Since dec 2006
1'942'871 Visitors
4'218'042 Pages

Nov 2010 Stats
82'909 Visitors
146'476 Pages
196 countries
Full statistics

Help us translate
our tutorials!

JOIN the
OpenManiak Team.
Blaise Carrera
Tutorials creation:
Blaise Carrera
Giovanni Fredducci
Angel Chraniotis
Moham. H. Karvan
Alexandro Silva
Blaise Carrera
Andrei Chertolyas
Sergiy Uvarov
Nickola Kolev
Łukasz Nowatkowski
Ivo Raisr
Catalin Bivolaru
Bogdan A. Costea
Kirill Simonov
Oliver Mucafir
JaeYoung Jeon
Seungyoon Lee
Jie Yu & Si Cheng
Tao Wei
Fumihito Yoshida
Muhammad Takdir
Çağdaş Tülek
Leslie Luthi
Joe Anderson
Jennifer Ockwell
Nigel Titley
Alison Rees
Sabrina Barbey
Blaise Carrera
PHPSYSLOG-NG - The Easy Tutorial - Syslog Clients

PHP-Syslog-NG Other
Last Change : Dec 07 2010


Details What is phpsyslog-ng ?
Tutorial php-syslog-ng
Syslog Clients

If you like our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!

Here is the configuration of three common syslog clients, that can forward logs to our syslog server.


1. LINUX clients

To forward logs from a linux machine to a log collector, you can either use syslogd which is the default syslog on a linux machine or syslog-ng.

- syslogd

Open the /etc/syslogd.conf file. You have to use the following syntax:

facility.level destination

Here are some examples:

# all the logs are forwarded to
# the alerts and emergencies kernel messages will be sent to
Restart the server:

etc/init.d/sysklogd restart
- syslog-ng

# apt-get install syslog-ng
The configuation of the syslog-ng client is a little more difficult than the syslogd one but you can do much more with it. For example, use filters, send log over TCP or encrypt the logs sent to the server.
Let's see how to configure the syslog-ng client:
Open the /etc/syslog-ng/syslog-ng.conf config file
Here is the basic syntax, it is self explanatory:

Here are some examples:
All the logs are sent to the log server.

source s_all {
file("/proc/kmsg" log_prefix("kernel: "));

destination d1 { udp(""); };

In this second example, we are using a filter to select which logs will be sent to the server. The filter will include notice, alert and error level messages. In the same time, they must originate from the kernel facility.
For more information about a log message syntax, please check the linode website.
The logs will be sent over TCP, port 54321 instead of the UDP port 514 default settings.
Of course, if you want to change the port used to send the logs, the log collector must be able to listen to that port.

source s_all {
file("/proc/kmsg" log_prefix("kernel: "));

filter filter1 { level(notice, alert, errot) and facility(kern); };

destination d1 { tcp("" port (54321)); };

Don't forget to open the 54321 TCP port on the syslog server. The port has to be declared in a source definition that will be used in a log statement in the /etc/syslog-ng/syslog-ng.conf file(on the server). Here is an example:

source s_all {
file("/proc/kmsg" log_prefix("kernel: "));
In the example illustrated above, the syslog server can listen to both the 514 UDP and 54321 TCP ports.

Top of the page

2. WINDOWS clients

The log messages on a Micorsoft Windows can be viewed in the event viewer. To access it: right click on "My Computer" followed by "Manage".

computer management event viewer

Unfortunately, Windows by itself cannot forward the logs generated by the event viewer to a syslog server. A tool called Snare is required for this function. Snare developed by the Interselect Alliance is known to be one of the best free tools for this purpose. This an open source software released under the terms of the GNU Public Licence ( GPL).
The Snare agent is availabe for download on the Interselect Alliance Website.

Let's install the tool:
Start by setting the syslog-ng server address. Click on setup -> Audit Configuration.
In our example, the syslog server is

audit configuration

Then set which type of logs will be sent to the server. By default, there are already some preconfigured rules as you can see for yourself at the bottom of the screenshot above.
You can edit an existing condition or add a new one.

Create or Edit an Objective

On the Snare console, you can check the logs that will be sent to the server.

Snare Remote event logging for Windows

A very useful option of the Snare agent is that you can access it remotely via a web interface.
Click on setup -> Remote Control Configuration
Try to leave the default 6161 port. If you absolutely want or need to change it, make sure that your server does not already need to use this new port for any other application.

Snare Remote Control configuration

Now, we can access the Snare agent through a web browser:

Snare version version status page

Top of the page

3. CISCO clients

Here is what you have to configure on your Cisco switches or routers running an IOS software. As you will see for yourself, it is very easy.
Only the first command is mandatory:

logging syslog-ip-address
Tell the Cisco device where to send the logs. The logs can be sent to several syslog servers.
Below an example where the logs are sent to two log collectors.

Cisco_device#configure terminal

logging trap level
Tells the Cisco device which kind of alerts will be sent. The default trap level is informational. If this mode is selected or if no logging trap command is set, the informational or more critical messages like emergencies will be sent to the syslog server but the debugging messages will be filtered.
Be careful if you are using the logging trap debug command because a huge amount of log can be sent very quickly to the syslog server.
For more informations about the different types of log levels, please have a look at the first point, "LINUX client".
Below is an example where only critical alerts and emergencies messages are sent to the server.

Cisco_device#configure terminal
Cisco_device(config)#logging trap critical

logging trap local[0-7]
Sets the logging facility. Valid facilities are local0 through local7, default being local7..
It is interesting to notice that the logs will be sent with an unique facility. This is different from the linux or UNIX clients where the logs are sent with a lot of different facilities depending on which part of the system they are generated from. (see first point)
Below is an example where the Cisco device log messages are sent with a facility source of local5.

Cisco_device#configure terminal
Cisco_device(config)#logging facility local5

You can see the logging settings using the "show logging" command.
If you need more information on Cisco logging please visit the Cisco Website.

Top of the page

If you liked our tutorials, don't hesitate to support us and visit our sponsors!
Si vous aimez nos tutoriaux, n'hésitez pas à nous supporter et visiter nos sponsors!