The Geek Diary

Rsyslog : How to Send log files to remote server in CentOS/RHEL 6,7

by

Need of a Centralized Rsyslog Server

Every *NIX system has some sort of logging facility that will produce text logs that can be written into an arbitrary location on a storage device (normally, defaulting to a local disk partition). Now, this is essential but can also produce issues like:

  • You need to have adequate storage space on the local server to save the logs.
  • You need to put in place rotation to stop them from growing too large.
  • If the logs contain sensitive information such as credit card number, you want them to store in a secure location, preferably not on the local server.
  • You may lose the logs if there is a disaster on the server and data is not recoverable.

To avoid all such problems we can use a centralized syslog server. The centralized syslog server provides the security, adequate storage, centralized backup facility etc.

The post outlines the steps to configure Rsyslog to send log files to a remote server using TCP as well as UDP.

Configuring Centralized Rsyslog Server

1. Edit /etc/rsyslog.conf and uncomment the following lines:

For TCP;

# vi /etc/rsyslog.conf
$ModLoad imtcp
$InputTCPServerRun 514

For UDP;

# vi /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
Note: You can use both the TCP and UDP mode to transfer logs to remote rsyslog server. But I would recommend using UDP as it is a lot easy on client server in terms of performance. The only downside of using UDP is that some log messages might be lost if the server is too busy to receive the UDP packets. Use TCP where your logs are critical; otherwise, stick with UDP.

2. Save the file and restart rsyslog service.

# service rsyslog restart          ### CentOS/RHEL 6
# systemctl restart rsyslog        ### CentOS/RHEL 7

Configuring Rsyslog Client

1. Edit /etc/rsyslog.conf on the client server and add below lines. When you prepend your remote host with a single @ symbol, you are using UDP. To use TCP, use @@ instead.

For UDP

# vi /etc/rsyslog.conf
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @remote-host:514
*.* @x.x.x.x:514

For TCP

# vi /etc/rsyslog.conf
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
*.* @@x.x.x.x:514

Here, replace x.x.x.x with your centralized rsyslog server. If you do not want to send logs with all severities included (*.*), you can edit the last line with something like:

*.info      @x.x.x.x:514

2. Save the file and restart the rsyslog service.

# service rsyslog restart        ### CentOS/RHEL 6
# systemctl restart rsyslog        ### CentOS/RHEL 7

Verifying the Configuration

You can use the “logger” command to generate a log message manually and see if the remote syslog server receives it correctly.

On the client server:

# logger "Test message from the system `hostname`"

On the Centralized rsyslog server:

# tail /var/log/messages  
June 15 12:32:01 geeklab root: Test message from the system geeklab

Running Rsyslog on non-standard port

If you want to run rsyslog on a port other that the default port 514, you will have to perform additional selinux changes. To view the current SELinux ports settings for rsyslog:

# semanage port -l| grep syslog
syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514

To add a UDP port 541 to SELinux, use the command:

# semanage port -a -t syslogd_port_t -p udp 541

Verify if the port is added into the SELinux settings:

# semanage port -l| grep syslog
syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      541, 514, 601, 20514

You May Also Like