rsyslog is responsible for log processing in CentOS 7. The name rsyslog is an abbreviation of ‘Rocket Fast System for Log processing’. rsyslog offers high performance, great security features and a modular design. It can accept input from a wide variety of sources, transform it and output the result to diverse destinations.
In this article, we will configure a central logging server using rsyslog on CentOS 7 and then we will configure CentOS 7 clients to submit their local logs to this rsyslog based central logging server.
Table of Contents:
- Environment Specification
- Configuring rsyslog Server on CentOS 7
- Configuring rsyslog Client on CentOS 7
Environment Specification:
We are using two virtual machines, one as the rsyslog server and the other as the rsyslog client.
| rsyslog Server | rsyslog Client |
Hostname: | rsyslog-server.example.com | rsyslog-client.example.com |
IP Address: | 192.168.113.10/24 | 192.168.113.11/24 |
Operating System: | CentOS 7.6 | CentOS 7.6 |
Configuring rsyslog Server on CentOS 7:
rsyslog is installed by default on most Linux distributions, including CentOS 7.
Connect to rsyslog-server.example.com and check the status of rsyslog.service.
# systemctl status rsyslog.service
rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
Active: active (running) since Sat 2018-08-11 21:15:52 PDT; 27min ago
Main PID: 759 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─759 /usr/sbin/rsyslogd -n
Aug 11 21:15:52 rsyslog-server.example.com systemd[1]: Started System Logging Serv...
Hint: Some lines were ellipsized, use -l to show in full.
rsyslog is already installed on our CentOS 7 server, and its service is already started.
Now configure rsyslog to accept input from other machines.
# vi /etc/rsyslog.conf
Find and uncomment the following two directives.
$ModLoad imtcp
$InputTCPServerRun 514
Save settings and restart the rsyslog.service.
# systemctl restart rsyslog.service
Allow the rsyslog service port in the Linux firewall.
# firewall-cmd --permanent --add-port=514/tcp
success
# firewall-cmd --reload
success
Our rsyslog server is now configured to receive input from other log sources via port 514/tcp.
Configuring rsyslog Client on CentOS 7:
Connect to rsyslog-client.example.com and check the status of rsyslog.service.
# systemctl status rsyslog.service
rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
Active: active (running) since Sun 2018-08-12 02:16:31 PDT; 4h 6min left
Main PID: 742 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─742 /usr/sbin/rsyslogd -n
Aug 12 02:16:31 rsyslog-client.example.com systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.
The rsyslog service is already installed and running on our CentOS 7 based client machine.
Now configure the rsyslog client to transmit its logs to our rsyslog server by adding the following directive to /etc/rsyslog.conf:
# echo "*.* @@rsyslog-server.example.com:514" >> /etc/rsyslog.conf
Restart the rsyslog.service to apply changes.
# systemctl restart rsyslog.service
Now connect to our rsyslog server and check /var/log/messages.
# tail /var/log/messages
Aug 11 22:31:28 rsyslog-server systemd: Closed ipa-otpd socket.
Aug 11 22:31:28 rsyslog-server systemd: Stopping 389 Directory Server EXAMPLE-COM....
Aug 11 22:31:29 rsyslog-server systemd: Stopped 389 Directory Server EXAMPLE-COM..
Aug 11 22:31:29 rsyslog-server systemd: Stopping 389 Directory Server.
Aug 11 22:31:29 rsyslog-server systemd: Stopped target 389 Directory Server.
Aug 11 22:33:32 rsyslog-client rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="3063" x-info="http://www.rsyslog.com"] start
Aug 11 22:33:32 rsyslog-client systemd: Stopping System Logging Service...
Aug 11 22:33:32 rsyslog-client systemd: Starting System Logging Service...
Aug 11 22:33:32 rsyslog-client systemd: Started System Logging Service.
Aug 11 22:33:56 rsyslog-client systemd-logind: Removed session 16.
We can see that rsyslog-client.example.com is forwarding its logs to rsyslog-server.example.com.
We have successfully configured a central logging server using rsyslog on CentOS 7.
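To check both ends of this setup, the following added example (not part of the original article) summarises the active legacy-format directives in an rsyslog.conf: the TCP listener on the server and the forwarding rules on the client. It distinguishes `@@` (TCP) from a single `@` (UDP), which the TCP-only listener configured above will not receive. The function name audit_rsyslog_conf and the sample file are constructed for illustration.

```bash
#!/bin/bash
# Added example: summarise the legacy-format rsyslog directives used in this article.
# audit_rsyslog_conf is a hypothetical helper name, not part of rsyslog.
# Output: "listen tcp <port>" per active $InputTCPServerRun (or "broken ..." when
# imtcp is never loaded) and "forward <tcp|udp> <selector> <host> <port>" per rule.
audit_rsyslog_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # commented-out or blank line
        $1 == "$ModLoad" && $2 == "imtcp" { imtcp = 1; next }
        $1 == "$InputTCPServerRun"        { ports[++n] = $2; next }
        $2 ~ /^@/ {                                       # "@host" is UDP, "@@host" is TCP
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"
            host = $2; sub(/^@+/, "", host)
            port = "514"                                  # rsyslog default when no port is given
            if (host ~ /:[0-9]+$/) {
                port = host; sub(/^.*:/, "", port)
                sub(/:[0-9]+$/, "", host)
            }
            print "forward", proto, $1, host, port
        }
        END {
            for (i = 1; i <= n; i++) {
                state = imtcp ? ("listen tcp " ports[i]) : ("broken tcp " ports[i] " imtcp-not-loaded")
                print state
            }
        }
    ' "${1:-/etc/rsyslog.conf}"
}

# Constructed sample input: the client rule from this article plus a UDP rule for contrast.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#$ModLoad imtcp
#$InputTCPServerRun 514
*.info;mail.none /var/log/messages
*.* @@rsyslog-server.example.com:514
authpriv.* @192.168.113.10
EOF
audit_rsyslog_conf "$sample"
rm -f "$sample"
```

Called without an argument, the function reads /etc/rsyslog.conf; it does not parse the newer RainerScript syntax or files under /etc/rsyslog.d/.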
Thanks for sharing.
You are Welcome.
Thanks, very clear