Syslog is a great standard for handling logs, especially over a network. So how do you set it up on Debian? Sending logs over a network isn't rocket science.

Step 1 - install syslog-ng

First, run "sudo apt-get update" and "sudo apt-get upgrade" in order to update your packages. Then install syslog-ng with "sudo apt-get install syslog-ng". Repeat this on all systems which should use syslog.

Step 2 - configure the clients

Open up "/etc/syslog-ng/syslog-ng.conf", scroll down to the bottom and write:

destination d_tcp { tcp("" port(1234) localport(999)); };
log { source(s_src); destination(d_tcp); };

The first line defines a destination called d_tcp, which is a TCP connection to on port 1234 from the local port 999. You should make sure that the IP is the IP of your syslog server. You may need to change the ports, depending on your configuration.

The second line tells syslog to send everything from s_scr (which is already defines, and has everything we need) to d_tcp. Basically, everything is sent to your server.

Do this for all clients.

Step 3- configure the server

Open up "/etc/syslog-ng/syslog-ng.conf", scroll down to the bottom and write:

source s_net { tcp(ip( port(1234)); };

destination collector {
owner(root) group(root) perm(0600) dir_perm(0700) create_dirs(yes)

log { source(s_net); destination(collector); };

The first line defines a source, which listens on TCP port 1234 and IP Modify this to match your environment.

Collector is a destination which, just like d_tcp, defines where stuff goes. Here we want to write a file and automatically create folders depending on time, host and what type of log entry. The $-sign in the path means it's a variable.

And, just like before, the last line makes sure everything we collect from s_net goes to the proper destination.

If everything works as it should, you'll see a folder HOSTS in /var/log, which in turn contains one folder per host that is sending logs.