In the process of building out my network intelligence system I need to have a central location to collect system and event logs on my network. Since my ReadyNAS has Linux under the hood I figured what better place (since it has plenty of space to store LOTS of logs). Here is what I did.
First, you need to have a ReadyNAS with OS6 on it. In my case I have one of the older ReadyNAS Pro 6 boxes, which officially supports only the older 4.x OS. But there is a very easy way to upgrade to OS6, and it has been very reliable for me. The downside is that it requires wiping out all data on your NAS and reformatting (Backup, Backup, BACKUP!). I believe it's well worth the hassle of backing up and restoring data to get this upgrade. It will void your warranty (or make it much more difficult to get through tech support), but Netgear appears to have been reasonably responsive in adding fixes for the unsupported legacy hardware. Once my NAS was converted, updates have been easy and automatic. Anyway, here is the info I followed to convert: ReadyNAS Forums
Now, to set up syslog (rsyslog) to receive incoming logs from your network, do the following:
- Log into your NAS and enable SSH
  - Go to System -> Settings -> Service -> SSH
- Create a new folder to store/share your logs
  - Go to Shares -> Choose a Volume (or create one)
  - Create a new Folder (call it logs?) and set permissions as you like
- Create a new group
  - Go to Accounts -> Groups -> New Group
  - Create a new Group (call it logs?) and set permissions as you like
- Go back to your new "logs" share folder and set permissions such that the "logs" group has read/write perms
  (These are very liberal permissions and basic groups/users; you can go much more restrictive, which I would recommend once you've got the basics working. Keep in mind that the collected logs will include auth/authpriv messages, i.e. usernames and login attempts from every host that sends to the NAS, so don't leave the share readable by everyone.)
- Now ssh to your ReadyNAS as root using the same password as your web-based admin account
- Install rsyslog
  - apt-get install rsyslog
- Configure rsyslog
  - vim.tiny /etc/rsyslog.conf
  If you don't know vim, go read up first; you need to know how to insert, delete, and save.
- Change the following lines:
Remove the # signs in front of these lines at the top (the first pair enables the UDP listener, the second the TCP listener, both on port 514 and on every interface; syslog over UDP has no authentication and source addresses can be spoofed, so only expose this on a trusted LAN, and consider limiting accepted sources with rsyslog's $AllowedSender directive):
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
Add the # sign to these lines:
#*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
#kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
#mail.* -/var/log/mail.log
#user.* -/var/log/user.log
#mail.info -/var/log/mail.info
#mail.warn -/var/log/mail.warn
#mail.err /var/log/mail.err
#news.crit /var/log/news/news.crit
#news.err /var/log/news/news.err
#news.notice -/var/log/news/news.notice
#*.=debug;\
# auth,authpriv.none;\
# news.none;mail.none -/var/log/debug
#*.=info;*.=notice;*.=warn;\
# auth,authpriv.none;\
# cron,daemon.none;\
# mail,news.none -/var/log/messages
And add these lines to the bottom:
$template RemoteLog,"/data/logs/%$YEAR%/%$MONTH%/%fromhost-ip%/syslog.log"
*.* ?RemoteLog
- Be sure to change the /data/logs part to match the volume and folder you created in step 2 above
- The template files each message by the IP address the datagram or connection actually came from (%fromhost-ip%), not by the hostname field inside the message (%HOSTNAME%), so a sender cannot choose its own directory by forging that field. rsyslog creates the year/month/IP directories as needed.
- Nothing rotates or deletes these files: a new file is started each month because the month is part of the path, but old months stay on disk until you prune or compress them yourself.
- Now enable and restart rsyslog
  - systemctl enable rsyslog.service
  - systemctl restart rsyslog.service
- Check to make sure rsyslog started happily
  - systemctl status rsyslog.service
  - tail -f /data/logs/2015/03/127.0.0.1/syslog.log (adjust the year/month directory to the current date)
  - You should see something like this: rsyslogd: [origin software="rsyslogd" swVersion="5.8.11" x-pid="24127" x-info="http://www.rsyslog.com"] start
  - Then send a test message from another host on the network and confirm that a new directory named after that host's IP address shows up under your logs folder
- Log out of SSH and disable it if you don't need it anymore.
That should cover the basics. The ReadyNAS's own messages are filed under 127.0.0.1; every other host on your network is filed under its own IP address. There is of course a lot more custom configuration you can do; this is just the basics. You will also be able to view your logs from the shared folder you created.
I commented out a lot of lines above to avoid duplicate logging in the /var/log directory, as that's only about 4GB in size. You can always re-enable them and change their path if you choose.
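The selector syntax in those rsyslog.conf lines (*.*;auth,authpriv.none, mail.err, *.=info, and so on) is compact but easy to misread, and it is what decides whether a message lands in /var/log, in the RemoteLog file, or both. The script below is an added example, not code from the original post or from rsyslog itself: it re-implements the sysklogd/rsyslog "facility.priority" selector rules as per-facility severity bitmasks and routes a few constructed syslog lines through the post's rules before and after the edits. The auth,authpriv.* line for /var/log/auth.log (assumed to be present in the stock Debian config and left alone by the post) and the sample messages are assumptions, not taken from the page.

```python
"""Which rsyslog rules pick up a given syslog message?

Added example, not code from the original post or from rsyslog. It
re-implements the sysklogd/rsyslog "facility.priority" selector semantics
used in /etc/rsyslog.conf and runs the post's rules over a few constructed
RFC 3164 lines, showing why the stock rules plus "*.* ?RemoteLog" would
write most messages twice.
"""
import re

# Facility and severity names in numeric order (RFC 3164 / rsyslog).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEV_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
ALL_BITS = (1 << len(SEVERITIES)) - 1
PRI_RE = re.compile(r"^<(\d{1,3})>")


def compile_rule(selectors):
    """Turn 'sel;sel;...' into {facility: bitmask of accepted severities}.

    Bit s is set when severity s (0 = emerg ... 7 = debug) is accepted.
    Selectors apply left to right: 'fac.level' adds that level and everything
    more severe, 'fac.=level' adds exactly that level, a leading '!' removes
    instead of adds, and 'fac.none' clears the facility. So
    '*.*;auth,authpriv.none' means "everything except auth and authpriv".
    """
    mask = {f: 0 for f in FACILITIES}
    for sel in selectors.replace("\\", "").split(";"):
        sel = "".join(sel.split())  # tolerate continuation-line whitespace
        if not sel:
            continue
        fac_part, dot, pri = sel.rpartition(".")
        if not dot:
            raise ValueError(f"bad selector {sel!r}")
        facs = FACILITIES if fac_part == "*" else fac_part.split(",")
        unknown = [f for f in facs if f not in mask]
        if unknown:
            raise ValueError(f"unknown facility {unknown} in {sel!r}")
        remove = pri.startswith("!")
        if remove:
            pri = pri[1:]
        exact = pri.startswith("=")
        if exact:
            pri = pri[1:]
        if pri == "none":
            bits, remove = ALL_BITS, True
        elif pri == "*":
            bits = ALL_BITS
        else:
            pri = SEV_ALIASES.get(pri, pri)
            if pri not in SEVERITIES:
                raise ValueError(f"unknown priority {pri!r} in {sel!r}")
            level = SEVERITIES.index(pri)
            bits = 1 << level if exact else (1 << (level + 1)) - 1
        for f in facs:
            mask[f] = mask[f] & ~bits if remove else mask[f] | bits
    return mask


def decode_pri(line):
    """Return (facility, severity) from the <PRI> header: PRI = facility*8 + severity."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) >= len(FACILITIES) * 8:
        raise ValueError(f"no valid <PRI> header in {line[:24]!r}")
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def route(rules, line):
    """Return the targets whose selector matches the message's facility/severity.

    A '-' prefix on a file target means rsyslog does not fsync after each
    write; a '?' prefix means the filename comes from the named $template.
    """
    fac, sev = decode_pri(line)
    bit = 1 << SEVERITIES.index(sev)
    return [target for selectors, target in rules if compile_rule(selectors)[fac] & bit]


# A subset of the stock Debian rules the post comments out, the auth.log rule
# it leaves alone (assumption: stock /etc/rsyslog.conf), and the added RemoteLog rule.
DEFAULT_RULES = [
    ("*.*;auth,authpriv.none", "-/var/log/syslog"),
    ("auth,authpriv.*", "/var/log/auth.log"),
    ("cron.*", "/var/log/cron.log"),
    ("daemon.*", "-/var/log/daemon.log"),
    ("kern.*", "-/var/log/kern.log"),
    ("mail.*", "-/var/log/mail.log"),
    ("user.*", "-/var/log/user.log"),
    ("mail.err", "/var/log/mail.err"),
    ("*.=info;*.=notice;*.=warn;\\ auth,authpriv.none;\\ cron,daemon.none;\\ mail,news.none",
     "-/var/log/messages"),
    ("*.*", "?RemoteLog"),
]
# What is left after the post's edits: only auth.log and the RemoteLog template.
TRIMMED_RULES = [DEFAULT_RULES[1], DEFAULT_RULES[-1]]

# Constructed sample lines (not real captures). <PRI> = facility*8 + severity.
SAMPLE_MESSAGES = [
    "<86>Mar 10 09:15:01 nas sshd[4121]: Accepted password for root from 192.168.1.20 port 50122 ssh2",  # authpriv.info
    "<27>Mar 10 09:15:07 router dhcpd[712]: DHCPDISCOVER from 00:11:22:33:44:55 via eth1: no free leases",  # daemon.err
    "<13>Mar 10 09:16:00 laptop backup: nightly backup finished",  # user.notice
    "<19>Mar 10 09:17:30 mailhost postfix/master[880]: fatal: open lock file pid/master.pid",  # mail.err
    "<0>Mar 10 09:18:00 nas kernel: Kernel panic - not syncing",  # kern.emerg
]

if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        fac, sev = decode_pri(line)
        print(f"{fac}.{sev:<8} default: {route(DEFAULT_RULES, line)}")
        print(f"{'':18}trimmed: {route(TRIMMED_RULES, line)}")
```

Run it and every message except the authpriv one routes to two or three files under the stock rules and to RemoteLog only under the trimmed set, which is exactly the duplication the commented-out lines avoid. To check the real collector rather than this model, send a line from another host with util-linux logger (logger -n <nas-ip> -P 514 -d "test") and watch for a directory named after that host's IP under your logs folder.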
The double quotes on this line have been changed by the website to the correct characters, so this will not work.
$template RemoteLog,”/data/logs/%$YEAR%/%$MONTH%/%fromhost-ip%/syslog.log”
Should be
$template RemoteLog,”/data/logs/%$YEAR%/%$MONTH%/%fromhost-ip%/syslog.log”
The same replacement happened to my comment, but I expect you understand the problem 😎
Ah, good point, didn’t really call that out, subtle change in the type of quotes. Need to figure out how to work around that in wordpress.
Maybe this:
$template RemoteLog,"/data/logs/%$YEAR%/%$MONTH%/%fromhost-ip%/syslog.log"
Ok, took some messing around (WordPress visual editor not so friendly to code tags), but quotes should now be fixed.