Setup Centralized Rsyslog Server On CentOS 7

This tutorial describes how to set up a centralized Rsyslog server on CentOS 7 so that you can manage the logs of your client systems from one place. You don’t have to visit each client system when you want to check its log files. This is useful if you have a large number of systems on your network and want to do the log management from a dedicated central log server.

For the purpose of this guide, I will be using two systems: one acts as the Rsyslog server, and the other acts as the client. The following are the details of my test boxes.

Rsyslog Server:

  • OS: CentOS 7 minimal edition
  • IP address: 192.168.43.150/24
  • Hostname: logserver.ostechnix.local

Client system:

  • OS: CentOS 7 minimal edition
  • IP Address: 192.168.43.151

First, let us set up the Rsyslog server.

Setup Centralized Rsyslog Server On CentOS 7

This guide was tested with CentOS 7 minimal server edition. However, it should work on all RPM-based distributions like RHEL, Fedora, and Scientific Linux.

All commands given below should be run as the root user.

Install the rsyslog package if it is not installed already.

yum install rsyslog

Then, edit the rsyslog config file:

vi /etc/rsyslog.conf

Find and uncomment the following lines to make your server listen on the UDP and TCP ports.

[...]
$ModLoad imudp
$UDPServerRun 514

[...]
$ModLoad imtcp
$InputTCPServerRun 514
[...]

Save and close the file.

Allow the Rsyslog default port 514 through your firewall/router. The following commands open this port in firewalld.

firewall-cmd --permanent --add-port=514/udp
firewall-cmd --permanent --add-port=514/tcp

Reload firewalld for the changes to take effect.

firewall-cmd --reload

Finally, enable and start the rsyslog service:

systemctl enable rsyslog
systemctl start rsyslog

Check whether the rsyslog service is running with the command:

systemctl status rsyslog

If you see output something like the following, congrats! The Rsyslog server is up and working!

● rsyslog.service - System Logging Service
 Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
 Active: active (running) since Thu 2017-03-23 16:30:11 IST; 17min ago
 Main PID: 2490 (rsyslogd)
 CGroup: /system.slice/rsyslog.service
 └─2490 /usr/sbin/rsyslogd -n

Mar 23 16:30:11 logserver.ostechnix.local systemd[1]: Starting System Logging...
Mar 23 16:30:11 logserver.ostechnix.local systemd[1]: Started System Logging ...
Hint: Some lines were ellipsized, use -l to show in full

You can check the log details of the server itself using the command:

tail -10 /var/log/messages

This command will display the last ten lines of your log messages.

Client configuration

Install rsyslog using the command:

yum install rsyslog

Then, edit the rsyslog config file:

vi /etc/rsyslog.conf

Under the ##RULES## section, add the following line:

*.* @192.168.43.150:514

Or, just place this line at the end of the file. This sends every log message to your Rsyslog server. You can also forward only particular items. For example, to forward only cron messages, add the following line:

cron.* @192.168.43.150:514

To forward all the mail messages, add:

mail.* @192.168.43.150:514

I want to log everything, so I added the following line.

*.* @192.168.43.150:514

You can also use the FQDN of your Rsyslog server instead of its IP address.

Save and close the rsyslog config file.

Finally, enable and start the rsyslog service:

systemctl enable rsyslog
systemctl start rsyslog

Similarly, you can configure as many clients as you want to monitor their logs.
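
The forwarding rules above use rsyslog's legacy action syntax, in which a single @ sends over UDP and @@ sends over TCP, so the *.* @192.168.43.150:514 rule in this guide forwards over UDP. The following shell snippet is an added example, not part of the original guide: it lists the active forwarding rules in a config and reports the selector, protocol, host and port of each. The sample config is constructed, and the function names sample_conf, list_forwards and has_udp_forward are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): audit forwarding rules written
# in the legacy "selector @host:port" syntax used in the client configuration.

# Constructed sample of the rules section of a client /etc/rsyslog.conf.
sample_conf() {
cat <<'EOF'
#### RULES ####
# local file logging stays in place
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
cron.*                                      /var/log/cron
#*.* @@remote-host:514
*.* @192.168.43.150:514
mail.* @@192.168.43.150
cron.* @logserver.ostechnix.local:514
EOF
}

# Read rsyslog config text on stdin and print "selector proto host port"
# for every active (uncommented) forwarding rule.
list_forwards() {
    awk '
        /^[ \t]*#/ { next }                   # skip commented-out lines
        $2 ~ /^@/ {
            target = $2
            proto = (target ~ /^@@/) ? "tcp" : "udp"   # @ = UDP, @@ = TCP
            sub(/^@+/, "", target)
            port = 514                        # used when the rule names no port
            host = target
            if (match(target, /:[0-9]+$/)) {  # trailing ":port", if present
                port = substr(target, RSTART + 1)
                host = substr(target, 1, RSTART - 1)
            }
            print $1, proto, host, port
        }'
}

# Exit status 0 if any active rule forwards over UDP, which gives no
# delivery guarantee: messages can be dropped without the client noticing.
has_udp_forward() {
    list_forwards | grep -q ' udp '
}

# Demo run on the constructed sample.
sample_conf | list_forwards
```

On a real client, feed the live file to the same function with list_forwards < /etc/rsyslog.conf and compare the reported host and port with the server's listeners.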

Testing log messages

Run anything on your client system that generates a log entry.

I am going to run this:

logger -i -t ostechnix "This is our first log test."

Now, go to the Rsyslog server machine and check whether this log entry has arrived.

tail -f /var/log/messages

Now, you will see the logs of your client systems on the server.

Mar 23 17:30:29 client rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="2953" x-info="http://www.rsyslog.com"] start
Mar 23 17:30:29 client systemd: Stopping System Logging Service...
Mar 23 17:30:29 client systemd: Starting System Logging Service...
Mar 23 17:30:29 client systemd: Started System Logging Service.
Mar 23 17:30:34 logserver rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="2520" x-info="http://www.rsyslog.com"] exiting on signal 15.
Mar 23 17:30:34 logserver rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="2542" x-info="http://www.rsyslog.com"] start
Mar 23 17:30:34 logserver systemd: Stopping System Logging Service...
Mar 23 17:30:34 logserver systemd: Starting System Logging Service...
Mar 23 17:30:34 logserver systemd: Started System Logging Service.
Mar 23 17:31:35 client ostechnix[2959]: This is our first log test.

And that’s all. The Rsyslog server and client configuration is done. As you can see in this guide, setting up a basic Rsyslog server is very easy. Though it is a very basic log server setup, it just worked out of the box for me. I will be posting more Rsyslog guides in the days to come. Stay tuned and subscribe to our website for more guides like this.

Cheers!
