In this tutorial we explain how to set up a centralized log server with rsyslog on CentOS 7 / RHEL 7, so that the logs of your client systems can be managed from one place. You no longer have to log in to each client to read its log files, which is useful when you have a large number of systems on your network and want to do log management from a dedicated log server.
Environment:
For the purpose of this guide we use two CentOS 7 servers: one acts as the rsyslog server and the other as the client.
Rsyslog Server:
OS: CentOS 7
IP address: 192.168.1.200
Hostname: logserver.yallalabs.com
Client Server:
OS: CentOS 7
IP Address: 192.168.1.201
Hostname: server01.yallalabs.com
Server configuration
– Back up the rsyslog configuration file
[root@logserver ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.orig
– Open the rsyslog configuration file
[root@logserver ~]# vi /etc/rsyslog.conf
– Find and uncomment the following lines so that the server listens for syslog messages on UDP and TCP port 514.
[...]
$ModLoad imudp
$UDPServerRun 514
[...]
$ModLoad imtcp
$InputTCPServerRun 514
[...]
– Add the following lines to create two templates that store the logs forwarded by the clients, one file per client host and program. Note that %HOSTNAME% is the hostname the client wrote into the message header, not the address the message arrived from (that is %FROMHOST-IP%), so each client decides which subdirectory its logs land in. The two selectors also apply to the log server's own messages, so its local logs end up under /var/log/client_logs/logserver.yallalabs.com/ as well, and mail and cron messages from clients are not written at all because of the "none" entries in the second selector.
$template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.* ?TmplAuth
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
– Save and close the file.
– Create the “client_logs” directory that the templates write into
[root@logserver ~]# mkdir /var/log/client_logs
– Allow the rsyslog default port 514 on your firewall. The following commands open the port (for both UDP and TCP) in firewalld.
[root@logserver ~]# firewall-cmd --permanent --add-port=514/udp
[root@logserver ~]# firewall-cmd --permanent --add-port=514/tcp
– Reload firewalld so the changes take effect.
[root@logserver ~]# firewall-cmd --reload
– Finally restart the rsyslog service with the following command
[root@logserver ~]# systemctl restart rsyslog
Client configuration
– Back up the rsyslog configuration file
[root@server01 ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.orig
– Open the rsyslog configuration file
[root@server01 ~]# vi /etc/rsyslog.conf
– In the ##RULES## section, add the following line. A single @ forwards over UDP; @@ would forward over TCP, which the server above also listens on. Either way the messages travel in cleartext, so keep the two hosts on a trusted network segment or add TLS (rsyslog's imtcp/omfwd support gtls) if the logs cross one you do not control.
[...]
##RULES##
*.* @192.168.1.200:514
[...]
– Finally restart the rsyslog service with the following command
[root@server01 ~]# systemctl restart rsyslog
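To see what the server-side rules and templates actually do to a forwarded message, here is a small simulator in Python. It is an added example, not code from the original tutorial or from the rsyslog project: it parses an RFC 3164 line as sent by the client's "*.* @192.168.1.200:514" rule, evaluates the two selectors ("authpriv.* ?TmplAuth" and "*.info;mail.none;authpriv.none;cron.none ?TmplMsg") and expands the dynafile template into the path rsyslog would write to. The sample messages are constructed for this example, the facility names above index 11 are assumptions (the standard ones are not needed by the tutorial), and the optional "replace"/"drop" handling mirrors rsyslog's secpath-replace / secpath-drop property options, which the tutorial's templates do not use. build_message() and send_udp() let you send a test message to the log server from a client.

```python
"""Simulate the rsyslog server configuration from the tutorial on sample messages."""
import re
import socket
from typing import Dict, List, Optional, Tuple

# Syslog facility codes 0..23 (RFC 3164); names for 12..15 are an assumption.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# Severity codes 0..7, most severe first.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Deprecated spellings accepted in selectors.
PRIORITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# The rules and template from the server configuration above.
RULES = [
    ("authpriv.*", "TmplAuth"),
    ("*.info;mail.none;authpriv.none;cron.none", "TmplMsg"),
]
TEMPLATE = "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG  (classic BSD syslog format)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")


def parse_rfc3164(line: str) -> Dict[str, str]:
    """Split a syslog line into the properties the templates use (HOSTNAME, PROGRAMNAME ...)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    facility, severity = divmod(int(m["pri"]), 8)  # PRI = facility * 8 + severity
    if facility >= len(FACILITIES):
        raise ValueError(f"invalid PRI value: {m['pri']}")
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "hostname": m["host"], "programname": m["prog"], "msg": m["msg"]}


def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Evaluate a classic selector such as '*.info;mail.none;authpriv.none;cron.none'.

    'fac.prio' matches messages of that facility at priority prio or more severe;
    'fac.none' excludes the facility; for one facility the last entry wins.
    """
    threshold: Optional[int] = None  # None means "not logged"
    for part in selector.split(";"):
        facs, _, prio = part.strip().partition(".")
        fac_list = [f.strip() for f in facs.split(",")]
        if "*" not in fac_list and facility not in fac_list:
            continue
        prio = PRIORITY_ALIASES.get(prio, prio)
        threshold = None if prio == "none" else (7 if prio == "*" else SEVERITIES.index(prio))
    return threshold is not None and SEVERITIES.index(severity) <= threshold


def dynafile_path(template: str, props: Dict[str, str], secpath_mode: Optional[str] = None) -> str:
    """Expand %HOSTNAME%/%PROGRAMNAME% like a dynafile template; optionally neutralise '/'."""
    def prop(name: str) -> str:
        value = props[name.lower()]
        if secpath_mode == "drop":       # like rsyslog's secpath-drop
            return value.replace("/", "")
        if secpath_mode == "replace":    # like rsyslog's secpath-replace
            return value.replace("/", "_")
        return value                     # the tutorial's templates: value used verbatim
    return re.sub(r"%([A-Z-]+)%", lambda m: prop(m.group(1)), template)


def route(line: str, secpath_mode: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (template name, file path) for every rule the message matches."""
    props = parse_rfc3164(line)
    return [(name, dynafile_path(TEMPLATE, props, secpath_mode))
            for selector, name in RULES if selector_matches(selector, props["facility"], props["severity"])]


def build_message(facility: str, severity: str, hostname: str, tag: str, msg: str,
                  timestamp: str = "Mar 10 12:00:00") -> bytes:
    """Build the RFC 3164 datagram a client's '*.* @server:514' rule would emit."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode()


def send_udp(payload: bytes, server: str = "192.168.1.200", port: int = 514) -> None:
    """Send one datagram to the log server (the '@' forwarding in the client config)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (server, port))


if __name__ == "__main__":
    # Constructed sample messages, as server01 would forward them.
    SAMPLES = [
        "<86>Mar 10 12:00:01 server01 sshd[1234]: Accepted publickey for root from 192.168.1.50",
        "<30>Mar 10 12:00:02 server01 systemd[1]: Started Session 5 of user root.",
        "<78>Mar 10 12:00:03 server01 CROND[2222]: (root) CMD (run-parts /etc/cron.hourly)",
        "<15>Mar 10 12:00:04 server01 myapp: debug details",
        "<30>Mar 10 12:00:05 ../../tmp systemd: hostname chosen by the sender",
    ]
    for sample in SAMPLES:
        print(sample, "->", route(sample) or "dropped on the server")
        if "../" in sample:
            print("  with secpath-replace ->", route(sample, "replace"))
```

Running the block shows the sshd line going only to TmplAuth (the second selector's authpriv.none excludes it), the systemd line going to TmplMsg, and the cron and debug lines matching no rule at all, which means they exist only in the client's own /var/log. The last sample illustrates why the hostname should be sanitised or taken from %FROMHOST-IP% when the clients are not fully trusted.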
We hope this tutorial was helpful. If you need more information or have any questions, just comment below and we will be glad to assist you!
3 comments
Hi. Thank you for your article.
Hi followed your instructions and it worked like a charm.
Please can you tell me the meaning of the following lines in your tutorial:
authpriv.* ?TmplAuth
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
Thanks in advance
Hi AMEPA,
You are welcome anytime. If you like our tutorials, please share them with friends and subscribe to our YouTube channel.
– We have created two log templates, TmplAuth and TmplMsg, with custom facilities and priorities:
– The facility is one of the following keywords: auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, security (same as auth), syslog, user, uucp and local0 through local7.
– The priority is one of the following keywords, in ascending order: debug, info, notice, warning, warn (same as warning), err, error (same as err), crit, alert, emerg, panic (same as emerg). The keywords error, warn and panic are deprecated and should not be used anymore. The priority defines the severity of the message.
*.* means log everything
authpriv.* means to log everything from the authpriv facility.
*.info;mail.none;authpriv.none;cron.none means to log every facility with priority level info and higher, and not to log the mail, authpriv and crontab facilities.
You can create a custom template with what facilities you want to log on your system.
Thanks for the post, it’s a great way to set up a log management system on Linux. But it doesn’t scale really well, and it’s not even enabled to collect logs from multiple platforms, like Windows, Linux, Android, etc. Now I know it wasn’t the point of this article, but in case someone here is looking for a centralized high-performance log management system, I can advise to check out NXLog ( https://nxlog.co/products/nxlog-community-edition ), which is free and open source and does all the above, so it has all the features one may be looking for in a log management tool.