How to Setup Centralized Logging Server using Rsyslog
Rsyslog is the logging daemon used on Linux systems. It is an enhanced version of the classic syslog service and can also write logs to databases (MySQL, PostgreSQL). It has been the default logging service since the CentOS/RHEL 6 release. This article configures a centralized logging server for our hosting environment.
This article will help you to install the Rsyslog service on CentOS/RHEL 5 and configure Rsyslog to send all logs to a central server. Our main aim is to have all of our log files in one location, from where we can easily back them up or run a parser over them in one place, instead of setting up a backup on each server individually. Keep in mind that syslog over plain UDP is neither authenticated nor encrypted: any host that can reach port 514 can inject log lines, and the messages cross the network in clear text, so the log server belongs on a trusted management network.
Step 1: Install Rsyslog Service
Rsyslog is installed by default on RHEL based systems from the RHEL 6 release onward. Install the Rsyslog service on the central logging system as well as on the client systems. Use the following command to install Rsyslog on earlier RHEL/CentOS versions.
# yum install rsyslog
After installing, start the rsyslog service and make sure the old syslog service is stopped, so the two daemons do not compete for /dev/log.
# service syslog stop
# chkconfig syslog off
# service rsyslog start
# chkconfig rsyslog on

Step 2: Configure Rsyslog on Central Logging Server
Now we need to configure Rsyslog on the central logging server to receive logs from the remote clients and store them in a separate directory per client.
Step 2.1: Allow SELinux
If you have SELinux enabled on your system, make sure port 514 is labelled for syslog so that rsyslog is allowed to bind to it. The semanage subcommand is "port"; list the current labels first, because on RHEL 6 udp 514 already carries the syslogd_port_t label and adding it again is reported as already defined. On RHEL 6 the semanage tool comes from the policycoreutils-python package.
# semanage port -l | grep syslogd_port_t
# semanage port -a -t syslogd_port_t -p udp 514

Step 2.2: Setup Log File Location
Now edit the Rsyslog configuration file and configure the locations where the log files are generated on the system.
# vim /etc/rsyslog.conf
and add the following lines at the end of the file. The two templates build one file per client host and per program name under /var/log. The original text referenced TmplMsg without defining it, so the second template line below, using the same path pattern as TmplAuth, is supplied here to make the configuration load.
$template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.* ?TmplAuth
*.info,mail.none,authpriv.none,cron.none ?TmplMsg
Note that %HOSTNAME% and %PROGRAMNAME% are taken from the message the client sends, so whoever can reach the port also chooses the directory and file name. rsyslog's secpath-replace property option (for example %HOSTNAME:::secpath-replace%) replaces any "/" in the value with "_" and is worth using if hosts you do not fully trust can reach the server.

Step 2.3: Enable Module and UDP Protocol
Also uncomment the following lines (remove the leading #) in the rsyslog configuration file to load the UDP input module and listen on port 514. The $ModLoad line must come before $UDPServerRun. If you prefer TCP, which does not silently drop messages under load, the equivalent pair is $ModLoad imtcp and $InputTCPServerRun 514, and the clients then forward with @@ instead of @.
$ModLoad imudp
$UDPServerRun 514

Step 2.4: Open Access in Firewall
If you are using iptables to protect your system, add the following rule to open the port. Restrict it with -s to the subnet your clients live in (192.168.1.0/24 here is an example matching the server address used in Step 3) rather than accepting syslog from anywhere. Use -I rather than -A: the default RHEL ruleset ends with a REJECT rule, and a rule appended with -A lands behind it and never matches. Save the rule so it survives a reboot.
# iptables -I INPUT -s 192.168.1.0/24 -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
# service iptables save

Step 2.5: Restart Rsyslog
After making the above changes on the Rsyslog central server, restart the service using the following command and confirm that rsyslogd is now listening on UDP port 514.
# service rsyslog restart
# netstat -ulnp | grep 514

Step 3: Configure Rsyslog on Client Nodes
After configuring the Rsyslog centralized server, let's configure the client systems to send their logs to the central Rsyslog server. Log in to each client node and edit the configuration file.
# vim /etc/rsyslog.conf
Add the line below at the end of the file, replacing the IP or hostname with that of your central Rsyslog server. A single @ forwards over UDP; use @@ instead if you enabled the TCP listener (imtcp) on the server. Because the selector is *.*, every message is forwarded; the client's own files under /var/log are still written as before, since this line only adds a forwarding action.
*.* @192.168.1.254:514
or
*.* @logserver.example.com:514
and restart the rsyslog service using the following command.
# service rsyslog restart
Your centralized logging server setup is now complete. To verify it, run "logger -t test 'central logging check'" on a client and confirm that the message appears in /var/log/<client-hostname>/test.log on the server. If nothing arrives, check the firewall rule, look for denials in /var/log/audit/audit.log on the server, and confirm that rsyslogd on the server is listening on UDP 514.
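Putting Steps 1 to 3 together, the shell script below is an added example for this article, not the article's own code. It generates the server fragment (Steps 2.2 and 2.3), the client fragment (Step 3) and the firewall rule (Step 2.4), and checks delivery of a marker message. It assumes the legacy "$directive" rsyslog syntax of RHEL/CentOS 5 and 6, an /etc/rsyslog.d/ include directory (present in the stock RHEL 6 rsyslog.conf), /var/lib/rsyslog as the queue work directory, and logger(1) on the client; the file names central.conf and forward.conf are the script's own choice. It goes beyond the article in two ways: it offers a TCP variant with a disk-assisted client queue, and it applies rsyslog's secpath-replace property option to the client-supplied hostname and program name in the file templates.

```shell
#!/bin/bash
# Added example, not code from the original article: generates the server and
# client rsyslog fragments described in Steps 2 and 3, the firewall rule from
# Step 2.4, and checks delivery of a marker message. Assumptions: legacy
# "$directive" rsyslog syntax (RHEL/CentOS 5 and 6), an /etc/rsyslog.d/
# include directory, /var/lib/rsyslog as the queue work directory, and
# logger(1) on the client. central.conf and forward.conf are our own names.
set -eu

LOGROOT="${LOGROOT:-/var/log}"

# Steps 2.2 and 2.3 (server): load the input module for the chosen transport
# and write one file per client host and per program name. secpath-replace
# rewrites any "/" in the client-supplied HOSTNAME or PROGRAMNAME to "_", so
# a sender cannot steer the output file outside LOGROOT with a crafted name.
gen_server_conf() {
    proto="$1"   # udp or tcp
    port="$2"
    case "$proto" in
        udp) printf '$ModLoad imudp\n$UDPServerRun %s\n' "$port" ;;
        tcp) printf '$ModLoad imtcp\n$InputTCPServerRun %s\n' "$port" ;;
        *)   echo "gen_server_conf: unknown protocol '$proto'" >&2; return 1 ;;
    esac
    tmpl='%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log'
    printf '$template TmplAuth, "%s/%s"\n' "$LOGROOT" "$tmpl"
    printf '$template TmplMsg, "%s/%s"\n' "$LOGROOT" "$tmpl"
    printf 'authpriv.*  ?TmplAuth\n'
    printf '*.info,mail.none,authpriv.none,cron.none  ?TmplMsg\n'
}

# Step 3 (client): one "@" forwards over UDP (fire and forget); "@@" uses TCP,
# and with TCP a disk-assisted action queue keeps messages across a server
# outage instead of dropping them.
gen_client_conf() {
    proto="$1"; server="$2"; port="$3"
    case "$proto" in
        udp) printf '*.* @%s:%s\n' "$server" "$port" ;;
        tcp)
            printf '$WorkDirectory /var/lib/rsyslog\n'
            printf '$ActionQueueType LinkedList\n'
            printf '$ActionQueueFileName fwdRule1\n'
            printf '$ActionQueueMaxDiskSpace 1g\n'
            printf '$ActionQueueSaveOnShutdown on\n'
            printf '$ActionResumeRetryCount -1\n'
            printf '*.* @@%s:%s\n' "$server" "$port"
            ;;
        *) echo "gen_client_conf: unknown protocol '$proto'" >&2; return 1 ;;
    esac
}

# Step 2.4 (server): accept syslog only from the client network. -I puts the
# rule ahead of RHEL's default trailing REJECT rule, which an appended (-A)
# rule would land behind and never match.
gen_iptables_rule() {
    proto="$1"; port="$2"; clients="$3"
    printf 'iptables -I INPUT -s %s -p %s --dport %s -j ACCEPT\n' "$clients" "$proto" "$port"
}

# Where a client's messages for a given syslog tag should land on the server.
remote_log_path() {
    printf '%s/%s/%s.log\n' "$LOGROOT" "$1" "$2"
}

# True when the marker string has arrived in the expected per-host file.
check_received() {
    file="$1"; marker="$2"
    [ -f "$file" ] && grep -qF -- "$marker" "$file"
}

case "${1:-}" in
    server)   # ./rsyslog-central.sh server [udp|tcp]
        gen_server_conf "${2:-udp}" 514 > /etc/rsyslog.d/central.conf
        service rsyslog restart ;;
    client)   # ./rsyslog-central.sh client [udp|tcp] <server-ip-or-host>
        gen_client_conf "${2:-udp}" "${3:?server host required}" 514 > /etc/rsyslog.d/forward.conf
        service rsyslog restart ;;
    send)     # run on a client; prints the marker to look for on the server
        marker="central-check-$$"
        logger -t centralcheck "$marker"
        echo "$marker" ;;
    check)    # ./rsyslog-central.sh check <client-hostname> <marker>  (on the server)
        check_received "$(remote_log_path "${2:?client hostname}" centralcheck)" "${3:?marker}" \
            && echo "received" || { echo "not received" >&2; exit 1; } ;;
esac
```

Run "server" on the log host and "client <server>" on each client (add "tcp" as the second argument on both sides for the TCP variant), then "send" on a client and "check <client-hostname> <marker>" on the server; the marker lands in /var/log/<client-hostname>/centralcheck.log because logger's tag becomes %PROGRAMNAME%. The generated firewall rule is printed by gen_iptables_rule rather than applied, so you can review the source subnet before running it and then persist it with "service iptables save".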