Remote system logging with rsyslog on CentOS 7


Imagine you are the head sysadmin of an organization that holds many servers. Managing the log files of each server is quite challenging if you have to log in to each one and manually check every log file for important events. Fortunately, rsyslog can act both as a client and as a server. With this in mind, we can set up one centralized rsyslog server, and all of our other servers can act as clients and send their logs to it. The goal of this tutorial is to show you how to set up an rsyslog client and server and test that the configuration is working.

  • Topology

    • central.server-log.local: Role - Centralized logging server where all of our logs will be stored. IP Address - 10.10.100.1
    • client1.log-server.local: Role - Our test client server, whose logs will be collected on central.server-log.local. IP Address - 10.10.100.2
  • Centralized logging server configuration

First thing we need to do is to install rsyslog if it is not already installed:

yum -y install rsyslog
service rsyslog start

Verify that it is installed:

rsyslogd -v


Enable it to start after reboot:

systemctl enable rsyslog

Allow remote connections on your firewall:

firewall-cmd --permanent --add-port=514/tcp
# --permanent only writes the saved configuration; reload so the rule applies to the running firewall
firewall-cmd --reload

Open /etc/rsyslog.conf with your favorite text editor and uncomment the following lines:

#$ModLoad imtcp
#$InputTCPServerRun 514

so that they look like this:

$ModLoad imtcp
$InputTCPServerRun 514

This is necessary; otherwise rsyslog will not accept remote messages on TCP port 514. TCP and UDP reception are separate modules: a client rule with a single @ forwards over UDP and needs the imudp module (the $ModLoad imudp and $UDPServerRun 514 lines in the same file), while @@ forwards over TCP, which is what imtcp serves. This tutorial opens only 514/tcp on the firewall, so the clients should forward over TCP.

In the same configuration file, find the following line:

*.info;mail.none;authpriv.none;cron.none                /var/log/messages

Insert this line above that line of configuration:

if $fromhost-ip startswith '10.10.100.2' then /var/log/client1.log-server.com/messages

This is important, since it tells our centralized rsyslog server to write every message arriving from 10.10.100.2 (our client server) to /var/log/client1.log-server.com/messages. Two caveats: startswith also matches any address beginning with that string, such as 10.10.100.20, so use == for an exact match; and because this rule does not stop processing, the same messages also continue into /var/log/messages through the line below it.

Create the directory where the logs will be stored, and the log file itself:

mkdir -p /var/log/client1.log-server.com
touch /var/log/client1.log-server.com/messages

Do not forget to restart rsyslogd to apply the changes:

service rsyslog restart
  • Client server configuration

Again, begin with installation of rsyslog and enabling the service during boot:

yum -y install rsyslog
systemctl enable rsyslog

Open rsyslogd's configuration file /etc/rsyslog.conf and add the following line:

*.*              @@10.10.100.1:514

This will send all of our logs over TCP (@@) to our central logging server at 10.10.100.1. A single @ would send them over UDP, which the server configured above does not listen on.

Restart rsyslog:

service rsyslog restart

Open the rsyslogd port on the client's firewall as well (the client only makes outbound connections, so this is only needed if it will also receive logs):

firewall-cmd --permanent --add-port=514/tcp
firewall-cmd --reload

And test the configuration by issuing the following command on the client:

logger this is a test

If everything is done correctly, you should see the following message in /var/log/client1.log-server.com/messages on the central server:

Apr 1 10:38:09 client root: this is a test
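Before restarting rsyslog, it is worth checking that the two edits above line up: the server must have the imtcp lines uncommented, and the client rule must use @@ so it forwards over the TCP port the server opened. The script below is an added example, not part of the original tutorial; it runs its checks against constructed temp files that stand in for /etc/rsyslog.conf on each host.

```shell
# Added example: verify the server and client rsyslog.conf edits from this
# page. The config files below are constructed samples, not real system files.

# server_listens_tcp FILE: succeed only if "$ModLoad imtcp" and
# "$InputTCPServerRun 514" are present and no longer commented out.
server_listens_tcp() {
    grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imtcp([[:space:]]|$)' "$1" &&
    grep -Eq '^[[:space:]]*\$InputTCPServerRun[[:space:]]+514([[:space:]]|$)' "$1"
}

# client_forwards_tcp FILE HOST: succeed only if an active (uncommented) rule
# forwards to HOST:514 with "@@" (TCP). A single "@" is UDP, which a server
# that only enabled imtcp never receives, so the test message would not arrive.
client_forwards_tcp() {
    grep -Eq "^[[:space:]]*[^#[:space:]].*[[:space:]]@@$2:514"'([[:space:]]|$)' "$1"
}

# uncomment_tcp_input SRC DST: apply the page's edit (drop the leading '#').
uncomment_tcp_input() {
    sed -e 's/^#\$ModLoad imtcp/$ModLoad imtcp/' \
        -e 's/^#\$InputTCPServerRun 514/$InputTCPServerRun 514/' "$1" > "$2"
}

TMP=$(mktemp -d)
SERVER_BEFORE="$TMP/server-before.conf"   # as shipped on CentOS 7
SERVER_AFTER="$TMP/server-after.conf"     # after the edit
CLIENT_UDP="$TMP/client-udp.conf"         # common mistake: single @
CLIENT_TCP="$TMP/client-tcp.conf"         # correct for this setup

cat > "$SERVER_BEFORE" <<'EOF'
#$ModLoad imtcp
#$InputTCPServerRun 514
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
EOF
uncomment_tcp_input "$SERVER_BEFORE" "$SERVER_AFTER"
printf '*.*              @10.10.100.1:514\n'  > "$CLIENT_UDP"
printf '*.*              @@10.10.100.1:514\n' > "$CLIENT_TCP"

for f in "$SERVER_BEFORE" "$SERVER_AFTER"; do
    if server_listens_tcp "$f"; then echo "$f: TCP/514 input active"
    else echo "$f: TCP/514 input NOT active"; fi
done
for f in "$CLIENT_UDP" "$CLIENT_TCP"; do
    if client_forwards_tcp "$f" 10.10.100.1; then echo "$f: forwards over TCP"
    else echo "$f: does not forward over TCP"; fi
done
```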

  • Logging only certain applications

If we do not want to log all system logs to our centralized server and just some services, we can also do that. We need to edit our configuration file on the client and instead of using this configuration line:

*.*              @@10.10.100.1:514

use this:

cron.*              @@10.10.100.1:514

In this example, we will send all of our cron logs to our remote centralized logging server.
