Most operating systems include a syslog receiver, but some configuration steps may be required to turn it on. Consult the documentation for your operating system or management software for specific details of syslog receiver configuration.
Most Linux distributions include a bundled sysklogd(8) daemon that can act as a syslog receiver, but the remote receive capability is disabled by default. To enable Linux to receive syslog traffic, edit the /etc/sysconfig/syslog configuration file such that the -r option is included (enables remote logging):
SYSLOGD_OPTIONS="-r -m 0"
and then restart the logging service:
# /etc/init.d/syslog stop # /etc/init.d/syslog start
Some Linux distributions have an ipfilter packet filter that will reject syslog UDP packets by default, and the filter must be modified to permit them. On these distributions, use a command similar to the following to add an INPUT rule to accept syslog UDP packets:
# iptables -I INPUT 1 -p udp --sport 514 --dport 514 -j ACCEPT
By default, Linux syslogd records messages to /var/log/messages and a test alert would be recorded as follows:
Aug 12 22:03:15 192.168.1.105 poptart ak: SUNW-MSG-ID: AK-8000-LM, \ TYPE: alert, VER: 1, SEVERITY: Minor EVENT-TIME: Wed Aug 12 22:03:14 2009 \ PLATFORM: i86pc, CSN: 12345678, HOSTNAME: poptart SOURCE: jsui.3775, REV: 1.0 \ EVENT-ID: 9d40db07-8078-4b21-e64e-86e5cac90912 \ DESC: A test alert has been posted. AUTO-RESPONSE: None. IMPACT: None. \ REC-ACTION: None.