Edit the rsyslog.conf file to allow the submission of system logs from clients.
Use your favorite editor to make the following changes to the rsyslog.conf file (I prefer vim):
sudo vim /etc/rsyslog.conf
Uncomment the following lines:
$ModLoad imudp
$UDPServerRun 514
At the bottom of the file include the following entry:
$template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
Change the permissions of the /var/log directory to give syslog the ability to create/change sub-directories and files.
cd /var && sudo chown syslog:syslog log
Save the changes made to the rsyslog.conf file and restart the rsyslog service.
sudo service rsyslog restart
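The following check is an added example, not part of the original tutorial: it lints a config file for the server-side edits described above and for typographic quotes that a copy from a web page can introduce. The function name check_rsyslog_conf and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an rsyslog.conf for the server-side edits in this guide.
# check_rsyslog_conf is a hypothetical helper name, not an rsyslog tool.

# Print one line per problem found in file "$1"; return non-zero if any.
check_rsyslog_conf() {
    conf=$1
    rc=0
    # The UDP input module must be loaded by an active (uncommented) line.
    grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imudp([[:space:]]|$)' "$conf" ||
        { echo "imudp is not loaded (line still commented?)"; rc=1; }
    # The listener must be enabled on UDP port 514.
    grep -Eq '^[[:space:]]*\$UDPServerRun[[:space:]]+514([[:space:]]|$)' "$conf" ||
        { echo "UDP listener on port 514 is not enabled"; rc=1; }
    # The per-host template must sit on one line with ASCII double quotes.
    grep -Eq '^[[:space:]]*\$template[[:space:]]+TmplAuth,[[:space:]]*"/var/log/%HOSTNAME%/%PROGRAMNAME%\.log"' "$conf" ||
        { echo "TmplAuth template missing, split across lines, or misquoted"; rc=1; }
    # Curly quotes are not string delimiters for rsyslog; match each one
    # as a fixed string so the check works in any locale.
    if grep -Fq -e '“' -e '”' "$conf"; then
        echo "typographic quotes found; use plain ASCII double quotes"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: a config with the listener still commented out and the
# template pasted with curly quotes on a second line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
$ModLoad imudp
#$UDPServerRun 514
$template TmplAuth,
“/var/log/%HOSTNAME%/%PROGRAMNAME%.log”
EOF

echo "Problems in the constructed sample:"
check_rsyslog_conf "$sample" || echo "=> fix the items above, then restart rsyslog"
rm -f "$sample"
```

To check the live file, call check_rsyslog_conf /etc/rsyslog.conf before restarting the service. Running rsyslogd -N1 additionally performs rsyslog's own configuration check.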
For all *nix-based clients you will need to edit the rsyslog.conf file or syslog.conf file and add the following line (x.x.x.x being the IP address of your syslog server):
Ubuntu/Debian: sudo vim /etc/rsyslog.conf
CentOS/Fedora/RHEL: sudo vim /etc/syslog.conf
FreeBSD/BSD variants: sudo vim /etc/syslog.conf
Uncomment the following line:
Ubuntu/Debian: sudo service rsyslog restart
CentOS/Fedora/RHEL: sudo /etc/init.d/syslog restart
FreeBSD/BSD variants: sudo /etc/rc.d/syslog restart
On your Syslog server check the “/var/log” directory to see if client log directories have been created.
cd /var/log && ls
Unfortunately, Windows-based systems do not natively play nice with Syslog servers. However, you can install an agent-based service called “Snare” to manage and export log files to your Syslog server.
SNARE: http://sourceforge.net/projects/snare/
SNARE installation and configuration: http://winsrvtuts.com/2011/12/configure-windows-for-syslog-using-snare/