Setup Centralized Rsyslog Server On CentOS 7


This tutorial describes how to set up a centralized Rsyslog server on CentOS 7 so that the logs of your client systems can be managed from one place. You no longer have to visit each client system when you want to check its log files. This is useful if you have a large number of systems on your network and want to do log management from a dedicated, centralized log server.

For the purpose of this guide, I will be using two systems: one acts as the rsyslog server, and the other acts as the client. The following are the details of my test boxes.
Rsyslog Server:
  • OS: CentOS 7 minimal edition
  • IP address: 192.168.43.150/24
  • Hostname: logserver.ostechnix.local
Client system:
  • OS: CentOS 7 minimal edition
  • IP Address: 192.168.43.151
First, let us set up the Rsyslog server.

Server configuration

This guide was tested with CentOS 7 minimal server edition. However, it should work on all RPM-based distributions such as RHEL, Fedora and Scientific Linux.
All commands given below should be run as the root user.
Install rsyslog package if it is not installed already.
yum install rsyslog
Then, edit rsyslog config file:
vi /etc/rsyslog.conf
Find and uncomment the following lines so that your server listens on the UDP and TCP ports (both the module load line and the port line must be uncommented for each protocol).
[...]
$ModLoad imudp
$UDPServerRun 514

[...]
$ModLoad imtcp
$InputTCPServerRun 514
[...]
Save and close the file.
Allow Rsyslog's default port 514 on your firewall/router. The following commands open this port (UDP and TCP) via firewalld.
firewall-cmd --permanent --add-port=514/udp
firewall-cmd --permanent --add-port=514/tcp
Reload firewalld for the changes to take effect.
firewall-cmd --reload
Finally, enable and start rsyslog service:
systemctl enable rsyslog
systemctl start rsyslog
Check whether the rsyslog service is running with the command:
systemctl status rsyslog
If you see output something like the below, congrats! The Rsyslog server is up and working!
● rsyslog.service - System Logging Service
 Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
 Active: active (running) since Thu 2017-03-23 16:30:11 IST; 17min ago
 Main PID: 2490 (rsyslogd)
 CGroup: /system.slice/rsyslog.service
 └─2490 /usr/sbin/rsyslogd -n

Mar 23 16:30:11 logserver.ostechnix.local systemd[1]: Starting System Logging...
Mar 23 16:30:11 logserver.ostechnix.local systemd[1]: Started System Logging ...
Hint: Some lines were ellipsized, use -l to show in full
You can check log details of the server itself using command:
tail -10 /var/log/messages
This command will display the last ten lines of your log messages.

Client configuration

Install rsyslog using command:
yum install rsyslog
Then, edit rsyslog config file:
vi /etc/rsyslog.conf
Under the ##RULES## section, add the following line:
*.* @192.168.43.150:514
Or, just place this line at the end of the file. This forwards everything (all facilities, all priorities) to your Rsyslog server. You can also forward only particular items. For example, to forward only cron messages, add the following line:
cron.* @192.168.43.150:514
To log all the mail messages, add:
mail.* @192.168.43.150:514
I want to log everything, so I added the following line.
*.* @192.168.43.150:514
You can also mention the FQDN of your Rsyslog server instead of IP address.
Save and close the rsyslog config file.
Finally, enable and start rsyslog service:
systemctl enable rsyslog
systemctl start rsyslog
Similarly, you can configure as many clients as you want to monitor.
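The two places where this setup usually goes wrong are the server's input lines (one of the two lines for a protocol left commented out) and the client's forwarding rule. The following script is an added example, not part of the original tutorial: it audits an rsyslog.conf written in the legacy syntax used above, reporting which listeners are actually enabled and where a client forwards its messages. It goes slightly beyond the page in also recognising rsyslog's "@@host" form, which forwards over TCP instead of UDP. The sample configuration it runs on is constructed here; on a real system you would point the functions at /etc/rsyslog.conf.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit an rsyslog.conf in the legacy
# syntax. rsyslog_listeners reports which server inputs are enabled,
# rsyslog_forwarders reports where a client forwards to. Both read only the
# file given as $1 and print one line per finding, so they are easy to check.

# Print "udp PORT ok" / "tcp PORT ok" for each enabled listener. A port line whose
# input module is never loaded is reported as "module-not-loaded" instead of
# "ok", because $UDPServerRun without $ModLoad imudp does not open a socket.
rsyslog_listeners() {
    awk '
        /^[[:space:]]*#/ { next }                       # skip commented-out lines
        $1 == "$ModLoad" && $2 == "imudp" { udp_mod = 1 }
        $1 == "$ModLoad" && $2 == "imtcp" { tcp_mod = 1 }
        $1 == "$UDPServerRun"      { udp_port = $2 }
        $1 == "$InputTCPServerRun" { tcp_port = $2 }
        END {
            if (udp_port != "") printf "udp %s %s\n", udp_port, (udp_mod ? "ok" : "module-not-loaded")
            if (tcp_port != "") printf "tcp %s %s\n", tcp_port, (tcp_mod ? "ok" : "module-not-loaded")
        }' "$1"
}

# Print "SELECTOR PROTO HOST PORT" for each forwarding action. In rsyslog's
# legacy syntax "@host" forwards over UDP and "@@host" over TCP; a missing
# ":port" means the default 514.
rsyslog_forwarders() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 2 && $2 ~ /^@@?[^@]/ {
            proto  = ($2 ~ /^@@/) ? "tcp" : "udp"
            target = $2
            sub(/^@@?/, "", target)
            port = "514"
            if (target ~ /:[0-9]+$/) {
                port = target
                sub(/.*:/, "", port)
                sub(/:[0-9]+$/, "", target)
            }
            printf "%s %s %s %s\n", $1, proto, target, port
        }' "$1"
}

# Demo on a constructed config (the real file is /etc/rsyslog.conf). It mimics
# a common mistake: $UDPServerRun uncommented while $ModLoad imudp is still
# commented out, so the UDP listener silently never comes up.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
#$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
#### RULES ####
*.* @192.168.43.150:514
cron.* @@logserver.ostechnix.local
EOF
echo "listeners:";  rsyslog_listeners  "$demo_conf"
echo "forwarders:"; rsyslog_forwarders "$demo_conf"
rm -f "$demo_conf"
```

For the constructed config the listener report reads "udp 514 module-not-loaded" and "tcp 514 ok", which is exactly the half-uncommented state worth catching before restarting rsyslog; the forwarder report shows the UDP rule to 192.168.43.150 and the TCP rule to the FQDN with the default port filled in. Run the two functions against /etc/rsyslog.conf on the server and on each client after editing.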

Testing log messages

Generate a log message on your client system.
I am going to run this:
logger -i -t ostechnix "This is our first log test."
Now, go to the Rsyslog server machine and check if this log is found.
tail -f /var/log/messages
Now you will see the logs of your client systems on the server.
Mar 23 17:30:29 client rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="2953" x-info="http://www.rsyslog.com"] start
Mar 23 17:30:29 client systemd: Stopping System Logging Service...
Mar 23 17:30:29 client systemd: Starting System Logging Service...
Mar 23 17:30:29 client systemd: Started System Logging Service.
Mar 23 17:30:34 logserver rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="2520" x-info="http://www.rsyslog.com"] exiting on signal 15.
Mar 23 17:30:34 logserver rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="2542" x-info="http://www.rsyslog.com"] start
Mar 23 17:30:34 logserver systemd: Stopping System Logging Service...
Mar 23 17:30:34 logserver systemd: Starting System Logging Service...
Mar 23 17:30:34 logserver systemd: Started System Logging Service.
Mar 23 17:31:35 client ostechnix[2959]: This is our first log test.
And that's all. The Rsyslog server and client configuration is done. As you can see from this guide, setting up a basic Rsyslog server is very easy.
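Watching tail -f works for one client, but with many clients you want a repeatable check: did the logger test line from a given host arrive, which hosts are reporting at all, and which expected clients have never shown up (a silent client is a logging gap, not a quiet machine). The script below is an added example, not part of the original tutorial; it works on the traditional "Mon DD HH:MM:SS host tag[pid]: message" layout shown in the output above and runs here on constructed log lines. On the server you would pass /var/log/messages instead.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify on the log server that a
# client's test message actually arrived, list which hosts are reporting, and
# spot expected clients that have gone quiet. Every function takes the log
# file as $1; field 4 is the host and field 5 the tag in this log layout.

# Count lines in FILE from HOST whose tag is TAG (any "[pid]" suffix ignored)
# and whose message text is exactly MSG. Prints the count, 0 if none.
find_test_message() {
    awk -v host="$2" -v tag="$3" -v msg="$4" '
        $4 == host {
            t = $5
            sub(/\[[0-9]+\]:$/, ":", t)        # "ostechnix[2959]:" -> "ostechnix:"
            if (t != tag ":") next
            body = substr($0, index($0, $5) + length($5) + 1)
            if (body == msg) n++
        }
        END { print n + 0 }' "$1"
}

# Print "HOST COUNT" for every host that has logged into FILE, so you can see
# at a glance which clients are forwarding and how chatty each one is.
log_hosts() {
    awk '{ print $4 }' "$1" | LC_ALL=C sort | uniq -c | awk '{ print $2, $1 }'
}

# Print each expected client (given as further arguments) that never appears
# in FILE. Use it with the list of hosts you configured as clients.
missing_clients() {
    file=$1; shift
    for h in "$@"; do
        awk -v host="$h" '$4 == host { found = 1; exit } END { exit !found }' "$file" \
            || echo "$h"
    done
}

# Demo on constructed log lines (the real file is /var/log/messages on the
# server). "client2" is listed as expected but has sent nothing.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Mar 23 17:30:29 client systemd: Started System Logging Service.
Mar 23 17:30:34 logserver systemd: Started System Logging Service.
Mar 23 17:31:35 client ostechnix[2959]: This is our first log test.
EOF
echo "test message seen: $(find_test_message "$demo_log" client ostechnix 'This is our first log test.') time(s)"
echo "hosts reporting:"; log_hosts "$demo_log"
echo "expected but silent:"; missing_clients "$demo_log" client client2
rm -f "$demo_log"
```

After running the logger command on a client, find_test_message on the server should report at least 1 for that host and tag; if it reports 0 while log_hosts does list the host, the forwarding rule is working but the selector (for example cron.* instead of *.*) does not cover the user facility that logger writes to by default.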
