
Sunday, 12 August 2018

Configure Centralized rsyslog Server in CentOS 7

rsyslog is responsible for log processing in CentOS 7. rsyslog is an abbreviation of ‘Rocket Fast System for Log processing’. rsyslog offers high performance, strong security features and a modular design. It can accept input from a wide variety of sources, transform it and output the result to diverse destinations.

In this article, we will configure a central logging server using rsyslog on CentOS 7 and then we will configure CentOS 7 clients to submit their local logs to this rsyslog based central logging server.

 

Environment Specification:

We are using two virtual machines, one as the rsyslog server and the other as the rsyslog client.

                   rsyslog Server                rsyslog Client
Hostname:          rsyslog-server.example.com    rsyslog-client.example.com
IP Address:        192.168.113.10/24             192.168.113.11/24
Operating System:  CentOS 7.6                    CentOS 7.6

 

Configuring rsyslog Server on CentOS 7:

rsyslog is installed by default on most Linux distros, including CentOS 7.

Connect to rsyslog-server.example.com and check the status of rsyslog.service.

[root@rsyslog-server ~]# systemctl status rsyslog.service
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Sat 2018-08-11 21:15:52 PDT; 27min ago
 Main PID: 759 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─759 /usr/sbin/rsyslogd -n
Aug 11 21:15:52 rsyslog-server.example.com systemd[1]: Started System Logging Serv...
Hint: Some lines were ellipsized, use -l to show in full.

rsyslog is already installed on our CentOS 7 server, and its service is already started.

Now configure rsyslog to accept input from other machines.

[root@rsyslog-server ~]# vi /etc/rsyslog.conf

Find and uncomment the following two directives.

$ModLoad imtcp
$InputTCPServerRun 514

Save settings and restart the rsyslog.service.

[root@rsyslog-server ~]# systemctl restart rsyslog.service

Allow the rsyslog service port in the Linux firewall.

[root@rsyslog-server ~]# firewall-cmd --permanent --add-port=514/tcp
success
[root@rsyslog-server ~]# firewall-cmd --reload
success

Our rsyslog server has been configured to receive input from other log sources via port 514/tcp.

 

Configuring rsyslog Client on CentOS 7:

Connect to rsyslog-client.example.com and check the status of rsyslog.service.

[root@rsyslog-client ~]# systemctl status rsyslog.service
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Sun 2018-08-12 02:16:31 PDT; 4h 6min left
 Main PID: 742 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─742 /usr/sbin/rsyslogd -n
Aug 12 02:16:31 rsyslog-client.example.com systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.

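The rsyslog service is already installed and running on our CentOS 7 based client machine.

Now configure the rsyslog client to transmit its logs to our rsyslog server by adding the following directive to /etc/rsyslog.conf. The *.* selector matches every facility and priority, and the @@ prefix forwards over TCP (a single @ would use UDP), which matches the imtcp listener enabled on the server.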

[root@rsyslog-client ~]# echo "*.* @@rsyslog-server.example.com:514" >> /etc/rsyslog.conf

Restart the rsyslog.service to apply changes.

[root@rsyslog-client ~]# systemctl restart rsyslog.service

Now connect to our rsyslog server and check /var/log/messages.

[root@rsyslog-server ~]# tail /var/log/messages
Aug 11 22:31:28 rsyslog-server systemd: Closed ipa-otpd socket.
Aug 11 22:31:28 rsyslog-server systemd: Stopping 389 Directory Server EXAMPLE-COM....
Aug 11 22:31:29 rsyslog-server systemd: Stopped 389 Directory Server EXAMPLE-COM..
Aug 11 22:31:29 rsyslog-server systemd: Stopping 389 Directory Server.
Aug 11 22:31:29 rsyslog-server systemd: Stopped target 389 Directory Server.
Aug 11 22:33:32 rsyslog-client rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="3063" x-info="http://www.rsyslog.com"] start
Aug 11 22:33:32 rsyslog-client systemd: Stopping System Logging Service...
Aug 11 22:33:32 rsyslog-client systemd: Starting System Logging Service...
Aug 11 22:33:32 rsyslog-client systemd: Started System Logging Service.
Aug 11 22:33:56 rsyslog-client systemd-logind: Removed session 16.
[root@rsyslog-server ~]#

We can see that rsyslog-client.example.com is forwarding its logs to rsyslog-server.example.com.
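
To check which machines are actually writing to the central file, the script below (an added example, not part of the original article) counts lines per hostname in /var/log/messages on the server and marks hostnames outside an expected list. The EXPECTED_HOSTS list, the function names and the build-host07 sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Short hostnames expected in the server's /var/log/messages (assumption:
# only the two machines from the environment table report here).
EXPECTED_HOSTS="${EXPECTED_HOSTS:-rsyslog-server rsyslog-client}"

# summarize_hosts FILE
# One line per host: "<host> <lines> <last-seen timestamp> <ok|UNEXPECTED>"
summarize_hosts() {
    awk -v expected="$EXPECTED_HOSTS" '
        BEGIN {
            n = split(expected, e, " ")
            for (i = 1; i <= n; i++) ok[e[i]] = 1
        }
        # Traditional file format: "Mon DD HH:MM:SS host tag: message"
        NF >= 5 && $3 ~ /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/ {
            count[$4]++
            last[$4] = $1 " " $2 " " $3
        }
        END {
            for (h in count)
                printf "%s %d %s %s\n", h, count[h], last[h],
                       ((h in ok) ? "ok" : "UNEXPECTED")
        }
    ' "$1" | sort
}

# unexpected_hosts FILE: print only the hostnames that are not in EXPECTED_HOSTS
unexpected_hosts() {
    summarize_hosts "$1" | awk '$NF == "UNEXPECTED" { print $1 }'
}

# write_sample FILE: constructed sample for offline use. The first three lines
# copy the format of the tail output above; the last host is invented.
write_sample() {
    cat > "$1" <<'EOF'
Aug 11 22:31:29 rsyslog-server systemd: Stopped target 389 Directory Server.
Aug 11 22:33:32 rsyslog-client systemd: Starting System Logging Service...
Aug 11 22:33:56 rsyslog-client systemd-logind: Removed session 16.
Aug 11 22:34:10 build-host07 sshd[2211]: constructed line from an unlisted host
EOF
}

# Run against a real file when one is given, e.g. /var/log/messages
if [ "$#" -gt 0 ] && [ -r "$1" ]; then
    summarize_hosts "$1"
fi
```

The host column is the hostname carried inside each message, so it shows what the sender reported rather than the connection the message arrived on.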

We have successfully configured a central logging server using rsyslog on CentOS 7.
