The Geek Diary
Rsyslog : How to Send log files to remote server in CentOS/RHEL 6,7

by admin

Need of a Centralized Rsyslog Server

Every *NIX system has some sort of logging facility that produces text logs, which can be written to an arbitrary location on a storage device (by default, normally a local disk partition). This is essential, but it also raises issues such as:

  • You need adequate storage space on the local server to keep the logs.
  • You need to put log rotation in place to stop them from growing too large.
  • If the logs contain sensitive information such as credit card numbers, you want them stored in a secure location, preferably not on the local server.
  • You may lose the logs if the server suffers a disaster and its data is not recoverable.

To avoid all these problems we can use a centralized syslog server. The centralized syslog server provides security, adequate storage, a centralized backup facility, and so on.

This post outlines the steps to configure rsyslog to send log files to a remote server over TCP as well as UDP.

Configuring Centralized Rsyslog Server

1. Edit /etc/rsyslog.conf and uncomment the following lines:

For TCP:

# vi /etc/rsyslog.conf
$ModLoad imtcp
$InputTCPServerRun 514

For UDP:

# vi /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514

Note: You can use either TCP or UDP to transfer logs to the remote rsyslog server, but I would recommend UDP as it is much easier on the client server in terms of performance. The only downside of UDP is that some log messages might be lost if the server is too busy to receive the UDP packets. Use TCP where your logs are critical; otherwise, stick with UDP.

2. Save the file and restart rsyslog service.

# service rsyslog restart          ### CentOS/RHEL 6
# systemctl restart rsyslog        ### CentOS/RHEL 7

Configuring Rsyslog Client

1. Edit /etc/rsyslog.conf on the client server and add the lines below. Prepending the remote host with a single @ symbol selects UDP; to use TCP, use @@ instead.

For UDP:

# vi /etc/rsyslog.conf
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @remote-host:514
*.* @x.x.x.x:514

For TCP:

# vi /etc/rsyslog.conf
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
*.* @@x.x.x.x:514

Here, replace x.x.x.x with the address of your centralized rsyslog server. If you do not want to send logs of all facilities and severities (*.*), you can change the last line to something like:

*.info      @x.x.x.x:514

2. Save the file and restart the rsyslog service.

# service rsyslog restart        ### CentOS/RHEL 6
# systemctl restart rsyslog        ### CentOS/RHEL 7
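The server and client steps above, as an added example that is not code from the original post: POSIX shell functions that generate the listener directives and the forwarding line (refusing an unknown protocol or an invalid port) and write them as a fragment into a drop-in directory passed as a parameter, so they can be tried without touching the real /etc/rsyslog.conf. The function names are my own; the assumption that the stock /etc/rsyslog.conf on CentOS/RHEL 6 and 7 includes /etc/rsyslog.d/*.conf is what makes a drop-in equivalent to editing the main file, and 192.0.2.10 is a constructed placeholder address.

```shell
#!/bin/sh
# Added example (not from the original post): generate the rsyslog directives
# described in the post. Directory and file names are parameters so the
# functions can be exercised without writing to /etc/rsyslog.conf.

# Print the client-side forwarding line: "@" selects UDP, "@@" selects TCP.
# Usage: rsyslog_forward_line <udp|tcp> <host> <port> [selector]
rsyslog_forward_line() {
    proto=$1; host=$2; port=$3; selector="${4:-*.*}"
    case "$proto" in
        udp) prefix='@' ;;
        tcp) prefix='@@' ;;
        *) echo "unknown protocol: $proto (use udp or tcp)" >&2; return 1 ;;
    esac
    # The port must be a number in 1..65535; refuse anything else.
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    printf '%s %s%s:%s\n' "$selector" "$prefix" "$host" "$port"
}

# Print the server-side listener directives (legacy syntax, as in the post).
# Usage: rsyslog_server_conf <udp|tcp> <port>
rsyslog_server_conf() {
    proto=$1; port=$2
    case "$proto" in
        udp) printf '$ModLoad imudp\n$UDPServerRun %s\n' "$port" ;;
        tcp) printf '$ModLoad imtcp\n$InputTCPServerRun %s\n' "$port" ;;
        *) echo "unknown protocol: $proto (use udp or tcp)" >&2; return 1 ;;
    esac
}

# Write a fragment into a drop-in directory and print the path written.
# Assumption: on CentOS/RHEL 6/7 the stock /etc/rsyslog.conf includes
# /etc/rsyslog.d/*.conf, so passing that directory is equivalent to editing
# the main file.
# Usage: rsyslog_write_dropin <dir> <name> <content>
rsyslog_write_dropin() {
    dir=$1; name=$2; content=$3
    mkdir -p "$dir"
    umask 022
    printf '%s\n' "$content" > "$dir/$name.conf"
    echo "$dir/$name.conf"
}

# Stand-alone demo: sh this-file.sh --demo
# Writes both fragments under a temporary directory and prints them.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    rsyslog_write_dropin "$tmp" 10-listen  "$(rsyslog_server_conf udp 514)"
    rsyslog_write_dropin "$tmp" 20-forward "$(rsyslog_forward_line udp 192.0.2.10 514)"
    cat "$tmp"/*.conf
    rm -rf "$tmp"
fi
```

To apply the fragments for real, pass /etc/rsyslog.d as the directory (the listener fragment on the server, the forwarding fragment on the client) and restart rsyslog as shown in the steps above. Neither transport encrypts anything: messages cross the network in cleartext over both @ and @@, which matters for the credit-card case mentioned at the top of the post; the syslog_tls_port_t labels on 6514 that appear in the SELinux listing further down exist because rsyslog also offers a TLS transport for exactly that situation.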

Verifying the Configuration

You can use the "logger" command to generate a log message manually and see if the remote syslog server receives it correctly.

On the client server:

# logger "Test message from the system `hostname`"

On the Centralized rsyslog server:

# tail /var/log/messages
June 15 12:32:01 geeklab root: Test message from the system geeklab

Running Rsyslog on non-standard port

If you want to run rsyslog on a port other than the default port 514, you will have to make additional SELinux changes. To view the current SELinux port settings for rsyslog:

# semanage port -l| grep syslog
syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514

To add UDP port 541 to the SELinux settings, use the command:

# semanage port -a -t syslogd_port_t -p udp 541

Verify that the port has been added to the SELinux settings:

# semanage port -l| grep syslog
syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      541, 514, 601, 20514
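As an added example for the SELinux step (not code from the original post): a shell function that reads `semanage port -l` output, such as the constructed SEMANAGE_SAMPLE below copied from the listing above, and reports whether a port is already labelled for a given type before you run `semanage port -a`, which refuses to add a port that is already defined. It goes a little beyond the listing shown on the page by also understanding port ranges written as `1024-65535`, which semanage prints for some types. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): check the SELinux port labels
# for rsyslog before changing them.

# Constructed sample in the format shown in the post: what
# `semanage port -l | grep syslog` prints on a stock CentOS/RHEL 7 system.
SEMANAGE_SAMPLE='syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514'

# Print "yes" if <port> is labelled <type> for <proto>, else "no".
# The listing is taken from $4 when given, otherwise from stdin.
# Handles single ports ("514,") and ranges ("1024-65535").
# Usage: selinux_port_labelled <type> <tcp|udp> <port> [listing]
selinux_port_labelled() {
    type=$1; proto=$2; port=$3
    listing=${4:-$(cat)}
    printf '%s\n' "$listing" | awk -v t="$type" -v p="$proto" -v n="$port" '
        $1 == t && $2 == p {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)          # strip the trailing comma
                if (v ~ /^[0-9]+-[0-9]+$/) {      # a range such as 1024-65535
                    split(v, r, "-")
                    if (n+0 >= r[1]+0 && n+0 <= r[2]+0) found = 1
                } else if (v+0 == n+0) {
                    found = 1
                }
            }
        }
        END { print (found ? "yes" : "no") }'
}

# Print the semanage command that would label the port for rsyslog, or
# nothing if it is already labelled syslogd_port_t (the command from the
# post, with protocol and port filled in).
# Usage: selinux_port_command <tcp|udp> <port> [listing]
selinux_port_command() {
    proto=$1; port=$2
    listing=${3:-$(cat)}
    case "$(selinux_port_labelled syslogd_port_t "$proto" "$port" "$listing")" in
        yes) return 0 ;;
        no)  printf 'semanage port -a -t syslogd_port_t -p %s %s\n' "$proto" "$port" ;;
    esac
}

# Stand-alone demo against the constructed sample: sh this-file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "udp/514 labelled: $(selinux_port_labelled syslogd_port_t udp 514 "$SEMANAGE_SAMPLE")"
    echo "udp/541 labelled: $(selinux_port_labelled syslogd_port_t udp 541 "$SEMANAGE_SAMPLE")"
    selinux_port_command udp 541 "$SEMANAGE_SAMPLE"
fi
```

After sourcing the file on a real system, pipe the live listing in: `semanage port -l | selinux_port_command udp 541` prints the command to run, or nothing if the label is already there. If the port is already labelled with a different type (6514 under syslog_tls_port_t, for example), `semanage port -a` will refuse it, and `semanage port -m` is the way to change the existing label rather than add one.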

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux

© 2023 · The Geek Diary