Most operating systems include a syslog receiver, but some configuration steps may be required to turn it on. Some examples for common operating systems are shown below. Consult the documentation for your operating system or management software for specific details of syslog receiver configuration.
Solaris includes a bundled syslogd(1M) that can act as a syslog receiver, but the remote receive capability is disabled by default. To enable Solaris to receive syslog traffic, use svccfg and svcadm to modify the syslog settings as follows:
# svccfg -s system/system-log setprop config/log_from_remote = true
# svcadm refresh system/system-log
Solaris syslogd only understands the Classic Syslog protocol. Refer to the Solaris syslog.conf(4) man page for information on how to configure filtering and logging of the received messages.
By default, Solaris syslogd records messages to /var/adm/messages, and a test alert would be recorded as the following single line (wrapped here with backslashes for readability; the literal \n sequences are how Solaris syslogd writes the newlines embedded in the message):
Aug 14 21:34:22 poptart.sf.fishpong.com poptart ak: SUNW-MSG-ID: AK-8000-LM, \
TYPE: alert, VER: 1, SEVERITY: Minor\nEVENT-TIME: Fri Aug 14 21:34:22 2009\n\
PLATFORM: i86pc, CSN: 12345678, HOSTNAME: poptart\n\
SOURCE: jsui.359, REV: 1.0\n\
EVENT-ID: 92dfeb39-6e15-e2d5-a7d9-dc3e221becea\n\
DESC: A test alert has been posted.\n\
AUTO-RESPONSE: None.\nIMPACT: None.\nREC-ACTION: None.
Most Linux distributions include a bundled sysklogd(8) daemon that can act as a syslog receiver, but the remote receive capability is disabled by default. To enable Linux to receive syslog traffic, edit the /etc/sysconfig/syslog configuration file such that the -r option is included (enables remote logging):
SYSLOGD_OPTIONS="-r -m 0"
and then restart the logging service:
# /etc/init.d/syslog stop
# /etc/init.d/syslog start
Some Linux distributions have an ipfilter packet filter that will reject syslog UDP packets by default, and the filter must be modified to permit them. On these distributions, use a command similar to the following to add an INPUT rule to accept syslog UDP packets:
# iptables -I INPUT 1 -p udp --sport 514 --dport 514 -j ACCEPT
By default, Linux syslogd records messages to /var/log/messages, and a test alert would be recorded as the following single line (wrapped here with backslashes for readability):
Aug 12 22:03:15 192.168.1.105 poptart ak: SUNW-MSG-ID: AK-8000-LM, \
TYPE: alert, VER: 1, SEVERITY: Minor EVENT-TIME: Wed Aug 12 22:03:14 2009 \
PLATFORM: i86pc, CSN: 12345678, HOSTNAME: poptart SOURCE: jsui.3775, REV: 1.0 \
EVENT-ID: 9d40db07-8078-4b21-e64e-86e5cac90912 \
DESC: A test alert has been posted. AUTO-RESPONSE: None. IMPACT: None. \
REC-ACTION: None.
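Once the receiver is recording these lines, the next step is usually to pull the alert fields (SUNW-MSG-ID, SEVERITY, EVENT-ID, DESC) out of the log for routing or correlation. The following parser is an added example, not code from the page or from the appliance software; it handles both record shapes shown above (the Solaris form with literal \n separators and the Linux form with plain spaces). The header layout (sender as recorded by the receiver, then the appliance name and the "ak:" tag) and the "KEY: value" field syntax are assumptions inferred from the two sample lines.

```python
import re
from typing import Optional

# Constructed sample records reproducing the two examples above, each on a
# single line as the receiver would write it. Solaris syslogd stores the
# message's embedded newlines as a literal backslash-n.
SOLARIS_LINE = (
    "Aug 14 21:34:22 poptart.sf.fishpong.com poptart ak: SUNW-MSG-ID: AK-8000-LM, "
    "TYPE: alert, VER: 1, SEVERITY: Minor\\nEVENT-TIME: Fri Aug 14 21:34:22 2009\\n"
    "PLATFORM: i86pc, CSN: 12345678, HOSTNAME: poptart\\nSOURCE: jsui.359, REV: 1.0\\n"
    "EVENT-ID: 92dfeb39-6e15-e2d5-a7d9-dc3e221becea\\nDESC: A test alert has been posted.\\n"
    "AUTO-RESPONSE: None.\\nIMPACT: None.\\nREC-ACTION: None."
)
LINUX_LINE = (
    "Aug 12 22:03:15 192.168.1.105 poptart ak: SUNW-MSG-ID: AK-8000-LM, TYPE: alert, "
    "VER: 1, SEVERITY: Minor EVENT-TIME: Wed Aug 12 22:03:14 2009 PLATFORM: i86pc, "
    "CSN: 12345678, HOSTNAME: poptart SOURCE: jsui.3775, REV: 1.0 "
    "EVENT-ID: 9d40db07-8078-4b21-e64e-86e5cac90912 DESC: A test alert has been posted. "
    "AUTO-RESPONSE: None. IMPACT: None. REC-ACTION: None."
)

# Assumed header layout (Classic Syslog as written by the receiver): timestamp,
# the sender as the receiver recorded it (name or address), the appliance's
# own host name, then the fixed "ak:" tag introducing an appliance alert.
HEADER_RE = re.compile(
    r"^(?P<received>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<sender>\S+) (?P<appliance>\S+) ak: (?P<body>.+)$"
)
# Alert body is a series of "KEY: value" pairs; a value runs until the next
# KEY, which follows ", " on the same line or a newline the receiver flattened.
FIELD_RE = re.compile(r"([A-Z][A-Z-]+): (.*?)(?=,? [A-Z][A-Z-]+: |$)")


def parse_alert(line: str) -> Optional[dict]:
    """Return header and alert fields for one recorded line, or None when the
    line is not an appliance alert (e.g. an unrelated syslog record)."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if m is None or not m.group("body").startswith("SUNW-MSG-ID: "):
        return None
    alert = {k: m.group(k) for k in ("received", "sender", "appliance")}
    body = m.group("body").replace("\\n", " ")  # normalise Solaris escaping
    for key, value in FIELD_RE.findall(body):
        alert[key] = value.strip()
    return alert
```

Feeding the whole of /var/adm/messages or /var/log/messages through parse_alert and keeping the non-None results yields one dictionary per alert, keyed by the same field names the appliance uses, with EVENT-ID available for de-duplicating an event that reached more than one receiver.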