.
# grep syslog-ng.conf /etc/rc.d/init.d/syslog-ng 
# strings /sbin/syslog-ng | grep syslog-ng.conf
  -f , --cfgfile=    Set config file name, default=/etc/syslog-ng/syslog-ng.conf
/etc/syslog-ng/syslog-ng.conf

You can now write your own syslog-ng.conf. The following source definition
collects syslog-ng's own internal messages, kernel messages from /proc/kmsg and
local messages from the /dev/log socket:

  source local { internal(); file("/proc/kmsg" log_prefix("kernel: ")); unix-stream("/dev/log"); };

Keep a copy of the packaged configuration as a reference, edit the live file,
and then check its syntax with syslog-ng -s (syntax check only; the daemon exits
without starting).
# rpm -ql syslog-ng-* | grep syslog-ng.conf
/etc/syslog-ng/syslog-ng.conf
/usr/share/man/man5/syslog-ng.conf.5.gz
# sudo cp /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf.example
# sudo vi /etc/syslog-ng/syslog-ng.conf
# sudo /sbin/syslog-ng -s -f /etc/syslog-ng/syslog-ng.conf
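The guide leaves the rest of syslog-ng.conf to you. The following complete
configuration is an added example, not taken from the guide or from the
syslog-ng package: it builds on the source definition above and reproduces
the log file layout of the stock RHEL syslog.conf (messages, secure, maillog,
cron, spooler, boot.log and emergency messages to logged-in users). The log
file paths and the syslog-ng 2.x option names are assumptions that match the
RHEL defaults of the time; adjust them to your system.

```conf
# Added example syslog-ng.conf (not from the original guide): a minimal
# syslog-ng 2.x configuration for RHEL 4/5 that mirrors the file layout of
# the stock /etc/syslog.conf. Paths are assumed to match the RHEL defaults.

options {
    use_dns(no);          # do not block on reverse DNS lookups
    keep_hostname(yes);   # keep the hostname carried in received messages
    chain_hostnames(no);  # do not prepend relay hostnames
    create_dirs(yes);     # create missing log directories on startup
};

# Local sources: syslog-ng's own messages, the kernel ring buffer, and the
# /dev/log socket used by libc's syslog(3).
source local {
    internal();
    file("/proc/kmsg" log_prefix("kernel: "));
    unix-stream("/dev/log");
};

# Destinations mirror the files written by RHEL's syslogd.
destination d_messages { file("/var/log/messages"); };
destination d_secure   { file("/var/log/secure" perm(0600)); };   # auth data stays root-only
destination d_maillog  { file("/var/log/maillog"); };
destination d_cron     { file("/var/log/cron"); };
destination d_spooler  { file("/var/log/spooler"); };
destination d_boot     { file("/var/log/boot.log"); };
destination d_console  { usertty("*"); };                          # *.emerg to all users

# Filters equivalent to the selectors in the stock syslog.conf.
filter f_messages { level(info..emerg)
                    and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_secure   { facility(authpriv); };
filter f_mail     { facility(mail); };
filter f_cron     { facility(cron); };
filter f_emerg    { level(emerg); };
filter f_spooler  { (facility(uucp) or facility(news)) and level(crit..emerg); };
filter f_boot     { facility(local7); };

# Log paths: each statement joins a source, a filter and a destination.
log { source(local); filter(f_messages); destination(d_messages); };
log { source(local); filter(f_secure);   destination(d_secure); };
log { source(local); filter(f_mail);     destination(d_maillog); };
log { source(local); filter(f_cron);     destination(d_cron); };
log { source(local); filter(f_emerg);    destination(d_console); };
log { source(local); filter(f_spooler);  destination(d_spooler); };
log { source(local); filter(f_boot);     destination(d_boot); };
```

After saving the file, run the syntax check shown above (syslog-ng -s -f
/etc/syslog-ng/syslog-ng.conf) before switching services; a configuration
error found only at boot leaves the system without any logger.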

SELinux must also be configured to allow syslog-ng to run. Check whether
SELinux is enabled by running sestatus.
# sudo /usr/sbin/sestatus | grep status:
SELinux status:                 enabled

Stop the syslog service and start the syslog-ng service.
# sudo /sbin/service syslog stop
Shutting down kernel logger: [  OK  ]
Shutting down system logger: [  OK  ]
# sudo /sbin/service syslog-ng start
Starting syslog-ng: [  OK  ]
# sudo cat /var/run/syslog-ng.pid
3905


5 - Service check

Reboot the computer. Log in as normal and check that the syslog service is not
running and that the syslog-ng service is. That's it: syslog-ng is now running
in Red Hat Enterprise Linux.
# sudo /sbin/shutdown -r now
# sudo /sbin/service syslog status
syslogd is stopped
klogd is stopped
# sudo /sbin/service syslog-ng status
syslog-ng (pid 1878) is running...


Packetwatch Research 2002-2017.