How to Setup Centralized Logging Server using Rsyslog

Rsyslog is the logging server used on Linux systems; it is an enhanced version of syslog. Rsyslog can also store logs in databases (MySQL, PostgreSQL). It has been the default logging service since the CentOS/RHEL 6 release. This article covers configuring a centralized logging server for a hosting environment.

This article will help you install the Rsyslog service on CentOS/RHEL 5 and configure it to send all logs to a central server. The aim is to have all log files in one location, where they can be backed up or fed to a parser in one place, instead of setting up a backup on each server individually.

Step 1: Install Rsyslog Service

Rsyslog is installed by default on RHEL-based systems from the RHEL 6 release. Install the Rsyslog service on the central logging system as well as on the client systems. Use the following command to install it on earlier RHEL/CentOS versions.

# yum install rsyslog

After installing, start the rsyslog service and make sure the old syslog service is stopped and disabled on the server.

# service syslog stop
# chkconfig syslog off

# service rsyslog start
# chkconfig rsyslog on

Step 2: Configure Rsyslog on Central Logging Server

Now we need to configure Rsyslog on the central logging server to receive logs from remote clients and store them in separate, per-host locations.

Step 2.1: Allow SELinux

If you have SELinux enabled on your system, use the following command to label UDP port 514 for rsyslog traffic. If semanage reports that the port is already defined, the label is already in place and nothing more is needed.

# semanage port -a -t syslogd_port_t -p udp 514

Step 2.2: Setup Log File Location

Now edit the Rsyslog configuration file and configure the locations where log files will be written on the system.

# vim /etc/rsyslog.conf

and add the following lines at the end of the file.

# Both templates build a per-host, per-program path. %HOSTNAME% is the name
# the client wrote into the message, so each client gets its own directory.
$template TmplAuth,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

# Selectors are separated by ';' and later ones override earlier ones,
# so mail, authpriv and cron are excluded from the second rule.
authpriv.*   ?TmplAuth
*.info;mail.none;authpriv.none;cron.none   ?TmplMsg

Step 2.3: Enable Module and UDP Protocol

Also uncomment the following lines (remove the leading #) in the rsyslog configuration file to load the UDP input module and listen on port 514.

$ModLoad imudp
$UDPServerRun 514

Step 2.4: Open Access in Firewall

If you are using iptables to protect your system, add the following rule to open the port:

# iptables -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

Step 2.5: Restart Rsyslog

After making the above changes on the central Rsyslog server, restart the service using the following command.

# service rsyslog restart

Step 3: Configure Rsyslog on Client Nodes

After configuring the central Rsyslog server, let's configure the client systems to send their logs to it. Log in to each client node and edit the configuration file:

# vim /etc/rsyslog.conf

Add the line below at the end of the file, replacing the IP or hostname with that of your central Rsyslog server. A single @ forwards over UDP, which is the protocol the server was configured to listen on above.

*.*   @192.168.1.254:514
[or]
*.*   @logserver.example.com:514

and restart the rsyslog service using the following command.

# service rsyslog restart

Your centralized logging server setup is now complete.
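To see how the server rules from Step 2.2 and the client forwarding rule from Step 3 actually route a message, here is an added worked example (my own code, not part of the original article or of rsyslog). It models only the pieces of rsyslog's legacy configuration used on this page: $template lines, facility.priority selector lists, ?Template file actions and @host:port forwarding. It parses a BSD-syslog (RFC 3164) datagram of the kind a client emits, decodes the PRI value into facility and severity, and reports where the configuration sends it. The configuration strings and datagrams are constructed for the example; the hostname web01 and address 192.168.1.254 are assumptions.

```python
"""Route RFC 3164 syslog datagrams through rsyslog-style legacy selector rules.

Added, hypothetical example: it models only $template lines, 'facility.priority'
selectors, ?Template file actions and @host forwarding, nothing else.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Facility and severity codes from RFC 3164 (PRI = facility * 8 + severity).
FACILITY_CODES: Dict[str, int] = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITY_CODES: Dict[str, int] = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
    "notice": 5, "info": 6, "debug": 7,
}
ALL_FACILITIES: Set[int] = set(range(24))

# <PRI>TIMESTAMP HOST TAG[pid]: MSG, the shape a BSD-syslog client sends.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?:\s?(?P<msg>.*)$"
)


class SyslogMsg(NamedTuple):
    facility: int
    severity: int
    host: str      # %HOSTNAME%: whatever the sender wrote, not verified
    program: str   # %PROGRAMNAME%: the tag without its [pid] suffix
    text: str


def parse_selector_list(text: str) -> Dict[int, Set[int]]:
    """Map 'authpriv.*' or '*.info;mail.none;cron.none' to
    facility code -> accepted severity codes. Selectors are ';'-separated
    and later ones override earlier ones for the same facility, which is
    how '*.info;mail.none' means 'info or worse, except mail'."""
    accepted: Dict[int, Set[int]] = {}
    for selector in text.split(";"):
        fac_part, dot, prio = selector.strip().partition(".")
        if not dot or not prio:
            raise ValueError(f"selector lacks '.priority': {selector!r}")
        facilities = ALL_FACILITIES if fac_part == "*" else {
            FACILITY_CODES[f.strip()] for f in fac_part.split(",")}
        if prio == "none":
            severities: Set[int] = set()
        elif prio == "*":
            severities = set(SEVERITY_CODES.values())
        elif prio.startswith("="):
            severities = {SEVERITY_CODES[prio[1:]]}
        elif prio in SEVERITY_CODES:
            # 'info' means info and every more urgent level (lower code)
            severities = set(range(SEVERITY_CODES[prio] + 1))
        else:
            raise ValueError(f"unknown priority in selector {selector!r}")
        for fac in facilities:
            accepted[fac] = severities
    return accepted


def selector_error(text: str) -> str:
    """Return the parse error for a selector list, or '' if it is valid."""
    try:
        parse_selector_list(text)
    except (ValueError, KeyError) as exc:
        return str(exc)
    return ""


def load_config(conf: str) -> Tuple[Dict[str, str], List[Tuple[Dict[int, Set[int]], str]]]:
    """Collect $template definitions and (selectors, action) rules."""
    templates: Dict[str, str] = {}
    rules: List[Tuple[Dict[int, Set[int]], str]] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("$template"):
            m = re.match(r'\$template\s+(\w+)\s*,\s*"([^"]*)"', line)
            if not m:
                raise ValueError(f"bad template line: {line!r}")
            templates[m.group(1)] = m.group(2)
        elif line.startswith("$"):
            continue  # $ModLoad, $UDPServerRun etc. are not modelled here
        else:
            selectors, action = line.rsplit(None, 1)
            rules.append((parse_selector_list(selectors), action))
    return templates, rules


def parse_datagram(data: str) -> SyslogMsg:
    m = RFC3164.match(data)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {data!r}")
    pri = int(m.group("pri"))
    return SyslogMsg(pri >> 3, pri & 7, m.group("host"), m.group("tag"), m.group("msg"))


def route(conf: str, data: str) -> List[str]:
    """Destinations the config selects for one datagram: expanded paths for
    ?Template actions, 'udp://host:port' or 'tcp://host:port' for @ forwards."""
    templates, rules = load_config(conf)
    msg = parse_datagram(data)
    out: List[str] = []
    for accepted, action in rules:
        if msg.severity not in accepted.get(msg.facility, set()):
            continue
        if action.startswith("?"):
            path = templates[action[1:]]
            out.append(path.replace("%HOSTNAME%", msg.host).replace("%PROGRAMNAME%", msg.program))
        elif action.startswith("@@"):
            out.append("tcp://" + action[2:])
        elif action.startswith("@"):
            out.append("udp://" + action[1:])
        else:
            out.append(action)  # plain file path
    return out


# Constructed configs mirroring Step 2.2 (server) and Step 3 (client).
SERVER_CONF = """
$template TmplAuth,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.*   ?TmplAuth
*.info;mail.none;authpriv.none;cron.none   ?TmplMsg
"""
CLIENT_CONF = "*.*   @192.168.1.254:514\n"

SAMPLES = [  # constructed datagrams, not captured traffic
    "<86>Feb 10 10:15:01 web01 sshd[2211]: Accepted publickey for admin from 10.0.0.5",  # authpriv.info
    "<6>Feb 10 10:15:02 web01 kernel: eth0: link becomes ready",                          # kern.info
    "<78>Feb 10 10:15:03 web01 crond[400]: (root) CMD (run-parts /etc/cron.hourly)",     # cron.info
    "<15>Feb 10 10:15:04 web01 myapp[77]: verbose trace line",                            # user.debug
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"client -> {route(CLIENT_CONF, d)}  server -> {route(SERVER_CONF, d)}")
```

Running it shows the sshd message landing in /var/log/web01/sshd.log via TmplAuth, the kernel message in /var/log/web01/kernel.log via TmplMsg, and the cron and debug messages matching no rule at all (cron is excluded by cron.none, debug is below the info threshold). Feeding the comma-separated selector list `*.info,mail.none,authpriv.none,cron.none` to selector_error() shows why the separators must be semicolons: the parser reads everything after the first dot as the priority and rejects it. Note also that %HOSTNAME% comes from the datagram the client wrote and UDP syslog carries no authentication, so the directory a message is filed under is chosen by whoever sent it; restrict port 514 to the client subnet in the iptables rule from Step 2.4 rather than leaving it open.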

Ref From: tecadmin