syslog server setup

I am trying to setup syslog server on SUSE Linux

I need ESXi logs to send logs to syslog server.

can you please assist me?
linuxpersonAsked:

Zephyr ICTCloud ArchitectCommented:
Hi,

What exactly would you like help with? The setup of Syslog on SUSE? If yes, please provide your SUSE version.
Or the syslog config on VMWare, if this is the case please check out this to get started.
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
A syslog server may not help your issue.

You would be better off relocating the logs on your ESXi server to a persistent datastore.

See my EE Article:

Part 11: HOW TO: Suppress Configuration Issues System logs on host are stored on non-persistent storage
linuxpersonAuthor Commented:
I would like to modify syslog-ng.conf on SUSE to get logs from my ESXi server. I have configured the ESXi server to send logs to a remote server, which is my SUSE Linux.
I want to use SUSE Linux syslog-ng.

Can you let me know how I would do this on SUSE Linux?
linuxpersonAuthor Commented:
I already did complete this part. I need help to configure syslog-ng on SUSE Linux.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2003322
Zephyr ICTCloud ArchitectCommented:
What exactly do you want to know about syslog-ng? Did you go through the Balabit manual for syslog-ng?
linuxpersonAuthor Commented:
Here is my current configuration of syslog. I want to know how to configure syslog so that I can receive ESXi logs here.

options { long_hostnames(off); sync(0); perm(0640); stats(3600); };

source src {
        #
        # include internal syslog-ng messages
        # note: the internal() source is required!
        #
        internal();

        #
        # the default log socket for local logging:
        #
        unix-dgram("/dev/log");

        #
        # uncomment to process log messages from network:
        #
        udp(ip("0.0.0.0") port(514));
};

filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };

filter f_console    { level(warn) and facility(kern) and not filter(f_iptables)
                      or level(err) and not facility(authpriv); };

filter f_newsnotice { level(notice) and facility(news); };
filter f_newscrit   { level(crit)   and facility(news); };
filter f_newserr    { level(err)    and facility(news); };
filter f_news       { facility(news); };

filter f_mailinfo   { level(info)      and facility(mail); };
filter f_mailwarn   { level(warn)      and facility(mail); };
filter f_mailerr    { level(err, crit) and facility(mail); };
filter f_mail       { facility(mail); };

filter f_cron       { facility(cron); };

filter f_local      { facility(local0, local1, local2, local3,
                               local4, local5, local6, local7); };

filter f_acpid_full { match('^acpid:'); };
filter f_acpid      { level(emerg..notice) and match('^acpid:'); };

filter f_acpid_old  { match('^\[acpid\]:'); };

filter f_netmgm     { match('^NetworkManager:'); };

filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_warn       { level(warn, err, crit) and not filter(f_iptables); };
filter f_alert      { level(alert); };

destination console  { pipe("/dev/tty10"    owner(-1) group(-1) perm(-1)); };
log { source(src); filter(f_console); destination(console); };

destination xconsole { pipe("/dev/xconsole" owner(-1) group(-1) perm(-1)); };
log { source(src); filter(f_console); destination(xconsole); };

destination newscrit   { file("/var/log/news/news.crit"
                              owner(news) group(news)); };
log { source(src); filter(f_newscrit); destination(newscrit); };

destination newserr    { file("/var/log/news/news.err"
                              owner(news) group(news)); };
log { source(src); filter(f_newserr); destination(newserr); };

destination newsnotice { file("/var/log/news/news.notice"
                              owner(news) group(news)); };
log { source(src); filter(f_newsnotice); destination(newsnotice); };

destination mailinfo { file("/var/log/mail.info"); };
log { source(src); filter(f_mailinfo); destination(mailinfo); };

destination mailwarn { file("/var/log/mail.warn"); };
log { source(src); filter(f_mailwarn); destination(mailwarn); };

destination mailerr  { file("/var/log/mail.err" fsync(yes)); };
log { source(src); filter(f_mailerr);  destination(mailerr); };

destination mail { file("/var/log/mail"); };
log { source(src); filter(f_mail); destination(mail); };


destination acpid { file("/var/log/acpid"); };
destination null { };
log { source(src); filter(f_acpid); destination(acpid); flags(final); };
log { source(src); filter(f_acpid_full); destination(null); flags(final); };
log { source(src); filter(f_acpid_old); destination(acpid); flags(final); };

destination netmgm { file("/var/log/NetworkManager"); };
log { source(src); filter(f_netmgm); destination(netmgm); flags(final); };

destination localmessages { file("/var/log/localmessages"); };
log { source(src); filter(f_local); destination(localmessages); };

destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

destination firewall { file("/var/log/firewall"); };
log { source(src); filter(f_iptables); destination(firewall); };

destination warn { file("/var/log/warn" fsync(yes)); };
log { source(src); filter(f_warn); destination(warn); };
linuxpersonAuthor Commented:
Shutting down syslog services                                                                                                                     done
Starting syslog servicessyntax error at 74
\startproc:  exit status of parent of /sbin/syslog-ng: 1
                                                                                                                                                  failed


 45 source src_vs06 {
 46         #
 47         # include internal syslog-ng messages
 48         # note: the internal() source is required!
 49         #
 50         #internal();
 51
 52         #
 53         # the default log socket for local logging:
 54         #
 55         #unix-dgram("/dev/log");
 56
 57         #
 58         # uncomment to process log messages from network:
 59         #
 60         udp(ip("ip_of_esxi_server") port(514));
 61 };
 62
 63
 64 destination d_vs06
 65 {
 66   file("/var/log/$HOST/$YEAR/$MONTH/$DAY/$FACILITY.log" \
 67     owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
 68
 69   # This separates by severity too.
 70   # file("/var/log/$HOST/$YEAR/$MONTH/$DAY/$FACILITY-$PRIORITY.log" \
 71   #   owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes));
 72 };
 73
 74 log { source(src_vs06); desitnation(d_vs06); }
Zephyr ICTCloud ArchitectCommented:
Try it like this:

log { source(src_vs06); desitnation(d_vs06); };

Missing a ; at the end I think.
linuxpersonAuthor Commented:
Same issue.

What is source here?

Shutting down syslog services                                                                                                                     done
Starting syslog servicessyntax error at 74
\startproc:  exit status of parent of /sbin/syslog-ng: 1
                                                                                                                                                  failed
linuxpersonAuthor Commented:
I've tried this based on https://www.novell.com/coolsolutions/feature/18044.html

I am getting error at line 66.

Shutting down syslog services                                                                                                                     done
Starting syslog servicessyntax error at 66
startproc:  exit status of parent of /sbin/syslog-ng: 1
                                                                                                                                                  failed




 45 source src {
 46         #
 47         # include internal syslog-ng messages
 48         # note: the internal() source is required!
 49         #
 50         internal();
 51
 52         #
 53         # the default log socket for local logging:
 54         #
 55         unix-dgram("/dev/log");
 56
 57         #
 58         # uncomment to process log messages from network:
 59         #
 60         udp(ip("0.0.0.0") port(514));
 61 };
 62
 63 # this is for separating out network hosts into individual log files.
 64 destination std {
 65         file ("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
 66                 owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(y\es)
 67         );
 68 };
 69
 70 log {
 71         source(src);
 72         destination(std);
 73 };
linuxpersonAuthor Commented:
I removed the \ between "y" and "es":

dirs(y\es)

I am restarting the service now. I am still not receiving any logs from ESXi.
Zephyr ICTCloud ArchitectCommented:
Is there a firewall running on the syslog server? Try to telnet from another client to the UDP port of the syslog server to see if you can access it... Does it work for other apps, or are there none?
linuxpersonAuthor Commented:
destination std {
        file ("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
                owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)
        );
};


I am getting an IP address folder under /var/log/2015-13/

How do I get the hostname instead of the IP address?
linuxpersonAuthor Commented:
It was a DNS issue.

I fixed the DNS.

Thanks everyone.
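Putting the thread's pieces together, here is an added example (not posted by anyone in the thread) of a syslog-ng configuration that receives ESXi logs over UDP/514 and files them per host and facility. It assumes the syslog-ng 2.x/3.x syntax the poster's SUSE file uses, and a constructed ESXi management subnet of 192.0.2.0/24; the source, filter and destination names are chosen for this example.

```conf
# Added example, not from the thread. Assumes syslog-ng 2.x/3.x syntax;
# 192.0.2.0/24 is a constructed subnet standing in for the ESXi network.

options {
    long_hostnames(off);
    use_dns(no);          # no reverse lookup per datagram (no DNS stall)
    keep_hostname(yes);   # $HOST = hostname written into the message by ESXi
    create_dirs(yes);     # create the per-host directories on first write
    dir_perm(0700);
    perm(0600);
};

# Local messages stay on their own pipeline; the network listener is kept
# separate so ESXi logs never end up mixed into /var/log/messages.
source s_local {
    internal();
    unix-dgram("/dev/log");
};

# ip() in a udp() source is the LOCAL address to bind, not the sender's:
# udp(ip("ip_of_esxi_server")) tries to bind a foreign address and fails.
source s_esxi {
    udp(ip("0.0.0.0") port(514));
};

# UDP syslog carries no authentication, so restrict the listener to the
# subnet the ESXi hosts sit on; a host firewall rule should back this up.
filter f_esxi_net { netmask("192.0.2.0/24"); };

# No backslash line continuation: syslog-ng is whitespace-insensitive, and
# a stray "\" inside the file() block is what produced the earlier errors.
destination d_esxi {
    file("/var/log/HOSTS/$YEAR-$MONTH/$HOST/$FACILITY-$YEAR-$MONTH-$DAY"
         owner(root) group(root));
};

# flags(final) stops ESXi messages from falling through to later log paths.
log { source(s_esxi); filter(f_esxi_net); destination(d_esxi); flags(final); };
```

With keep_hostname(yes) the $HOST directory is whatever name the sender puts in the message, so a misconfigured or rogue sender can write into another host's directory; if you need the name resolved by your own DNS instead, keep use_dns(yes) with working PTR records, which is why $HOST fell back to the IP address in the thread until DNS was fixed.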

linuxpersonAuthor Commented:
Found the answer myself.