Author: Brian Warshawsky
VIII. Thou shalt not lose system logs when a server dies
When that impending disaster finally hits and the machine falls dead, it can be handy to have a copy of the log files stored safely somewhere else. Then you can immediately review the logs to see what you’re dealing with without having to spend time trying to pull the logs off the server, or worse yet, rebuilding the server without knowing what caused it to crash. The functionality to do this is already built into the Linux kernel, and it is easy to implement.
The syslog daemon has several options you can specify. Among the most useful is the remote logging feature. To enable it on what will be your remote syslog server, go to
SYSLOGD_OPTIONS="-m 0"
and modify it so that it reads
SYSLOGD_OPTIONS="-m 0 -r"
Then you must find and modify the same line in
Once syslog restarts, your machine will be listening on port 514 for syslog messages from other hosts.
Now all you need to do is configure those hosts to broadcast their syslogs to the syslog server. To do so, open the
*.* @xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the IP address of the remote syslog server you just configured. Once you’ve done this, restart syslog and check the remote syslog server. There should be an entry at the bottom of its log telling you that syslog has started on the remote machine.
You can configure as many hosts as you want to communicate with the syslog server. The best part is that many devices, such as firewalls, wireless access points, printers, switches, and spam blockers, all allow for remote syslog. This technique lets you keep their log files in one central location.
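The following is an added example, not code from the article: it builds and parses the classic syslog lines that a host forwards to the central server described above, and it checks that a syslog.conf really contains a remote forwarding rule (a target without the leading `@` is a file path to syslogd, not a host). The host names, addresses and the sample configuration are constructed for the example.

```python
"""Added example (not the article's code): compose, parse and verify
RFC 3164 syslog messages as exchanged over UDP/514 by syslogd -r, and
check a syslog.conf for a remote forwarding rule.  Constructed sample
hosts: web01 (client) and 192.0.2.10 (central syslog server)."""
import re
import socket
from datetime import datetime

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. auth.info -> 38."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: returns (facility_name, severity_name)."""
    fac, sev = divmod(pri, 8)
    return FACILITY_NAMES.get(fac, f"unknown({fac})"), SEVERITY_NAMES[sev]


def rfc3164_timestamp(t: datetime) -> str:
    """'Mmm dd hh:mm:ss' with the day space-padded, as syslogd writes it."""
    return f"{t:%b} {t.day:2d} {t:%H:%M:%S}"


def build_message(facility, severity, hostname, tag, text, when=None):
    """Compose '<PRI>TIMESTAMP HOSTNAME TAG: MSG' as a forwarding syslogd would."""
    stamp = rfc3164_timestamp(when or datetime.now())
    return f"<{encode_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


_MSG_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL
)


def parse_message(raw: str) -> dict:
    """Split a received line into its fields; ValueError if it is not syslog."""
    m = _MSG_RE.match(raw)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {raw!r}")
    pri, stamp, host, rest = m.groups()
    facility, severity = decode_pri(int(pri))
    tag, sep, text = rest.partition(": ")
    if not sep:                      # no TAG present: whole remainder is the text
        tag, text = "", rest
    return {"facility": facility, "severity": severity, "timestamp": stamp,
            "host": host, "tag": tag, "text": text}


def forwarding_rules(conf_text: str) -> list:
    """Return (selector, host) for every '@host' action in a syslog.conf.
    An action written without '@' is a file path to syslogd, so it is skipped."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)      # selector, then action (tabs or spaces)
        if len(parts) == 2 and parts[1].startswith("@"):
            rules.append((parts[0], parts[1][1:]))
    return rules


def forwards_everything(conf_text: str, server: str) -> bool:
    """True if the config ships all facilities and priorities to `server`."""
    return ("*.*", server) in forwarding_rules(conf_text)


def send_udp(message: str, server: str, port: int = 514) -> None:
    """Ship one message the way syslogd -r expects it: plain UDP, no ack."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), (server, port))


if __name__ == "__main__":
    # Constructed sample: web01 reports an sshd event to the central server.
    conf = "# constructed syslog.conf\n*.*\t@192.0.2.10\nmail.*\t/var/log/maillog\n"
    msg = build_message("auth", "info", "web01", "sshd[1234]",
                        "Accepted publickey for alice from 198.51.100.7",
                        datetime(2024, 10, 5, 22, 14, 15))
    print(msg)
    print(parse_message(msg))
    print("forwards everything:", forwards_everything(conf, "192.0.2.10"))
```

Because the transport is unacknowledged UDP, the sending host cannot tell whether a message arrived, which is why the check the article suggests, looking for the startup entry at the bottom of the server's log, is the confirmation to rely on.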
The commandments so far:
I. Thou shalt make regular and complete backups
II. Thou shalt establish absolute trust in thy servers
III. Thou shalt be the first to know when something goes down
IV. Thou shalt keep server logs on everything
V. Thou shalt document complete and effective policies and procedures
VI. Thou shalt know what cable goes where
VII. Thou shalt use encryption for insecure services
VIII. Thou shalt not lose system logs when a server dies