You can see (some of) the logs using
$ tail /var/log/messages
And you can add a message using
$ logger 'hello'
Say you have dozens or hundreds of servers. You don't want to log in to each one and read its logs separately. Instead, it makes sense to forward them to a central server. It's also safer: an attacker who compromises one host can't quietly delete or edit log entries that have already been shipped to another machine.
We don't want to send potentially sensitive logs in plain text, so we'll use TLS. Note what the setup below does and doesn't give you: the client verifies the server's certificate (so it can't be tricked into shipping logs to an impostor), but the server accepts any TLS client, so this is confidentiality plus server authentication, not client authentication.
Server (10.0.2.35 aka 'loghost')
# cd /etc/ssl/private
# openssl genrsa -out loghost.key 2048                                     # generate 2048-bit RSA key
# openssl req -x509 -new -key loghost.key -out ../loghost.crt -days 365    # generate cert. set common name to loghost
# echo '10.0.2.35 loghost' >> /etc/hosts
# rcctl set syslogd flags "-S loghost"                                     # -S means listen for TLS on this address
# rcctl restart syslogd
# tail -f /var/log/messages                                                # watch for syslog messages
Client (10.0.2.36 aka 'logclient')
Add to /etc/syslog.conf (two lines; the selector and the @tls:// target are separated by a tab):

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none	@tls://loghost
auth,daemon,syslog,user.info;authpriv,kern.debug	@tls://loghost
# echo '10.0.2.35 loghost' >> /etc/hosts
# scp nonRootSSHUser@loghost:/etc/ssl/loghost.crt /etc/ssl/trusted.crt     # copy the cert from server
# rcctl set syslogd flags "-h -C /etc/ssl/trusted.crt"                     # use hostnames instead of IPs and set the TLS trust store
# rcctl restart syslogd
# logger hello from logclient                                              # you should see this on loghost
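The steps above end with "you should see this on loghost", which is the only check in the procedure. The script below is an added example (not from the original post or from OpenBSD) that wraps the same setup in functions and adds the checks a practitioner would want: it generates the server certificate non-interactively with a subjectAltName as well as the CN, prints a SHA-256 fingerprint so the copied trusted.crt can be compared against the original on loghost, performs a TLS handshake against loghost with the same trust store syslogd -C uses and fails unless verification succeeds, and does a logger round trip. It assumes syslogd is listening on the default syslog-tls port 6514, that openssl(1), logger(1) and ssh(1) are available, and that the round-trip user on loghost can read /var/log/messages. The subcommand names (cert, fp, conf, check, roundtrip) are this script's own.

```shell
#!/bin/sh
# Added example, not from the original post: automate and verify the
# loghost/logclient TLS setup.
# Assumptions: OpenBSD syslogd started with "-S loghost" (default syslog-tls
# port 6514), "loghost" resolvable on both hosts, openssl(1), logger(1) and
# ssh(1) present. The subcommand names are this script's own, not syslogd's.

LOGHOST=${LOGHOST:-loghost}
PORT=${PORT:-6514}
TRUST=${TRUST:-/etc/ssl/trusted.crt}

# Server side: self-signed cert, generated without prompts.  A subjectAltName
# is added so hostname checks do not depend on the CN alone.
make_server_cert() {
    key=$1; crt=$2; name=$3
    cfg=$(mktemp) || return 1
    cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $name
[ext]
subjectAltName = DNS:$name
EOF
    (umask 077 && openssl genrsa -out "$key" 2048) &&
        openssl req -x509 -new -key "$key" -out "$crt" -days 365 -config "$cfg"
    rc=$?
    rm -f "$cfg"
    return $rc
}

# SHA-256 fingerprint of a PEM cert.  Run on loghost and again on logclient
# after the scp; the two must match, otherwise the client is pinning a file
# that is not the server's certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Client side: the two forwarding lines for /etc/syslog.conf (tab-separated).
client_conf() {
    printf '%s\t@tls://%s\n' \
        '*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none' "$1" \
        'auth,daemon,syslog,user.info;authpriv,kern.debug' "$1"
}

# Pure helper: did openssl s_client verify the server chain?  Split out so the
# parsing can be exercised on captured output without a network.
verify_ok() {
    printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Handshake with loghost using the pinned trust store, as syslogd -C would,
# and fail unless the certificate verified.
check_tls() {
    out=$(printf '' | openssl s_client -connect "$LOGHOST:$PORT" \
          -servername "$LOGHOST" -CAfile "$TRUST" 2>&1)
    verify_ok "$out"
}

# End to end: send a unique marker from the client and look for it on
# loghost.  $1 is an ssh user on loghost that can read /var/log/messages
# (group wheel on OpenBSD).
roundtrip() {
    marker="tlscheck-$(date +%s)-$$"
    logger -t tlscheck "$marker"
    sleep 2
    ssh "$1@$LOGHOST" grep -F "$marker" /var/log/messages
}

case "${1:-}" in
    cert)      make_server_cert /etc/ssl/private/loghost.key /etc/ssl/loghost.crt "$LOGHOST" ;;
    fp)        fingerprint "${2:-/etc/ssl/loghost.crt}" ;;
    conf)      client_conf "$LOGHOST" ;;
    check)     check_tls && echo "TLS to $LOGHOST:$PORT verified against $TRUST" ;;
    roundtrip) roundtrip "${2:?ssh user on loghost}" ;;
esac
```

Typical use: `sh tlslog.sh cert` and `sh tlslog.sh fp` on loghost, then on logclient `sh tlslog.sh conf >> /etc/syslog.conf`, `sh tlslog.sh fp /etc/ssl/trusted.crt` (compare with the server's output), `sh tlslog.sh check` after restarting syslogd, and finally `sh tlslog.sh roundtrip nonRootSSHUser`. The fingerprint comparison is the step that matters most: scp only protects the copy as far as you trust loghost's SSH host key, and syslogd -C will happily pin whatever ends up in trusted.crt.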
If you need to debug syslogd, stop the running instance (rcctl stop syslogd) and run it in the foreground with the same flags plus -d, for example
/usr/sbin/syslogd -d -h -C /etc/ssl/trusted.crt
It then prints what it is doing, including TLS connection attempts and failures, to the terminal.