HP Mini UX System Adstration manual 47

Do you want to configure log consolidation? (y/n) [y]:

Answer yes (y) or press Enter. The next question is:

You can configure this system hostname as either a:

-Consolidation server

-Client that forwards logs to a remote consolidation server Do you want to configure hostname as a Consolidation

Server? (y/n) [y]:

Answer yes (y). The wizard then prompts:

Enter the fully qualified directory where the consolidated logs should be stored []:

It is typically best to select a dedicated filesystem for the consolidated logs. Since consolidated logs like syslog can grow rapidly, HP also recommends that the filesystem be configured for “largefiles.” For this example, a filesystem named “/clog” is used.

Next, the wizard prompts for the client’s transport:

You can choose to have the clients forward logs to this

consolidation server using either the UDP protocol or the TCP protocol (recommended).

Do you want to use the TCP protocol? (y/n) [y]:

Selecting TCP does not necessarily preclude the use of UDP forwarded log messages by clients. Whether the log consolidator allows TCP log messages exclusively, depends on whether the system is consolidating its own local syslog file. See below for details.

You need to choose a free port on this system for receiving logs. The port chosen should be free on all cluster nodes.

Note: When configuring log consolidation on the clients, this port will need to be specified.

Enter the TCP port to be used for receiving logs [1776]:

There is no reserved port for the TCP transport of syslog-ng. Any port that is not in use can be chosen. HP recommends that the administrator choose a port from the reserved range, that is, ports below 1024. Only privileged processes on a remote system can connect to privileged ports. This provides only a weak security guarantee because it implies that the administrator trusts the remote system. See the ssh section in the log forwarding client section for establishing stronger security guarantees “Manually Configuring a Standalone Log Forwarding Client” (page 66).

The /etc/services file documents the well-known reserved ports. When choosing a reserved port, the wizard will check both /etc/services and use “netstat -an” to check that the port is not in use.

Note that syslogd uses UDP port 514. TCP port 514 is reserved for use by remsh. remsh is not a secure protocol and is disabled at many sites. If remsh has been disabled on the consolidator, you could use TCP port 514. This has the advantage that it is a privileged port and it is the same as the UDP port number so it is easy to remember and manage. However, if the administrator changes the system to re-enable the use of remsh, syslog-ngwould have to be reconfigured to use a new port and all the client systems that forward to this system would have to be updated.

Unlike UDP, TCP is a connection-oriented protocol. Each log forwarding client using TCP will have a connection to the log consolidation server. In order to avoid denial of service attacks, the default number of TCP connections accepted by syslog-ngis limited to 10 connections. For larger numbers of clients, edit the consolidation server’s /etc/syslog-ng.conf.serverfile. Find the TCP source line in the file:

source s_syslog_tcp { tcp(port(tcp_port) keep-alive(yes));}; and add a max-connections attribute as follows:

source s_syslog_tcp { tcp(port(tcp_port) keep-alive(yes)

max-connections(N)); };

where N is the expected number of clients.