In this page I describe how to install an additional Syslog server on a router
(Asus RT-AC56U). We use an Entware package, so please refer to this page on how
to install Entware on a router.
Let's start with the assumption that there are some network devices, such as VOIP
phones, that do not have an internal LOG, but rely on a remote Syslog server. On
a router such as the Asus RT-AC56U, an additional Syslog server can be installed
so that it can be used with any network device. Note that we install an
additional "syslog", as we do not touch the router's "syslog" server. So we will
use the Entware package called "syslog-ng".
In order to install the "syslog-ng" daemon with the
Entware packages, we need to execute the following command:

    opkg install syslog-ng

The above-mentioned package contains several files; the most important are the
"/opt/sbin/syslog-ng" daemon, the "/opt/etc/syslog-ng.conf" configuration file
and the start/stop script "/opt/etc/init.d/S01syslog-ng". We create a backup
copy of the configuration file "/opt/etc/syslog-ng.conf".
The following is the sample content of the above-mentioned configuration file "/opt/etc/syslog-ng.conf":

    @version:3.9

    options {
        chain_hostnames(no);
        create_dirs(yes);
        flush_lines(0);
        keep_hostname(yes);
        log_fifo_size(256);
        log_msg_size(1024);
        stats_freq(0);
        flush_lines(0);
        use_fqdn(no);
    };

    source src { internal(); unix-dgram("/dev/log"); };
    source net { udp(ip(0.0.0.0) port(514)); };
    source kernel { file("/proc/kmsg" program_override("kernel")); };

    destination messages { file("/opt/var/log/messages"); };

    log { source(src); source(net); source(kernel); destination(messages); };

    # put any customization files in this directory
    @include "/opt/etc/syslog-ng.d/"

Please refer to this page for further details about the configuration file "syslog-ng.conf". The above example is mostly used to replace the router's "syslog" daemon, while we need an additional "syslog", without having to touch the router's native "syslog". Therefore we will create another configuration file.
The following is another "syslog-ng.conf" configuration file that lets us have a remote LOG server for a Cisco managed switch.

    @version:3.9

    options {
        chain_hostnames(no);
        create_dirs(yes);
        flush_lines(0);
        keep_hostname(yes);
        log_fifo_size(256);
        log_msg_size(1024);
        stats_freq(0);
        flush_lines(0);
        use_fqdn(no);
        ## additional options
        dir-owner(nobody);
        dir-group(nobody);
        owner(nobody);
        group(nobody);
        perm(0666);
        keep-timestamp(yes);
        time-zone("Europe/Rome");
    };

    source src_cisco { udp(ip(0.0.0.0) port(25000)); };
    destination log_cisco { file("/opt/var/log/cisco.log"); };
    log { source(src_cisco); destination(log_cisco); };

    # put any customization files in this directory
    @include "/opt/etc/syslog-ng.d/"

In the above-mentioned configuration file we have passed parameters to the "syslog-ng" daemon so that it listens on a router port and writes everything that arrives on that port to a LOG file. Specifically we have:
Inside section "options" the additional options dedicated to the "syslog-ng" daemon are included, specifically:
In the above configuration file, the identifiers "src_cisco" and "log_cisco" are unique and must be used for a single sending device. Obviously we can manage multiple sending devices, using multiple identifiers, as in the following sample configuration file in which we have included, in addition to the identifiers for the above-mentioned Cisco switch, also the identifiers for two VOIP phones:

    @version:3.9

    options {
        chain_hostnames(no);
        create_dirs(yes);
        flush_lines(0);
        keep_hostname(yes);
        log_fifo_size(256);
        log_msg_size(1024);
        stats_freq(0);
        flush_lines(0);
        use_fqdn(no);
        ## additional options
        dir-owner(nobody);
        dir-group(nobody);
        owner(nobody);
        group(nobody);
        perm(0666);
        keep-timestamp(yes);
        time-zone("Europe/Rome");
    };

    source src_cisco { udp(ip(0.0.0.0) port(25000)); };
    destination log_cisco { file("/opt/var/log/cisco.log"); };
    log { source(src_cisco); destination(log_cisco); };

    source src_voip1 { udp(ip(0.0.0.0) port(25005)); };
    destination log_voip1 { file("/opt/var/log/voip1.log"); };
    log { source(src_voip1); destination(log_voip1); };

    source src_voip2 { udp(ip(0.0.0.0) port(25010)); };
    destination log_voip2 { file("/opt/var/log/voip2.log"); };
    log { source(src_voip2); destination(log_voip2); };

    # put any customization files in this directory
    @include "/opt/etc/syslog-ng.d/"

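A pre-start check for the configuration files above, added here as an example and not part of the original page: it flags UDP sources bound to 0.0.0.0, a port shared by two sources, and a perm() value that leaves the log files world-writable, as perm(0666) does. The function name, the finding labels and the constructed sample are assumptions.

```sh
#!/bin/sh
# Added example: static check of a syslog-ng configuration file.
# Prints one finding per line and nothing when no check fires.
audit_syslog_ng_conf() {
    conf="$1"
    # Drop comments and join lines so one-line and multi-line layouts parse alike.
    flat=$(sed 's/#.*//' "$conf" | tr '\n\t' '  ')

    # Every udp(ip(ADDR) port(N)) listener, rewritten as "ADDR N".
    listeners=$(printf '%s\n' "$flat" |
        grep -oE 'udp\( *ip\([^)]*\) *port\([0-9]+\) *\)' |
        sed -E 's/.*ip\("?([^")]*)"?\) *port\(([0-9]+)\).*/\1 \2/')

    # 0.0.0.0 binds every interface address of the router, not only the LAN one.
    printf '%s\n' "$listeners" | while read -r ip port; do
        if [ "$ip" = "0.0.0.0" ]; then
            echo "WILDCARD_BIND udp/$port listens on all interfaces"
        fi
    done

    # The page gives each sending device its own port; a reused port breaks that.
    printf '%s\n' "$listeners" | awk 'NF == 2 { print $2 }' | sort | uniq -d |
    while read -r port; do
        echo "DUPLICATE_PORT udp/$port is used by more than one source"
    done

    # A final octal digit with the write bit set (2, 3, 6, 7) lets any local
    # account rewrite the log; perm(0640) is owner read/write, group read-only.
    printf '%s\n' "$flat" | grep -oE 'perm\([0-7]+\)' | tr -d 'perm()' | sort -u |
    while read -r mode; do
        case "$mode" in
            *[2367]) echo "WORLD_WRITABLE perm($mode) lets any local user alter the log" ;;
        esac
    done
    return 0
}

# Constructed sample, modelled on the Cisco source above plus a clashing port.
sample=$(mktemp)
cat > "$sample" <<'EOF'
options { owner(nobody); group(nobody); perm(0666); };  # additional options
source src_cisco { udp(ip(0.0.0.0) port(25000)); };
source src_voip1 { udp(ip(0.0.0.0) port(25000)); };
EOF
audit_syslog_ng_conf "$sample"   # on the router: /opt/etc/syslog-ng.conf
rm -f "$sample"
```
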
To execute the "syslog-ng" daemon, just run the command "/opt/etc/init.d/S01syslog-ng start".
On network devices, simply go to the "syslog" tab, often called "Remote Log Servers" (or whatever), and set the IP address of the Router, where the "syslog-ng" daemon is installed, and the UDP port used in the configuration file of the "syslog-ng" daemon, inside the "source" section.
Keep in mind that the LOG file created by the "syslog-ng" daemon can reach a considerable size. For correct management of the LOG file, refer to the page "How to manage LOG files on a router" on this website, keeping in mind that the LOG file path is the one set in the "destination" section of the "syslog-ng" daemon configuration file.