19.3 Remote Logging

The /etc/syslog.conf file accepts an action that sends messages to another Linux or UNIX system for logging; this feature is why the host name is included in every logged message. To use it, give an action of an at-sign "@" followed by the remote system's host name, thusly:

 
 *.warn;authpriv.notice;auth.notice   @secure.pentacorp.com 
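To make the line above concrete, here is an added example (not code from the book) that splits a /etc/syslog.conf line into its selectors and action, decides which facility/severity pairs the selectors cover, and builds the datagram that syslogd ships to the "@" host. The facility and severity codes are the standard BSD syslog (RFC 3164) values; the host names, tag and fixed timestamp in the demo are constructed.

```python
# Added example, not from the book: pick apart a /etc/syslog.conf line such as
# the one above and build the datagram syslogd would send for a matching
# message.  Facility and severity codes follow RFC 3164 (the BSD syslog
# format); the timestamp and host names used in the demo are constructed.
from datetime import datetime

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# Lower number = more severe.  A level in a selector means "this and worse".
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
    "notice": 5, "info": 6, "debug": 7,
    # aliases accepted in syslog.conf
    "panic": 0, "error": 3, "warn": 4,
}

# Constructed fixed timestamp so the demo output is reproducible.
EXAMPLE_TIME = datetime(2002, 1, 1, 12, 0, 0)


def parse_conf_line(line):
    """Split 'sel1;sel2<whitespace>action' into ([(facility, level), ...], action)."""
    selector_text, action = line.split(None, 1)
    selectors = [tuple(sel.split(".", 1)) for sel in selector_text.split(";")]
    return selectors, action.strip()


def is_remote_action(action):
    """An action of '@host' ships the message to that host's syslogd over UDP 514."""
    return action.startswith("@")


def selector_matches(selectors, facility, severity):
    """Resolve selectors left to right the way sysklogd does: each selector sets
    the threshold for the facilities it names (later entries override earlier
    ones for the same facility) and 'none' switches a facility off."""
    threshold = None
    for fac, level in selectors:
        if fac not in ("*", facility):
            continue
        if level == "none":
            threshold = None
        elif level == "*":
            threshold = SEVERITIES["debug"]
        else:
            threshold = SEVERITIES[level]
    return threshold is not None and SEVERITIES[severity] <= threshold


def format_rfc3164(facility, severity, hostname, tag, text, when=None):
    """Build '<PRI>Mmm dd hh:mm:ss host tag: text' with PRI = facility*8 + severity.
    The sending host's name travels inside the datagram, which is why the
    receiving system's log shows which machine each line came from."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded
    return f"<{pri}>{stamp} {hostname} {tag}: {text}"


if __name__ == "__main__":
    selectors, action = parse_conf_line(
        "*.warn;authpriv.notice;auth.notice   @secure.pentacorp.com")
    for fac, sev in [("kern", "crit"), ("auth", "notice"), ("mail", "info")]:
        sent = selector_matches(selectors, fac, sev) and is_remote_action(action)
        print(f"{fac}.{sev}: {'forwarded to ' + action[1:] if sent else 'stays local'}")
    print(format_rfc3164("auth", "notice", "web1", "sshd[123]",
                         "Accepted password for alice", EXAMPLE_TIME))
```

Running it shows that kern.crit and auth.notice are forwarded to secure.pentacorp.com while mail.info stays local, and that an auth.notice line leaves the host as `<37>Jan  1 12:00:00 web1 sshd[123]: ...`, with the sending host name embedded in the datagram.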

In order for this to work, the destination system that is to receive the messages must allow it: the syslogd daemon on that system (secure.pentacorp.com in this example) must have been invoked with the -r flag. Without the -r flag, syslogd silently discards the messages, which guards against a Denial of Service attack in which someone fills up its disk with bogus messages. (ipchains or a firewall should be used to block UDP port 514 from unauthorized hosts to protect against this attack.) Your /etc/services file will need to list UDP port 514 as the port for the syslog service, but this is the default in any Linux distribution.

If you want to extend this so that system X sends messages to system Y and Y sends messages from both X and itself to Z, the syslogd daemon on Y must have both the -r and -h flags; the -h flag allows forwarding of remote messages. Of course, you will need to restart the syslogd daemons after altering the /etc/syslog.conf files or the invocation flags, typically via
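The -r and -h rules above, together with the advice to block UDP port 514 from unauthorized hosts, are easy to get wrong in a chain of hosts. The following added example (not the book's code, and not syslogd's own implementation) models the X -> Y -> Z arrangement so you can see which hosts end up with a copy of a message under each combination of flags. Host names x, y and z, the allow-list on Z, and the hop limit are all constructed for the model.

```python
# Added example, not from the book: a small model of how a receiving syslogd's
# -r and -h flags, plus a packet filter on UDP 514, decide what happens to a
# message.  Host names x, y, z and the allow-list are constructed; the hop limit
# is an assumption of this model, not a syslogd feature described on the page.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Syslogd:
    host: str
    accept_remote: bool = False          # started with -r
    forward_remote: bool = False         # started with -h
    forward_to: Optional[str] = None     # host named by an '@host' action in syslog.conf
    # Stands in for the ipchains/firewall rule: hosts allowed to reach UDP 514.
    # An empty set means "no filter".
    allowed_senders: set = field(default_factory=set)
    logged: list = field(default_factory=list)


def deliver(daemons, sender, receiver, message, hop=0):
    """Give `message` from `sender` to the syslogd on `receiver` and return the
    hosts that ended up writing it to their logs, in order."""
    d = daemons[receiver]
    local = sender == d.host
    if not local:
        if d.allowed_senders and sender not in d.allowed_senders:
            return []                    # dropped by the packet filter before syslogd sees it
        if not d.accept_remote:
            return []                    # no -r: the message is silently discarded
    d.logged.append((sender, message))
    logged_at = [d.host]
    # Local messages always follow the '@host' action; messages that arrived
    # from another host are passed on only when -h was given.
    if d.forward_to and (local or d.forward_remote) and hop < 8:
        logged_at += deliver(daemons, d.host, d.forward_to, message, hop + 1)
    return logged_at


def build_chain(y_accepts_remote, y_forwards_remote):
    """X -> Y -> Z from the text, with Y's -r/-h flags as parameters.  Z is
    configured to accept only from Y, like a firewall rule on UDP 514."""
    return {
        "x": Syslogd("x", forward_to="y"),
        "y": Syslogd("y", accept_remote=y_accepts_remote,
                     forward_remote=y_forwards_remote, forward_to="z"),
        "z": Syslogd("z", accept_remote=True, allowed_senders={"y"}),
    }


def where_logged(y_accepts_remote, y_forwards_remote, origin="x"):
    """Hosts that log a message generated on `origin` under the given Y flags."""
    daemons = build_chain(y_accepts_remote, y_forwards_remote)
    return deliver(daemons, origin, origin, "kernel: constructed test message")


if __name__ == "__main__":
    for flags in [(False, False), (True, False), (True, True)]:
        print(f"Y started with -r={flags[0]} -h={flags[1]}: "
              f"message from X logged on {where_logged(*flags)}")
    print("Y's own messages:", where_logged(True, False, origin="y"))
    print("X straight to Z:", deliver(build_chain(True, True), "x", "z", "m"))
```

The three runs show the point of the paragraph: with neither flag, X's message is logged only on X; with -r alone it reaches Y but goes no further; only with both -r and -h does it arrive on Z. Y's own messages still reach Z without -h, and a message sent from X straight to Z is dropped because Z's filter only admits Y.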

 
 /etc/rc.d/init.d/syslog restart 

       
    Top


    Real World Linux Security (Prentice Hall PTR Open Source Technology Series)
    Year: 2002
    Pages: 260

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net