Need of a Centralized Rsyslog Server
Every *NIX system has some sort of logging facility that produces text logs, which can be written to an arbitrary location on a storage device (by default, a local disk partition). This is essential, but it also brings issues like:
- You need to have adequate storage space on the local server to save the logs.
- You need to put in place rotation to stop them from growing too large.
- If the logs contain sensitive information such as credit card numbers, you want them stored in a secure location, preferably not on the local server.
- You may lose the logs if there is a disaster on the server and the data is not recoverable.
To avoid all such problems we can use a centralized syslog server, which provides security, adequate storage, a centralized backup facility, etc.
The post outlines the steps to configure Rsyslog to send log files to a remote server using TCP as well as UDP.
Configuring Centralized Rsyslog Server
1. Edit /etc/rsyslog.conf and uncomment the following lines:
For TCP:
# vi /etc/rsyslog.conf
$ModLoad imtcp
$InputTCPServerRun 514
For UDP:
# vi /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
2. Save the file and restart the rsyslog service.
# service rsyslog restart      ### CentOS/RHEL 6
# systemctl restart rsyslog    ### CentOS/RHEL 7
Configuring Rsyslog Client
1. Edit /etc/rsyslog.conf on the client server and add the lines below. When you prepend your remote host with a single @ symbol, you are using UDP. To use TCP, use @@ instead.
For UDP:
# vi /etc/rsyslog.conf
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @remote-host:514
*.* @x.x.x.x:514
For TCP:
# vi /etc/rsyslog.conf
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
*.* @@x.x.x.x:514
Here, replace x.x.x.x with your centralized rsyslog server. If you do not want to send logs with all severities included (*.*), you can edit the last line with something like:
*.info @x.x.x.x:514
2. Save the file and restart the rsyslog service.
# service rsyslog restart      ### CentOS/RHEL 6
# systemctl restart rsyslog    ### CentOS/RHEL 7
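As an added example (it is not part of the original post and not an rsyslog project script), the shell functions below render the server listener from the "Configuring Centralized Rsyslog Server" section and the client rule from this section, so the @ versus @@ choice and the port come out consistent on both sides. Two things in it go beyond the post and are marked as such in the comments: `$AllowedSender`, which limits the listener to named senders, and a disk-assisted action queue on the TCP client so messages are spooled rather than dropped while the server is down; both are real rsyslog legacy-syntax directives. The addresses 192.0.2.10 and 192.0.2.0/24 are documentation-range placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: render the rsyslog legacy-syntax
# snippets for the central server and for a client, the same directives the
# post uncomments and adds, plus two defensive additions the post does not
# configure: $AllowedSender (accept only listed senders) and a disk-assisted
# action queue on the TCP client (spool messages while the server is down).
# 192.0.2.10 and 192.0.2.0/24 are documentation-range placeholders.

# server_config PROTO PORT [ALLOWED_SENDERS]
# Listener for the centralized server. ALLOWED_SENDERS is an optional
# comma-separated list of hosts or CIDR ranges; without it, anything that
# can reach the port can write into your logs.
server_config() {
    proto=$1; port=$2; allowed=$3
    case $proto in
        tcp)
            echo '$ModLoad imtcp'
            [ -n "$allowed" ] && echo "\$AllowedSender TCP, $allowed"
            echo "\$InputTCPServerRun $port"
            ;;
        udp)
            echo '$ModLoad imudp'
            [ -n "$allowed" ] && echo "\$AllowedSender UDP, $allowed"
            echo "\$UDPServerRun $port"
            ;;
        *)
            echo "server_config: protocol must be tcp or udp" >&2
            return 1
            ;;
    esac
    # Every message the server receives (its own included) also goes to a
    # per-host, per-program file under /var/log/remote/ instead of only
    # landing in /var/log/messages mixed with the server's local messages.
    echo '$template RemoteHost,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"'
    echo '*.* ?RemoteHost'
}

# forward_rule HOST PORT PROTO [SELECTOR]
# The client rule from the post: one @ for UDP, two for TCP. SELECTOR
# defaults to *.* (all facilities, all severities); *.info drops debug.
forward_rule() {
    host=$1; port=$2; proto=$3; selector=${4:-"*.*"}
    case $proto in
        udp) prefix='@' ;;
        tcp) prefix='@@' ;;
        *) echo "forward_rule: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    printf '%s %s%s:%s\n' "$selector" "$prefix" "$host" "$port"
}

# client_config HOST PORT PROTO [SELECTOR]
# Full client snippet. For TCP a disk-assisted queue is placed before the
# forwarding action, so messages are spooled under /var/lib/rsyslog and
# retried indefinitely while the server is unreachable. UDP is
# fire-and-forget (rsyslog cannot tell whether a datagram arrived), so no
# queue is added there.
client_config() {
    host=$1; port=$2; proto=$3; selector=${4:-"*.*"}
    if [ "$proto" = tcp ]; then
        cat <<'EOF'
$WorkDirectory /var/lib/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwd_central
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
EOF
    fi
    forward_rule "$host" "$port" "$proto" "$selector"
}

# Demo: the pair of snippets for a TCP setup that only accepts senders
# from the 192.0.2.0/24 network.
server_config tcp 514 192.0.2.0/24
echo '---'
client_config 192.0.2.10 514 tcp
```

Write each snippet into a file under /etc/rsyslog.d/ and restart rsyslog as in step 2; `rsyslogd -N 1 -f <file>` checks the syntax without starting the daemon. Even with the queue, plain TCP neither authenticates the sender nor encrypts the messages, which is why the sensitive-log concern from the introduction is only partly addressed by moving logs off the host.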
Verifying the Configuration
You can use the logger command to generate a log message manually and check that the remote syslog server receives it correctly.
On the client server:
# logger "Test message from the system `hostname`"
On the centralized rsyslog server:
# tail /var/log/messages
June 15 12:32:01 geeklab root: Test message from the system geeklab
Running Rsyslog on a Non-standard Port
If you want to run rsyslog on a port other than the default port 514, you will have to make additional SELinux changes, because SELinux only lets rsyslog bind to ports labelled for syslog. To view the current SELinux port settings for rsyslog:
# semanage port -l | grep syslog
syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514
To add UDP port 541 to the SELinux syslogd_port_t type, use the command:
# semanage port -a -t syslogd_port_t -p udp 541
Verify that the port has been added to the SELinux settings:
# semanage port -l | grep syslog
syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      541, 514, 601, 20514
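An added helper, not from the original post: it parses a `semanage port -l` listing in the format shown above and tells you whether `semanage port -a` (the command the post uses) is the right one, or whether the port already carries an explicit label and `semanage port -m` is needed instead, since -a refuses a port that is "already defined". The listing it ships with is constructed sample text in the format above, with a non-syslog type and a port range added to exercise the parser.

```shell
#!/bin/sh
# Added example, not from the original post: work out which semanage command
# labels a syslog port, by parsing `semanage port -l` output in the format
# the post shows. The post's `semanage port -a` fails with "Port already
# defined" when the port already has an explicit entry for some type; then
# `semanage port -m` (modify) is the right command. SEMANAGE_SAMPLE is
# constructed listing text so the functions can run where SELinux is absent.

SEMANAGE_SAMPLE='syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              udp      1024-65535'

# port_owner PROTO PORT [LISTING]
# Prints the type whose entry lists PORT/PROTO explicitly, or nothing.
# Ranges such as 1024-65535 are ignored on purpose: a port that is only
# covered by a range has no entry of its own, so -a still succeeds for it.
port_owner() {
    proto=$1; port=$2; listing=${3:-$SEMANAGE_SAMPLE}
    printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                sub(/,$/, "", p)          # fields look like "514," or "20514"
                if (p == port) { print $1; exit }
            }
        }'
}

# label_cmd TYPE PROTO PORT [LISTING]
# Prints the command that makes PORT/PROTO carry TYPE:
#   -a when the port has no explicit entry (what the post runs for udp/541),
#   -m when it is already labelled with a different type (-a would fail),
#   a comment when it already carries TYPE.
label_cmd() {
    type=$1; proto=$2; port=$3
    owner=$(port_owner "$proto" "$port" "${4:-$SEMANAGE_SAMPLE}")
    if [ -z "$owner" ]; then
        echo "semanage port -a -t $type -p $proto $port"
    elif [ "$owner" = "$type" ]; then
        echo "# $proto/$port is already labelled $type; nothing to do"
    else
        echo "semanage port -m -t $type -p $proto $port"
    fi
}

# Demo against the constructed sample; on a real host pass "$(semanage port -l)"
# as the fourth argument and run the printed command as root.
label_cmd syslogd_port_t udp 541
label_cmd syslogd_port_t udp 514
```

The SELinux label only allows rsyslog to bind the port; the listener itself still has to be moved ($UDPServerRun 541 on the server and :541 in the client rule), and the verification listing above should then show the new port under syslogd_port_t.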