Packetwatch.net

Syslog-ng 2 in Red Hat Enterprise Linux 4



Last modified: Aug. 3, 2008

Contents
1 - Summary
2 - Dependencies
3 - Syslog-ng installation
4 - Service configuration
5 - Service check


1 - Summary

This short guide shows how to build syslog-ng 2 from source on Red Hat
Enterprise Linux 4 and make it the system logger in place of the stock syslog
service (sysklogd's syslogd and klogd). It assumes you are running Red Hat
Enterprise Linux 4 with root or sudo access.


2 - Dependencies

You will need gcc installed to build from source. syslog-ng 2 also links
against GLib 2, so install the glib2-devel package as well if ./configure later
reports that it cannot find glib-2.0.
# rpm -qa | grep gcc
gcc-3.4.3-9.EL4
libgcc-3.4.3-9.EL4
gcc-c++-3.4.3-9.EL4
gcc-java-3.4.3-9.EL4
gcc-g77-3.4.3-9.EL4

syslog-ng 2 also needs BalaBit's eventlog library. Navigate your web browser to
http://www.balabit.com/downloads/files/syslog-ng/sources/stable/src/ and
download the latest version, then build and install it. With the default
prefix it lands under /usr/local, which is why PKG_CONFIG_PATH is set before
configuring syslog-ng below.
# tar -zxvf eventlog-0.2.7.tar.gz
# cd eventlog-0.2.7
# ./configure
# make
# sudo make install
# sudo make clean


3 - Syslog-ng installation

Navigate your web browser to the following link and download the latest
version, then install it. The export line lets ./configure find the eventlog.pc
file that the eventlog install placed in /usr/local/lib/pkgconfig; without it
configure will not find eventlog. If syslog-ng later refuses to start because
the dynamic loader cannot find libevtlog.so, add /usr/local/lib to
/etc/ld.so.conf and run /sbin/ldconfig.

http://www.balabit.com/downloads/files/syslog-ng/sources/stable/src/

# tar -zxvf syslog-ng-2.0.9.tar.gz
# cd syslog-ng-2.0.9
# export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/local/lib/pkgconfig
# ./configure
# make
# sudo make install
# sudo make clean


4 - Service configuration

Check to see what runlevels syslog starts up on.
# sudo /sbin/chkconfig --list | grep syslog
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off

Disable syslog from starting at boot time.
# sudo /sbin/chkconfig syslog off

Copy the sample Red Hat Enterprise Linux configuration file and logrotate file
from the source tree's contrib/rhel-packaging directory. The strings command
confirms where the binary you built expects its configuration file; with the
default prefix that is /usr/local/etc, not /etc.
# cd ~
# cd syslog-ng-2.0.9/contrib/rhel-packaging
# strings /usr/local/sbin/syslog-ng | grep syslog-ng.conf
  -f , --cfgfile=    Set config file name, default=/usr/local/etc/syslog-ng.conf
/usr/local/etc/syslog-ng.conf
# sudo cp syslog-ng.conf /usr/local/etc/
# sudo cp syslog-ng.logrotate /etc/logrotate.d/syslog-ng

Copy the init.d script into place, make it executable, and edit it so that the
binary variable points at the syslog-ng you just built under /usr/local:

  binary="/usr/local/sbin/syslog-ng"

# sudo cp syslog-ng.init /etc/rc.d/init.d/syslog-ng
# sudo chmod ugo+x /etc/rc.d/init.d/syslog-ng
# sudo vi /etc/rc.d/init.d/syslog-ng

Add the syslog-ng service so it starts at boot time, and check that it is
enabled on the same runlevels (2 through 5) that syslog was.
# sudo /sbin/chkconfig --add syslog-ng
# sudo /sbin/chkconfig --list | grep syslog-ng
syslog-ng       0:off   1:off   2:on    3:on    4:on    5:on    6:off

You can now write your own syslog-ng.conf. Use the following as your source:
internal() carries syslog-ng's own messages, file("/proc/kmsg") reads kernel
messages straight from the kernel (this is what replaces klogd, which stops
along with syslogd; only one process should read /proc/kmsg), and
unix-dgram("/dev/log") receives messages sent by local programs via syslog(3).

  source local { internal(); file("/proc/kmsg" log_prefix("kernel: "));  unix-dgram("/dev/log"); };

# sudo cp /usr/local/etc/syslog-ng.conf /usr/local/etc/syslog-ng.conf.original
# sudo vi /usr/local/etc/syslog-ng.conf
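As an added example (not from the original page and not BalaBit's contrib
file), here is a complete syslog-ng 2.0 configuration built around that source.
It reproduces the log files the stock RHEL 4 /etc/syslog.conf writes, so the
logrotate entry and anything that watches /var/log keeps working, and adds an
optional TCP destination that forwards a copy to a central log host;
loghost.example.com is a placeholder, and the 0600 file mode is a hardening
choice, not a syslog-ng default.

```conf
# /usr/local/etc/syslog-ng.conf for syslog-ng 2.0 on RHEL 4 (added example).
# Mirrors the destinations of the stock RHEL 4 /etc/syslog.conf.

options {
    chain_hostnames(no);    # record the originating host only, not a relay chain
    use_dns(no);            # never block logging on a DNS lookup
    use_fqdn(no);
    keep_hostname(yes);     # fine for local-only sources
    stats_freq(3600);       # hourly internal statistics via internal()
    time_reopen(10);        # seconds before retrying a dropped TCP connection
    log_fifo_size(1000);
    perm(0600);             # new log files readable by root only (hardening choice)
    owner(root);
    group(root);
    create_dirs(no);
};

# Local sources: syslog-ng's own messages, the kernel ring buffer (replaces
# klogd) and the /dev/log socket used by syslog(3).
source local { internal(); file("/proc/kmsg" log_prefix("kernel: ")); unix-dgram("/dev/log"); };

destination d_messages { file("/var/log/messages"); };
destination d_secure   { file("/var/log/secure"); };
destination d_maillog  { file("/var/log/maillog"); };
destination d_cron     { file("/var/log/cron"); };
destination d_spooler  { file("/var/log/spooler"); };
destination d_boot     { file("/var/log/boot.log"); };
destination d_console  { usertty("*"); };     # *.emerg goes to every logged-in user
# Optional: copy everything to a central log host so the logs survive a
# compromise of this box. The hostname is a placeholder (assumption).
destination d_loghost  { tcp("loghost.example.com" port(514)); };

# Same selectors as the stock syslog.conf:
#   *.info;mail.none;authpriv.none;cron.none  /var/log/messages
#   authpriv.* /var/log/secure, mail.* /var/log/maillog, cron.* /var/log/cron,
#   *.emerg *, uucp,news.crit /var/log/spooler, local7.* /var/log/boot.log
filter f_messages { level(info..emerg) and not facility(mail, authpriv, cron); };
filter f_authpriv { facility(authpriv); };
filter f_mail     { facility(mail); };
filter f_cron     { facility(cron); };
filter f_emerg    { level(emerg); };
filter f_spooler  { facility(uucp, news) and level(crit..emerg); };
filter f_boot     { facility(local7); };

log { source(local); filter(f_messages); destination(d_messages); };
log { source(local); filter(f_authpriv); destination(d_secure); };
log { source(local); filter(f_mail);     destination(d_maillog); };
log { source(local); filter(f_cron);     destination(d_cron); };
log { source(local); filter(f_emerg);    destination(d_console); };
log { source(local); filter(f_spooler);  destination(d_spooler); };
log { source(local); filter(f_boot);     destination(d_boot); };
# Forward everything off-box as well (delete this line if you have no log host).
log { source(local); destination(d_loghost); };
```

Check the file with /usr/local/sbin/syslog-ng -s (syntax check only) before
restarting the service. If you do not run a central log host, remove the
d_loghost destination and its log statement; otherwise syslog-ng will keep
retrying the connection every time_reopen seconds and report it via internal().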

You can now modify the logrotate file for syslog-ng. Make sure the files it
lists match the destinations in your syslog-ng.conf and that its postrotate
script signals syslog-ng (via its pid file) rather than syslogd. The stock
/etc/logrotate.d/syslog from the sysklogd package rotates the same files, and
logrotate rejects duplicate entries for a file, so move that file out of
/etc/logrotate.d.
# sudo vi /etc/logrotate.d/syslog-ng

Stop the syslog service (this stops both syslogd and klogd) and start
syslog-ng. Do the two steps back to back: while no logger is listening on
/dev/log, messages from local programs are dropped.
# sudo /sbin/service syslog stop
Shutting down kernel logger: [  OK  ]
Shutting down system logger: [  OK  ]
# sudo /sbin/service syslog-ng start
Starting syslog-ng: [  OK  ]


5 - Service check

Reboot your computer. Log in as usual and check that the syslog service is not
running and that syslog-ng is. Then send a test message with logger and confirm
it appears in /var/log/messages, and check that kernel messages (the lines
prefixed kernel:) are still being written now that klogd is gone. That's it:
syslog-ng 2 is now running on Red Hat Enterprise Linux 4.
# sudo /sbin/shutdown -r now
# sudo /sbin/service syslog status
syslogd is stopped
klogd is stopped
# sudo /sbin/service syslog-ng status
syslog-ng (pid 1919) is running...


Packetwatch Research 2002-2008.