How To Setup SysLog Server on CentOS 7 / RHEL 7
Today we will look at how to set up centralized log management for Linux servers. This lets a Linux admin collect the logs of multiple servers in a single place: instead of logging in to each server to check its logs, the admin can log in to the central server and monitor all the logs from there.
Linux labels each log message with a facility (auth, cron, FTP, LPR, authpriv, news, mail, syslog, etc.) to indicate the type of software that generated the message, together with a severity (alert, critical, warning, notice, info, etc.).
You can find more information on message labels and severity levels.
Make sure you have the following to set up a log server.

Two Linux servers (server and client):

server.itzgeek.local  192.168.0.10
client.itzgeek.local  192.168.0.20
Syslog Server Setup

Install the Rsyslog package, if you do not have it installed.

yum -y install rsyslog

Edit the /etc/rsyslog.conf file.

vi /etc/rsyslog.conf

TCP or UDP
Rsyslog supports both UDP and TCP for receiving logs. TCP provides reliable delivery of the log messages, whereas UDP is connectionless and messages can be lost on the network. You can enable either or both.
UDP

Uncomment the following to enable the syslog server to listen on the UDP protocol.

FROM:

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

TO:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

TCP
Uncomment the following to enable the syslog server to listen on the TCP protocol.
FROM:

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

TO:

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Restart the syslog service.

systemctl restart rsyslog

Verify that the syslog server is listening on port 514.

netstat -antup | grep 514

Output:

udp 0 0 0.0.0.0:514 0.0.0.0:* 1467/rsyslogd
udp6 0 0 :::514 :::* 1467/rsyslogd

Syslog Client Setup
Install the Rsyslog package, if you do not have it installed.
yum -y install rsyslog
Edit the /etc/rsyslog.conf file.

vi /etc/rsyslog.conf
At the end of the file, add the following line to forward the client's message log to the server.

UDP

*.info;mail.none;authpriv.none;cron.none @192.168.0.10:514

TCP

*.info;mail.none;authpriv.none;cron.none @@192.168.0.10:514

A single @ forwards over UDP and @@ forwards over TCP. You can use either the hostname or the IP address as the target.
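The server-side listener directives above and the client-side forwarding rule are easy to get subtly wrong (a directive left commented out, a single @ where TCP was intended). The following script, an added example that is not part of the original tutorial, reads an rsyslog.conf and reports which listeners are actually enabled and where forwarding rules point. The sample config embedded in it is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): inspect an rsyslog.conf
# and report which listeners (server side) and forwarders (client side)
# are actually enabled, ignoring commented-out lines.

# Constructed sample config: UDP reception left commented out, TCP reception
# enabled, plus a client forwarding rule over TCP.
SAMPLE_CONF=$(cat <<'EOF'
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

*.info;mail.none;authpriv.none;cron.none @@192.168.0.10:514
EOF
)

# Print "udp <port>" / "tcp <port>" for each listener whose module is loaded
# and whose *Run directive is uncommented. Reads config text from stdin.
rsyslog_listeners() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        /^[$]ModLoad[ \t]+imudp/ { udp_mod = 1 }
        /^[$]ModLoad[ \t]+imtcp/ { tcp_mod = 1 }
        /^[$]UDPServerRun[ \t]+[0-9]+/ { udp_port = $2 }
        /^[$]InputTCPServerRun[ \t]+[0-9]+/ { tcp_port = $2 }
        END {
            if (udp_mod && udp_port != "") print "udp " udp_port
            if (tcp_mod && tcp_port != "") print "tcp " tcp_port
        }
    '
}

# Print "<proto> <host> <port>" for each forwarding rule. A single @ means
# UDP, @@ means TCP; the port defaults to 514 when omitted. Reads stdin.
rsyslog_forwarders() {
    awk '
        /^[ \t]*#/ { next }
        $2 ~ /^@/ {
            target = $2
            proto = "udp"
            if (substr(target, 1, 2) == "@@") { proto = "tcp"; target = substr(target, 3) }
            else { target = substr(target, 2) }
            n = split(target, parts, ":")
            host = parts[1]
            port = (n > 1) ? parts[2] : "514"
            print proto " " host " " port
        }
    '
}

# Usage: run both checks against the constructed sample.
printf '%s\n' "$SAMPLE_CONF" | rsyslog_listeners     # -> tcp 514
printf '%s\n' "$SAMPLE_CONF" | rsyslog_forwarders    # -> tcp 192.168.0.10 514
```

On a real host, replace the embedded sample with `rsyslog_listeners < /etc/rsyslog.conf` and compare the result with what `netstat -antup | grep 514` shows after the restart; a listener that appears in one but not the other points at a typo or a forgotten restart.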
Restart the syslog service.

systemctl restart rsyslog

Now all message logs are sent to the central server, while a copy is still kept locally.
Firewall

Most production environments are protected by a hardware firewall; ask the firewall administrators to open TCP and UDP port 514.

If you have FirewallD enabled, run the following commands on the server to accept incoming traffic on UDP / TCP port 514.

TCP

firewall-cmd --permanent --add-port=514/tcp
firewall-cmd --reload

UDP

firewall-cmd --permanent --add-port=514/udp
firewall-cmd --reload

Validate
Go to the syslog server and view the messages log file.
tail -f /var/log/messages
You should see the client's logs being recorded on the syslog server.

Feb 9 04:26:09 client systemd: Stopping System Logging Service...
Feb 9 04:26:09 client rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="910" x-info="http://www.rsyslog.com"] exiting on signal 15.
Feb 9 04:26:09 client systemd: Stopped System Logging Service.
Feb 9 04:26:09 client systemd: Starting System Logging Service...
Feb 9 04:26:09 client rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="1546" x-info="http://www.rsyslog.com"] start
Feb 9 04:26:09 client systemd: Started System Logging Service.

In the same way, you can monitor the other logs such as secure, mail, and cron logs.
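Once the central server is receiving lines like the ones above, the next useful step is to do something with them. The script below is an added example, not part of the original tutorial: it runs two checks over a constructed sample of /var/log/messages (the six lines shown above plus one constructed line from a second host named web01), counting messages per sending host and listing the hosts whose rsyslogd reported that it stopped. On a central log server a client that stops forwarding simply goes quiet, so the "exiting on signal" line is the one worth alerting on.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): two small checks over
# the lines that arrive in /var/log/messages on the central syslog server.

# Constructed sample: the six lines the tutorial shows when the client restarts
# rsyslog, plus one constructed line from a second host (web01).
SAMPLE_LOG=$(cat <<'EOF'
Feb  9 04:26:09 client systemd: Stopping System Logging Service...
Feb  9 04:26:09 client rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="910" x-info="http://www.rsyslog.com"] exiting on signal 15.
Feb  9 04:26:09 client systemd: Stopped System Logging Service.
Feb  9 04:26:09 client systemd: Starting System Logging Service...
Feb  9 04:26:09 client rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="1546" x-info="http://www.rsyslog.com"] start
Feb  9 04:26:09 client systemd: Started System Logging Service.
Feb  9 04:30:00 web01 sshd[2201]: Accepted publickey for admin from 192.168.0.50 port 50122 ssh2
EOF
)

# Count messages per sending host. In the classic syslog line format the host
# is the 4th whitespace-separated field (month, day, time, host, program).
# Output is "host count", one per line, sorted by host. Reads stdin.
messages_per_host() {
    awk '{ count[$4]++ } END { for (h in count) print h, count[h] }' | sort
}

# List hosts whose rsyslogd reported that it stopped ("exiting on signal").
# Output: "month day time host", one line per stop event. Reads stdin.
logger_stops() {
    awk '$5 == "rsyslogd:" && /exiting on signal/ { print $1, $2, $3, $4 }'
}

# Usage: run both checks against the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | messages_per_host   # -> client 6 / web01 1
printf '%s\n' "$SAMPLE_LOG" | logger_stops        # -> Feb 9 04:26:09 client
```

On the real server the same functions run as `messages_per_host < /var/log/messages`; a client host that is expected to report but has a count of zero, or that appears in `logger_stops` without a later "start" line, is the condition to investigate.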
Conclusion

That's all. I hope you successfully set up a centralized syslog server on CentOS 7 / RHEL 7. You can also try open-source log management tools like the ELK stack or Graylog for more advanced features such as a web interface, correlating log events, etc.