Rsyslog is now de facto the syslog engine for Ubuntu (since 10.10).
I used syslog-ng for long but know I need to update my knowledge.
Centralizing syslog event from firewalls, appliances or other hosts to a rsyslog server is a must to have.
1. Things to think about
TCP and UDP reception is not by default turned on.
You need to load the imtcp plugin in order to enable it. This needs to be done only once in rsyslog.conf. Do it right at the top.
Edit the /etc/rsyslog.conf and enable the required protocols
# provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 # provides TCP syslog reception $ModLoad imtcp $InputTCPServerRun 514
Then create basic rules to forward the REMOTE events to a dedicated log file
# do this in FRONT of the local/regular rules if $fromhost-ip startswith '192.0.1.' then /var/log/network1.log & ~ if $fromhost-ip startswith '192.0.2.' then /var/log/network2.log & ~
2. How it works
It is important that the rules processing the remote messages come before any rules to process local messages. The if’s above check if a message originates on the network in question and, if so, writes them to the appropriate log. The next line (“& ~”) is important: it tells rsyslog to stop processing the message after it was written to the log. As such, these messages will not reach the local part. Without that “& ~”, messages would also be written to the local files.
Also note that in the filter there is a dot after the last number in the IP address. This is important to get reliable filters. For example, both of the addresses “126.96.36.199” and “188.8.131.52” start with “192.0.1” but only one actually starts with “192.0.1.”!
If you use rsyslog to forward events to the central server, just add :
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional *.* @@remote-host:514
More info on : http://www.rsyslog.com/