How to Configure Central Syslog Server in RHEL/CentOS 7

rsyslog is responsible for log processing in CentOS 7. rsyslog is abbreviation of ‘Rocket Fast System for Log processing’. rsyslog offers high-performance, great security features and modular design. It can accept input from wide variety of sources, transform it and output the result to diverse destinations.

In this article, we will configure a central logging server using rsyslog on CentOS 7 and then we will configure CentOS 7 clients to submit their local logs to this rsyslog based central logging server.

 

Table of Contents:

• Environment Specification
• Configuring rsyslog Server on CentOS 7
• Configuring rsyslog Client on CentOS 7

Environment Specification:

We are using two virtual machines, one as the rsyslog server and the other as the rsyslog client.

 

Configuring rsyslog Server on CentOS 7:

rsyslog is by default installed on most of the Linux distros including CentOS 7.

Connect to rsyslog-server.example.com and check status of rsyslog.service.

# systemctl status rsyslog.service
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Sat 2018-08-11 21:15:52 PDT; 27min ago
 Main PID: 759 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           ââ759 /usr/sbin/rsyslogd -n

Aug 11 21:15:52 rsyslog-server.example.com systemd[1]: Started System Logging Serv...
Hint: Some lines were ellipsized, use -l to show in full.

rsyslog is already installed on our CentOS 7 server, and its service is already started.

Now we are configuring rsyslog settings to accept input from other machines.

# vi /etc/rsyslog.conf

Find and uncomment following two directives.

$ModLoad imtcp
$InputTCPServerRun 514

Save settings and restart the rsyslog.service.

# systemctl restart rsyslog.service

Allow rsyslog service port in Linux firewall.

# firewall-cmd --permanent --add-port=514/tcp
success
# firewall-cmd --reload
success

Our rsyslog server has been configured to received input from other log sources via port 514/tcp

 

Configuring rsyslog Client on CentOS 7:

.Connect to rsyslog-client.example.com and check status of rsyslog.service.

# systemctl status rsyslog.service
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Sun 2018-08-12 02:16:31 PDT; 4h 6min left
 Main PID: 742 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           ââ742 /usr/sbin/rsyslogd -n

Aug 12 02:16:31 rsyslog-client.example.com systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.

rsyslog service is already installed and running on our CentOS 7 based client machine.

Now configure rsyslog client to transmit its log to our rsyslog server by adding the following directives in /etc/rsyslog.conf

# echo "*.* @@rsyslog-server.example.com:514" >> /etc/rsyslog.conf

Restart the rsyslog.service to apply changes.

# systemctl restart rsyslog.service

Now connect to our rsyslog server and check /var/log/messages

# tail /var/log/messages
Aug 11 22:31:28 rsyslog-server systemd: Closed ipa-otpd socket.
Aug 11 22:31:28 rsyslog-server systemd: Stopping 389 Directory Server EXAMPLE-COM....
Aug 11 22:31:29 rsyslog-server systemd: Stopped 389 Directory Server EXAMPLE-COM..
Aug 11 22:31:29 rsyslog-server systemd: Stopping 389 Directory Server.
Aug 11 22:31:29 rsyslog-server systemd: Stopped target 389 Directory Server.
Aug 11 22:33:32 rsyslog-client rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="3063" x-info="http://www.rsyslog.com"] start
Aug 11 22:33:32 rsyslog-client systemd: Stopping System Logging Service...
Aug 11 22:33:32 rsyslog-client systemd: Starting System Logging Service...
Aug 11 22:33:32 rsyslog-client systemd: Started System Logging Service.
Aug 11 22:33:56 rsyslog-client systemd-logind: Removed session 16.

We can see that rsyslog-client.example.com is forwarding its logs to rsyslog-server.example.com.

We have successfully configure a central login server using rsyslog on CentOS 7.