Home Linux Community Community Blogs General Linux Centralized logging with syslong-ng over stunnel

Centralized logging with syslong-ng over stunnel

Installing syslog-ng and stunnel

Login to the client and the server, download syslog-ng and stunnel and install them:

[root@host]# yum install -y openssl-devel glibc gcc glib2
[root@host]# wget
[root@host]# lynx
[root@host]# mkdir -p /usr/local/var/run/stunnel/
[root@host]# cd /usr/src
[root@host]# tar zxfv stunnel-4.26.tar.gz
[root@host]# cd stunnel-4.26
[root@host]# ./configure
[root@host]# make
[root@host]# make install
[root@host]# cd /usr/src/SYSLOG-NG
[root@host]# rpm -Uvh libdbi8-0.8.2bb2-3.rhel5.i386.rpm libdbi8-dev-0.8.2bb2-3.rhel5.i386.rpm libevtlog0-0.2.8-1.i386.rpm syslog-ng-2.1.3-1.i386.rpm

Creating the certificates

After the installation is complete login to your CA server and create the server and the client certificate. If you have more than one client that will log to the server you have to generate new client certificate:

[root@host]# cd /etc/pki/tls/certs
[root@host]# make syslog-ng-server.pem
[root@host]# make syslog-ng-client.pem

Place copies of syslog-ng-server.pem on all machines in /etc/stunnel with one important alteration. The clients only need the certificate section of syslog-ng-server.pem. In other words, remove the private key section from syslog-ng-server.pem on all clients.
Place every client's syslog-ng-client.pem in /etc/stunnel. For server, create a special syslog-ng-client.pem containing the certificate sections for all clients and place in /etc/stunnel. In other words, remove the private key sections from all syslog-ng-client.pem files and concatenate what is left to create server's special syslog-ng-client.pem.

note:It is very important that you put the server's short name when you're asked about the Common Name !

Creating the configuration files

Create the stunnel.conf configuration file in /etc/stunnel on the client:

[root@host]# vi /etc/stunnel/stunnel.conf

#foreground = yes
#debug = 7
client = yes
cert = /etc/stunnel/syslog-ng-client.pem
CAfile = /etc/stunnel/syslog-ng-server.pem
verify = 3
accept =
connect =

For syslog-ng.conf you can start with:

[root@host]# vi /etc/syslog-ng/syslog-ng.conf

options {long_hostnames(off);
source src {unix-stream("/dev/log"); pipe("/proc/kmsg"); internal();};
destination dest {file("/var/log/messages");};
destination stunnel {tcp("" port(514));};
log {source(src);destination(dest);};
log {source(src);destination(stunnel);};

Similarly stunnel.conf on the server can look like this:

[root@host]# vi /etc/stunnel/stunnel.conf

#foreground = yes
debug = 7
cert = /etc/stunnel/syslog-ng-server.pem
CAfile = /etc/stunnel/syslog-ng-client.pem
verify = 3
accept =
connect =

An example of syslog-ng.conf on the server:

[root@host]# vi /etc/syslog-ng/syslog-ng.conf

options { long_hostnames(off); sync(0); keep_hostname(yes); chain_hostnames(no); };
source src {unix-stream("/dev/log"); pipe("/proc/kmsg"); internal();};
source stunnel {tcp(ip("") port(514) max-connections(500));};
destination remoteclient {file("/var/backup/CentralizedLogging/remoteclients");};
destination dest {file("/var/log/messages");};
log {source(src); destination(dest);};
log {source(stunnel); destination(remoteclient);};

Starting syslog-ng and stunnel

Make sure syslog-ng is not running (it automatically start once you install it from the rpm's)

[root@host]# killall syslog-ng

Start syslong-ng BEFORE stunnel by running:

[root@host]# syslog-ng -f /etc/syslog-ng/syslog-ng.conf

Make sure it's running by checking the logs:

[root@host]# tail -f /var/log/messages

Start stunnel by running:

[root@host]# stunnel /etc/stunnel/stunnel.conf

Make sure stunnel is running by checking the logs:

[root@host]# tail -f /var/log/messages

If stunnel is not running you can uncomment the debug line in the stunnel.conf file, start stunnel again and check the logs for detailed description of the problem.

Final steps

Restart stunnel on the server for it to re-read the certificates file and accept the newly added clients:

[root@host]# killall stunnel stunnel /etc/stunnel/stunnel.conf

Make sure syslog-ng does not start (on client) through the init process:

[root@host]# chkconfig --level 2345 syslog-ng off

Edit /etc/rc.d/rc.local (on client) and add syslog-ng and stunnel:

[root@host]# vi /etc/rc.d/rc.local

echo "Starting syslog-ng ..."
syslog-ng -f /etc/syslog-ng/syslog-ng.conf
echo "Starting stunnel ..."
stunnel /etc/stunnel/stunnel.conf

To test the remote logging run on the client:

[root@host]# logger "Testing remote logging"

The message should appear on bu3 in /var/backup/CentralizedLogging/remoteclients

One alternative to syslog-ng is Splunk. You can always use Splunk along syslog-ng for indexing purpose



Subscribe to Comments Feed

Upcoming Linux Foundation Courses

  1. LFD320 Linux Kernel Internals and Debugging
    16 Mar » 20 Mar - Atlanta - GA
  2. LFS220 Linux System Administration
    16 Mar » 19 Mar - Chicago +VIRTUAL
  3. LFS426 Linux Performance Tuning
    16 Mar » 19 Mar - Virtual

View All Upcoming Courses

Who we are ?

The Linux Foundation is a non-profit consortium dedicated to the growth of Linux.

More About the foundation...

Frequent Questions

Join / Linux Training / Board