Automates syslog forwarding configuration across multiple Linux servers via SSH.
Built to solve a real deployment problem: onboarding 30+ Linux servers across multiple distributions onto a centralised SIEM log server — without logging into each one manually.
Built during SOC operations to automate SIEM log onboarding across client Linux infrastructure. Standard mass deployment tools were not viable due to legacy systems in client environments, including RHEL 5, which required custom handling. The script was designed to detect the distribution automatically and apply the correct configuration regardless of age or version.
A single script that:
- SSHs into each target server
- Detects the Linux distribution automatically
- Writes the correct forwarding rule to the right config file for that distro
- Restarts the appropriate syslog service
- Verifies the service is running after restart
- Logs results for every host to a timestamped log file
| Distribution | Syslog Daemon | Config File |
|---|---|---|
| RHEL / CentOS 5–6 | syslog | /etc/syslog.conf |
| RHEL 7+ / CentOS 7+ / Fedora | rsyslog | /etc/rsyslog.conf |
| Debian / Ubuntu | rsyslog | /etc/rsyslog.conf |
| SUSE Enterprise Server 11 | syslog-ng | /etc/syslog-ng/syslog-ng.conf |
| SUSE (newer) | syslog-ng | /etc/syslog-ng/syslog-ng.conf |
| Unknown / fallback | syslog | /etc/syslog.conf |
Requires Python 3.7+ and paramiko:

```
pip install paramiko
```

Run the script:

```
python syslogify.py
```

The script will prompt for:
- SSH username
- Log server IP and port
- Target host IPs (comma-separated)
- Authentication method (SSH key or password)
Example session:

```
── Syslogify — Automated Syslog Deployment ──
SSH username: admin
Log server IP: 192.168.1.100
Log server port [514]:
Target hosts (comma-separated IPs): 10.0.0.1, 10.0.0.2, 10.0.0.3
Auth method — [1] SSH key [2] Password: 1
Path to private key [~/.ssh/id_rsa]:
Sudo password on remote hosts (leave blank if passwordless sudo):
```
SSH key authentication (recommended)

```bash
# Generate a key pair if you don't have one
ssh-keygen -t ed25519 -C "syslogify"
# Copy public key to each target server
ssh-copy-id -i ~/.ssh/id_ed25519.pub admin@<host>
```

Password authentication: supported for legacy environments. The sudo password is passed via stdin rather than embedded in the command string, so it does not appear in the remote process list.
Each run generates a timestamped log file:

```
syslogify_20260314_143022.log
```

And prints a deployment summary:

```
── Deployment Summary ──
Successful : 28 host(s): 10.0.0.1, 10.0.0.2 ...
Failed : 2 host(s): 10.0.0.15, 10.0.0.23
Full log saved to: syslogify_20260314_143022.log
```
- SSH key auth is strongly preferred over password auth for production deployments
- For production environments, create a dedicated service account with passwordless sudo scoped only to syslog restart commands:

  ```
  deploy ALL=(ALL) NOPASSWD: /bin/systemctl restart rsyslog, /bin/systemctl restart syslog-ng
  ```

- The script is idempotent — running it twice on the same host will not duplicate the forwarding rule
- No credentials are stored or written to disk
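As an added example (not the Syslogify script's own code), the distribution-to-daemon mapping from the table above together with the idempotent rule write described in the notes: the default syslog-ng source name `src` and the absence of a port suffix for legacy syslogd are assumptions, and the release strings are constructed.

```python
import re

# Distribution table from the README: daemon -> config file it manages
CONFIG_FILES = {
    "syslog": "/etc/syslog.conf",
    "rsyslog": "/etc/rsyslog.conf",
    "syslog-ng": "/etc/syslog-ng/syslog-ng.conf",
}

def pick_daemon(release_text: str) -> str:
    """Map the text of a release file (/etc/os-release, /etc/redhat-release
    or /etc/SuSE-release) to a daemon from the table; anything unrecognised
    falls back to classic syslog, as the table's last row does."""
    t = release_text.lower()
    m = re.search(r'version_id="?(\d+)', t) or re.search(r"release (\d+)", t)
    major = int(m.group(1)) if m else None
    if "suse" in t or "sles" in t:
        return "syslog-ng"
    if "debian" in t or "ubuntu" in t or "fedora" in t:
        return "rsyslog"
    if ("red hat" in t or "centos" in t) and major is not None and major >= 7:
        return "rsyslog"
    return "syslog"

def forwarding_rule(daemon: str, server: str, port: int = 514) -> str:
    """Build the forwarding rule in each daemon's syntax. Assumed: the SUSE
    syslog-ng config names its default source 'src', and legacy syslogd
    accepts no port suffix (it always sends to 514)."""
    if daemon == "syslog-ng":
        return (f'destination d_siem {{ udp("{server}" port({port})); }};\n'
                "log { source(src); destination(d_siem); };")
    if daemon == "rsyslog":
        return f"*.* @{server}:{port}"
    return f"*.* @{server}"

def apply_rule(config_text: str, rule: str) -> str:
    """Append the rule exactly once, so a second run on the same host
    leaves the config unchanged (the README's idempotence property)."""
    lines = config_text.splitlines()
    if all(line in lines for line in rule.splitlines()):
        return config_text
    sep = "" if not config_text or config_text.endswith("\n") else "\n"
    return f"{config_text}{sep}# added by syslogify\n{rule}\n"

if __name__ == "__main__":
    # Constructed sample: a legacy CentOS 5 host, applied twice to show idempotence
    rule = forwarding_rule(pick_daemon("CentOS release 5.11 (Final)"), "192.168.1.100")
    cfg = apply_rule("*.info;mail.none /var/log/messages\n", rule)
    print(cfg, apply_rule(cfg, rule) == cfg)  # second application is a no-op
```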
Built during SOC operations at a managed security services provider to automate SIEM onboarding across client Linux infrastructure. Deployed across 30+ servers spanning multiple distributions and package managers.
snwan - Sopuru Nwanna