Distributed Systems Administration Utilities User's Guide, Linux, March 2009

For a standalone system, the wizard first displays introductory paragraphs explaining log
consolidation and then asks:
Do you want to configure log consolidation? (y/n) [y]:
Answer yes (y) or press Enter. The next question is:
You can configure this system hostname as either a:
- Consolidation server
- Client that forwards logs to a remote consolidation server
Do you want to configure hostname as a Consolidation
Server? (y/n) [y]:
Answer yes (y). The wizard then prompts:
Enter the fully qualified directory where the consolidated
logs should be stored []:
It is typically best to select a dedicated filesystem for the consolidated logs. For this example, a
filesystem named “/clog” is used.
Next, the wizard prompts for the client’s transport:
You can choose to have the clients forward logs to this
consolidation server using either the UDP protocol or the TCP protocol (recommended).
Do you want to use the TCP protocol? (y/n) [y]:
Selecting TCP does not necessarily prevent clients from forwarding log messages over UDP.
Whether the log consolidator accepts TCP log messages exclusively depends on whether the
system is consolidating its own local syslog file. See below for details.
You need to choose a free port on this system for receiving logs. The port chosen
should be free on all cluster nodes.
Note: When configuring log consolidation on the clients,
this port will need to be specified.
Enter the TCP port to be used for receiving logs [1776]:
There is no reserved port for the TCP transport of syslog-ng. Any port that is not in use can
be chosen. HP recommends that the administrator choose a port from the reserved range, that
is, ports below 1024. Only privileged processes on a remote system can connect to privileged
ports. This provides only a weak security guarantee because it implies that the administrator
trusts the remote system. For stronger security guarantees, see the ssh discussion in the log
forwarding client section, “Manually Configuring a Standalone Log Forwarding Client”
(page 69).
The /etc/services file documents the well-known reserved ports. When a reserved port is
chosen, the wizard checks /etc/services and runs “netstat -an” to confirm that the port
is not in use.
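The following script reproduces the two checks the wizard performs on a candidate port. It is an added example, not part of the HP guide or the wizard's own code: the functions read a services file and saved “netstat -an” output from files, so they are shown here against constructed sample data and can be pointed at the real /etc/services and a live netstat capture on a consolidation server.

```shell
#!/bin/sh
# Added example (not from the HP guide): check a candidate TCP port the way the
# wizard does, against /etc/services and "netstat -an" output. Both checks read
# from files so they can be run against the constructed sample data below; on a
# real system use:
#   netstat -an > /tmp/netstat.out
#   check_port 1776 /etc/services /tmp/netstat.out

# Return 0 if PORT is assigned to a tcp or udp service in the services file.
port_in_services() {
    port=$1; services=$2
    # Strip comments, then look for "<name> <port>/tcp" or "<port>/udp" entries.
    sed 's/#.*//' "$services" | awk -v p="$port" '
        $2 ~ "^[0-9]+/(tcp|udp)$" { split($2, a, "/"); if (a[1] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if PORT appears as a local TCP endpoint in saved "netstat -an" output.
port_in_use() {
    port=$1; netstat_out=$2
    awk -v p="$port" '
        $1 ~ /^tcp/ {
            # Local address is column 4; the port is the text after the last ":"
            n = split($4, a, ":"); if (a[n] == p) found = 1
        }
        END { exit found ? 0 : 1 }' "$netstat_out"
}

# Combine both checks: print a verdict, return 0 only if the port is safe to use.
check_port() {
    port=$1; services=$2; netstat_out=$3
    if port_in_services "$port" "$services"; then
        echo "port $port is assigned in $services"; return 1
    fi
    if port_in_use "$port" "$netstat_out"; then
        echo "port $port is already in use"; return 1
    fi
    echo "port $port is free"; return 0
}

# Constructed sample data standing in for /etc/services and "netstat -an".
tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/services" <<'EOF'
# Sample /etc/services (constructed)
ssh             22/tcp
syslog          514/udp
shell           514/tcp     cmd    # remsh
EOF
cat > "$tmpdir/netstat" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1776            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*
EOF

# 514 is assigned (remsh), 1776 is listening, 1777 is free.
for p in 514 1776 1777; do
    check_port "$p" "$tmpdir/services" "$tmpdir/netstat" || :   # status 1 = not free
done
```

Note that the services check reports port 514 as assigned even when remsh is disabled; whether to reuse it anyway is the administrative decision the guide discusses below.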
Note that syslogd uses UDP port 514. TCP port 514 is reserved for use by remsh. remsh is not
a secure protocol and is disabled at many sites. If remsh has been disabled on the consolidator,
you could use TCP port 514. This has the advantage that it is a privileged port and it is the same
as the UDP port number so it is easy to remember and manage. However, if the administrator
changes the system to re-enable the use of remsh, syslog-ng would have to be reconfigured
to use a new port and all the client systems that forward to this system would have to be updated.
Unlike UDP, TCP is a connection-oriented protocol. Each log forwarding client using TCP will
have a connection to the log consolidation server. In order to avoid denial of service attacks, the
default number of TCP connections accepted by syslog-ng is limited to 10 connections. For
larger numbers of clients, edit the consolidation server's /etc/syslog-ng.conf.server file
on Red Hat or /etc/syslog-ng/syslog-ng.conf.server file on SLES. Find the TCP source
line in the file:
source s_syslog_tcp { tcp(port(tcp_port) keep-alive(yes));};
and add a max-connections attribute as follows:
3.3 Log Consolidation Configuration 51
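The script below is an added example, not part of the HP guide or of syslog-ng, showing one way to apply the max-connections edit described above to the consolidation server's configuration file. It assumes syslog-ng's max-connections() source option (taken from syslog-ng's own documentation, not from this page), uses the guide's default port 1776 in place of the tcp_port placeholder, and works on a constructed copy of syslog-ng.conf.server so it can be tried offline; the real file paths for Red Hat and SLES are the ones the guide gives.

```shell
#!/bin/sh
# Added example (not from the HP guide): raise the client connection limit on a
# log consolidation server by adding max-connections(N) to the s_syslog_tcp
# source line. On a live server run it as root against the real file:
#   set_max_connections /etc/syslog-ng.conf.server 50            # Red Hat
#   set_max_connections /etc/syslog-ng/syslog-ng.conf.server 50  # SLES

# Insert or update max-connections(N) inside the tcp(...) driver of the
# s_syslog_tcp source. Idempotent: running it again only replaces the number.
set_max_connections() {
    conf=$1; n=$2
    case $n in
        ''|*[!0-9]*) echo "max-connections must be a number" >&2; return 1 ;;
    esac
    cp "$conf" "$conf.bak"   # keep a backup before touching the live config
    if grep -q '^source s_syslog_tcp.*max-connections(' "$conf"; then
        subst="s/max-connections([0-9]*)/max-connections($n)/"
    else
        subst="s/keep-alive(yes)/keep-alive(yes) max-connections($n)/"
    fi
    # Only the s_syslog_tcp source line is edited; other lines are copied as-is.
    sed "/^source s_syslog_tcp/$subst" "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# Print the configured limit, or 10 (the default the guide states) when none is set.
get_max_connections() {
    v=$(sed -n '/^source s_syslog_tcp/s/.*max-connections(\([0-9]*\)).*/\1/p' "$1")
    echo "${v:-10}"
}

# Constructed copy of the relevant part of syslog-ng.conf.server.
tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT
conf="$tmpdir/syslog-ng.conf.server"
cat > "$conf" <<'EOF'
# Constructed excerpt; 1776 is the guide's default TCP port
source s_syslog_tcp { tcp(port(1776) keep-alive(yes));};
destination d_clog { file("/clog/$HOST/messages"); };
log { source(s_syslog_tcp); destination(d_clog); };
EOF

echo "before: $(get_max_connections "$conf")"   # 10 (default, nothing set)
set_max_connections "$conf" 50
echo "after:  $(get_max_connections "$conf")"   # 50
grep '^source s_syslog_tcp' "$conf"
```

After editing the live file, restart or reload syslog-ng so the new limit takes effect, and keep the limit close to the actual number of forwarding clients: the cap exists to bound the connections a remote host can hold open against the consolidator.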