Configure Centralized rsyslog Server in CentOS 7 - CentLinux

Sunday, 12 August 2018

Configure Centralized rsyslog Server in CentOS 7

rsyslog is responsible for log processing in CentOS 7. rsyslog is abbreviation of ‘Rocket Fast System for Log processing’. rsyslog offers high-performance, great security features and modular design. It can accept input from wide variety of sources, transform it and output the result to diverse destinations.

In this article, we will configure a central logging server using rsyslog on CentOS 7 and then we will configure CentOS 7 clients to submit their local logs to this rsyslog based central logging server.

 

Environment Specification:

We are using two virtual machines, one as the rsyslog server and the other as the rsyslog client.

                    rsyslog Server                 rsyslog Client
Hostname:           rsyslog-server.example.com     rsyslog-client.example.com
IP Address:         192.168.113.10/24              192.168.113.11/24
Operating System:   CentOS 7.6                     CentOS 7.6

     

Configuring rsyslog Server on CentOS 7:

rsyslog is installed by default on most Linux distributions, including CentOS 7.

Connect to rsyslog-server.example.com and check the status of rsyslog.service.

[root@rsyslog-server ~]# systemctl status rsyslog.service
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Sat 2018-08-11 21:15:52 PDT; 27min ago
 Main PID: 759 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─759 /usr/sbin/rsyslogd -n

Aug 11 21:15:52 rsyslog-server.example.com systemd[1]: Started System Logging Serv...
Hint: Some lines were ellipsized, use -l to show in full.

rsyslog is already installed on our CentOS 7 server, and its service is already running.

Now we configure rsyslog to accept input from other machines.

[root@rsyslog-server ~]# vi /etc/rsyslog.conf

Find and uncomment the following two directives.

$ModLoad imtcp
$InputTCPServerRun 514

Save the file and restart rsyslog.service.

[root@rsyslog-server ~]# systemctl restart rsyslog.service

Allow the rsyslog service port through the Linux firewall.

[root@rsyslog-server ~]# firewall-cmd --permanent --add-port=514/tcp
success
[root@rsyslog-server ~]# firewall-cmd --reload
success

Our rsyslog server is now configured to receive input from other log sources via port 514/tcp.

     

Configuring rsyslog Client on CentOS 7:

Connect to rsyslog-client.example.com and check the status of rsyslog.service.

[root@rsyslog-client ~]# systemctl status rsyslog.service
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Sun 2018-08-12 02:16:31 PDT; 4h 6min left
 Main PID: 742 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─742 /usr/sbin/rsyslogd -n

Aug 12 02:16:31 rsyslog-client.example.com systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.

The rsyslog service is already installed and running on our CentOS 7 based client machine.

Now configure the rsyslog client to transmit its logs to our rsyslog server by adding the following directive to /etc/rsyslog.conf.

[root@rsyslog-client ~]# echo "*.* @@rsyslog-server.example.com:514" >> /etc/rsyslog.conf

Restart rsyslog.service to apply the change.

[root@rsyslog-client ~]# systemctl restart rsyslog.service
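The two server directives uncommented above and the single forwarding rule appended on the client are the whole configuration, so it is worth checking them mechanically before repeating the change on more hosts. The Python script below is an added example and is not part of the original article. It parses the legacy directive syntax edited above (and the equivalent RainerScript form `module(load="imtcp")` / `input(type="imtcp" port="...")`), reports whether the TCP listener is really enabled, extracts each forwarding rule from a client configuration, and flags the detail that is easiest to get wrong in the forwarding line: a single `@` sends over UDP, while the `@@` used above sends over TCP. The configuration snippets embedded in it are constructed from the article's directives, and the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed samples (not copied from any real host): the reception directives
# as shipped (commented out) and as uncommented in the article, plus a client
# configuration ending with the forwarding rule the article appends.
SERVER_CONF_BEFORE = """\
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
"""
SERVER_CONF_AFTER = SERVER_CONF_BEFORE.replace("#$", "$")
CLIENT_CONF = """\
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
*.* @@rsyslog-server.example.com:514
"""

# selector, then "@" (UDP) or "@@" (TCP), then host[:port]; "[v6addr]" hosts
# are accepted, option suffixes such as "@@(o)host" are not handled here.
FORWARD_RE = re.compile(
    r'^(?P<sel>\S+)\s+(?P<at>@@?)(?P<host>\[[^\]]+\]|[^:\s]+)(?::(?P<port>\d+))?$')


@dataclass
class ForwardRule:
    selector: str   # facility.priority filter, e.g. "*.*"
    transport: str  # "udp" for a single "@", "tcp" for "@@"
    host: str
    port: int


def active_lines(conf):
    """Yield configuration lines with blanks and '#' comments removed."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def tcp_listener_port(conf):
    """Port the server will accept TCP syslog on, or None if reception is off.

    Understands both the legacy directives edited in the article and the
    RainerScript form module(load="imtcp") / input(type="imtcp" port="N").
    """
    loaded, port = False, None
    for line in active_lines(conf):
        if re.fullmatch(r'\$ModLoad\s+imtcp(\.so)?', line) \
                or re.search(r'module\(\s*load="imtcp"', line):
            loaded = True
        m = re.fullmatch(r'\$InputTCPServerRun\s+(\d+)', line) \
            or re.search(r'input\(\s*type="imtcp"[^)]*port="(\d+)"', line)
        if m:
            port = int(m.group(1))
    return port if loaded and port else None


def forward_rules(conf):
    """All remote-forwarding rules found in a client configuration."""
    rules = []
    for line in active_lines(conf):
        m = FORWARD_RE.match(line)
        if m:
            rules.append(ForwardRule(
                selector=m.group("sel"),
                transport="tcp" if m.group("at") == "@@" else "udp",
                host=m.group("host").strip("[]"),
                port=int(m.group("port") or 514),  # syslog default port
            ))
    return rules


def audit(server_conf, client_conf):
    """Cross-check one client against the server; an empty list means consistent."""
    findings = []
    port = tcp_listener_port(server_conf)
    if port is None:
        findings.append("server: imtcp not loaded or $InputTCPServerRun still commented out")
    rules = forward_rules(client_conf)
    if not rules:
        findings.append("client: no forwarding rule found")
    for r in rules:
        if r.transport == "udp":
            findings.append(f"client: '{r.selector}' to {r.host} uses UDP (single @); "
                            "this audit only verifies a TCP (imtcp) listener")
        elif port is not None and r.port != port:
            findings.append(f"client: forwards to {r.host}:{r.port} but server listens on {port}")
    return findings


if __name__ == "__main__":
    print("listener:", tcp_listener_port(SERVER_CONF_AFTER))
    print("rules:", forward_rules(CLIENT_CONF))
    print("findings:", audit(SERVER_CONF_AFTER, CLIENT_CONF))
```

To use it on real hosts, read /etc/rsyslog.conf on the server and on each client and pass the two strings to `audit()`. A non-empty result means the client would forward to a port the server is not listening on, or over UDP while the server above only loads imtcp; in the UDP case nothing is reported back to the client, so the loss is silent unless checked like this or on the server side.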

Now connect to our rsyslog server and check /var/log/messages.

[root@rsyslog-server ~]# tail /var/log/messages
Aug 11 22:31:28 rsyslog-server systemd: Closed ipa-otpd socket.
Aug 11 22:31:28 rsyslog-server systemd: Stopping 389 Directory Server EXAMPLE-COM....
Aug 11 22:31:29 rsyslog-server systemd: Stopped 389 Directory Server EXAMPLE-COM..
Aug 11 22:31:29 rsyslog-server systemd: Stopping 389 Directory Server.
Aug 11 22:31:29 rsyslog-server systemd: Stopped target 389 Directory Server.
Aug 11 22:33:32 rsyslog-client rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="3063" x-info="http://www.rsyslog.com"] start
Aug 11 22:33:32 rsyslog-client systemd: Stopping System Logging Service...
Aug 11 22:33:32 rsyslog-client systemd: Starting System Logging Service...
Aug 11 22:33:32 rsyslog-client systemd: Started System Logging Service.
Aug 11 22:33:56 rsyslog-client systemd-logind: Removed session 16.
[root@rsyslog-server ~]#

We can see that rsyslog-client.example.com is forwarding its logs to rsyslog-server.example.com.
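Once the server receives remote lines, the operational question becomes the reverse one: which clients have stopped reporting? A forwarder that is down, a firewall change, or logging being disabled on a host all look the same from the server, namely a hostname that goes quiet in /var/log/messages. The script below is an added example, not part of the article. It parses lines in the layout printed by tail above (timestamp, host, program, message), records when each host was last heard from, lists expected clients that are missing or older than a threshold, and also picks out hosts whose rsyslogd logged its start banner (the `[origin ...] start` line above), since each of those is a forwarder restart worth matching to a known change. The sample lines are constructed to match the output above, the year must be supplied because this timestamp format does not carry one, and the expected host list and function names are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the layout /var/log/messages uses on CentOS 7:
# "<Mon> <day> <HH:MM:SS> <host> <program>[pid]: <message>".
SAMPLE_MESSAGES = """\
Aug 11 22:31:28 rsyslog-server systemd: Closed ipa-otpd socket.
Aug 11 22:31:29 rsyslog-server systemd: Stopped target 389 Directory Server.
Aug 11 22:33:32 rsyslog-client rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="3063" x-info="http://www.rsyslog.com"] start
Aug 11 22:33:32 rsyslog-client systemd: Started System Logging Service.
Aug 11 22:33:56 rsyslog-client systemd-logind: Removed session 16.
Aug 11 22:40:01 rsyslog-server systemd: Started Session 21 of user root.
"""

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$')


def parse_timestamp(ts, year):
    """BSD syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_line(line, year):
    """Split one messages line into its fields; None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": parse_timestamp(m.group("ts"), year), "host": m.group("host"),
            "prog": m.group("prog"), "msg": m.group("msg")}


def last_seen(messages, year):
    """Map each host to (line count, timestamp of its newest line)."""
    seen = {}
    for line in messages.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        count, newest = seen.get(ev["host"], (0, None))
        if newest is None or ev["ts"] > newest:
            newest = ev["ts"]
        seen[ev["host"]] = (count + 1, newest)
    return seen


def silent_clients(messages, expected_hosts, now, max_age_minutes, year):
    """Expected hosts that never appeared, or whose newest line is older than
    max_age_minutes at time `now` (given in the same format as the log)."""
    seen = last_seen(messages, year)
    cutoff = parse_timestamp(now, year) - timedelta(minutes=max_age_minutes)
    return sorted(h for h in expected_hosts
                  if h not in seen or seen[h][1] < cutoff)


def forwarder_starts(messages, year):
    """Hosts whose rsyslogd logged its start banner, i.e. forwarder restarts."""
    hosts = set()
    for line in messages.splitlines():
        ev = parse_line(line, year)
        if ev and ev["prog"] == "rsyslogd" and ev["msg"].endswith("] start"):
            hosts.add(ev["host"])
    return sorted(hosts)


if __name__ == "__main__":
    expected = ["rsyslog-server", "rsyslog-client", "web01"]  # constructed list
    for host, (n, ts) in sorted(last_seen(SAMPLE_MESSAGES, 2018).items()):
        print(f"{host:16} {n:3} lines, last {ts:%b %d %H:%M:%S}")
    print("silent:", silent_clients(SAMPLE_MESSAGES, expected, "Aug 11 22:45:00", 10, 2018))
    print("forwarder starts:", forwarder_starts(SAMPLE_MESSAGES, 2018))
```

Run against the real file by reading /var/log/messages into `messages` and passing the current year; a client in the silent list with no matching entry in `forwarder_starts()` has stopped forwarding without a visible restart, which is the case that deserves a look at the client itself.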

We have successfully configured a central logging server using rsyslog on CentOS 7.
