Thursday, June 2, 2016

[Quick Install: Syslog Server]: rsyslog server installation and configuration in RHEL 7 and Centos 7

rsyslog server

An rsyslog server collects the logs of all servers in one central place. The system administrator no longer needs to log in to each and every device to gather logs: install and configure an rsyslog server and the logs of all servers can be watched with a single command. Linux labels each log message with a facility (auth, cron, ftp, lpr, authpriv, news, mail, syslog, etc.) that indicates the type of software that generated it, together with a severity (alert, critical, warning, notice, info, etc.).

What is syslog 

In computing, syslog is a standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity label.
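The facility and severity are not sent as words on the wire; they travel as one number, the PRI field, in front of the message, and the selectors in /etc/rsyslog.conf (such as the authpriv.* rule that fills /var/log/secure later in this article) are evaluated against that number. The script below is an added example, not part of the original post or of rsyslog: it decodes a PRI value into facility.severity and replays the selector logic against the file rules shown in the article. Facility and severity codes follow RFC 3164; the sample message and the rule table are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: decode the PRI header of a
# BSD-syslog (RFC 3164) message into facility.severity and replay the
# selector logic rsyslog applies to the default /etc/rsyslog.conf file rules.
# Facility and severity numbers follow RFC 3164; the sample message and the
# rule table below are constructed for this demonstration.
set -f   # no pathname expansion, so the '*' in selectors is never globbed

# index = numeric code; 12-15 carry their RFC 3164 labels and are not rsyslog selector names
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp logaudit logalert clock local0 local1 local2 local3 local4 local5 local6 local7"
SEVERITIES="emerg alert crit err warning notice info debug"

name_at() {
    # name_at INDEX "word list" -> the INDEX-th (0-based) word
    i=$1
    set -- $2
    shift "$i"
    printf '%s\n' "$1"
}

sev_index() {
    # sev_index NAME -> numeric severity (0 = emerg ... 7 = debug); status 1 if unknown
    i=0
    for s in $SEVERITIES; do
        if [ "$s" = "$1" ]; then printf '%s\n' "$i"; return 0; fi
        i=$((i + 1))
    done
    return 1
}

pri_of() {
    # pri_of "<PRI>rest of message" -> the number between the angle brackets
    case $1 in
        '<'[0-9]*'>'*) p=${1#<}; printf '%s\n' "${p%%>*}" ;;
        *) return 1 ;;
    esac
}

decode_pri() {
    # decode_pri PRI -> "facility.severity"; PRI = facility * 8 + severity
    pri=$1
    [ "$pri" -ge 0 ] && [ "$pri" -le 191 ] || { echo "bad PRI: $pri" >&2; return 1; }
    printf '%s.%s\n' "$(name_at $((pri / 8)) "$FACILITIES")" "$(name_at $((pri % 8)) "$SEVERITIES")"
}

rule_matches() {
    # rule_matches "sel;sel;..." PRI -> status 0 when the rule would write the message.
    # Selectors apply left to right and a later selector naming the same facility
    # overrides an earlier one, which is how "mail.none" carves mail out of the
    # "*.info" rule for /var/log/messages. "prio" means that severity or more urgent.
    rule=$1; pri=$2; result=1
    fname=$(name_at $((pri / 8)) "$FACILITIES"); sev=$((pri % 8))
    for sel in $(printf '%s' "$rule" | tr ';' ' '); do
        facs=${sel%.*}; prio=${sel##*.}
        listed=1
        if [ "$facs" = '*' ]; then
            listed=0
        else
            for f in $(printf '%s' "$facs" | tr ',' ' '); do
                if [ "$f" = "$fname" ]; then listed=0; fi
            done
        fi
        [ "$listed" -eq 0 ] || continue
        case $prio in
            '*')  result=0 ;;
            none) result=1 ;;
            =*)   want=$(sev_index "${prio#=}") || return 2
                  if [ "$sev" -eq "$want" ]; then result=0; else result=1; fi ;;
            *)    want=$(sev_index "$prio") || return 2
                  if [ "$sev" -le "$want" ]; then result=0; else result=1; fi ;;
        esac
    done
    return "$result"
}

# File rules from the default /etc/rsyslog.conf quoted in the article
# (a leading '-' on a target only means asynchronous writes)
RULES='*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
uucp,news.crit /var/log/spooler'

route() {
    # route "<PRI>message" -> one line per destination file the rules select
    pri=$(pri_of "$1") || { echo "no PRI header in: $1" >&2; return 1; }
    printf '%s\n' "$RULES" | while read -r sel target; do
        if rule_matches "$sel" "$pri"; then printf '%s\n' "${target#-}"; fi
    done
}

# Constructed sample, modelled on the su line the article shows in /var/log/secure
SAMPLE='<86>Apr 23 16:16:34 desktop su: pam_unix(su-l:session): session opened for user atkit by root(uid=0)'
printf 'PRI %s decodes to %s; written to:\n' "$(pri_of "$SAMPLE")" "$(decode_pri "$(pri_of "$SAMPLE")")"
route "$SAMPLE"
```

Running it shows that PRI 86 is authpriv.info and that only /var/log/secure receives it: the first rule matches on *.info but the later authpriv.none selector overrides it for that facility, which is why the su session lines end up in /var/log/secure and not in /var/log/messages.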

Required Hardware and Software

The rsyslog server should have at least 4 GB of RAM, 2 CPU cores and a 1 Gigabit network card, and be installed with RHEL 7 (Red Hat Enterprise Linux 7, 7.1 or 7.2) or CentOS 7.

Server Profile

Packages: rsyslog*
Service / Daemon Name: rsyslog.service
Port number: 514
Config File: /etc/rsyslog.conf
In this article we are using Server IP: 192.168.4.20 and Client IP: 192.168.4.21 for the demonstration.

Server side configuration

[root@server ~]# hostname
server.arkit.co.in
Installing rsyslog packages
[root@server yum.repos.d]# yum install rsyslog*
Installed:
rsyslog-gnutls.x86_64 0:7.4.7-7.el7_0 rsyslog-gssapi.x86_64 0:7.4.7-7.el7_0 rsyslog-mysql.x86_64 0:7.4.7-7.el7_0
rsyslog-pgsql.x86_64 0:7.4.7-7.el7_0 rsyslog-relp.x86_64 0:7.4.7-7.el7_0
Dependency Installed:
librelp.x86_64 0:1.2.0-3.el7 postgresql-libs.x86_64 0:9.2.7-1.el7
Complete!

Enable and start the services

Enable the service first, so that rsyslog starts automatically whenever the server is rebooted. If the service is not enabled it will not start on boot and has to be started manually.
[root@server ~]# systemctl enable rsyslog.service
[root@server ~]# systemctl start rsyslog.service
[root@server ~]# systemctl status rsyslog.service
rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
Active: active (running) since Sat 2016-04-23 15:07:12 IST; 41min ago
Main PID: 984 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─984 /usr/sbin/rsyslogd -n
Apr 23 15:07:12 server.arkit.co.in systemd[1]: Started System Logging Service.
Apr 23 15:48:35 server.arkit.co.in systemd[1]: Started System Logging Service.

Edit config file 

Before the change (the reception modules are commented out)

[root@server ~]# vi /etc/rsyslog.conf
# rsyslog configuration file
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
After the Change
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
:wq! (Save & Exit)
Restart the service to apply the change
[root@server ~]# systemctl restart rsyslog.service

Allow firewall ports from server

Default port number for syslog is 514
[root@server ~]# firewall-cmd --permanent --add-port=514/tcp
success
[root@server ~]# firewall-cmd --permanent --add-port=514/udp
success
[root@server ~]# firewall-cmd --reload
success
Verify Service is listening
[root@server ~]# netstat -antup | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 4300/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 4300/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 4300/rsyslogd
udp6 0 0 :::514 :::* 4300/rsyslogd

Client Side

Ping the server to verify that it is reachable from the client
[root@desktop ~]# hostname
desktop.arkit.co.in
[root@desktop ~]# ping 192.168.4.20
PING 192.168.4.20 (192.168.4.20) 56(84) bytes of data.
64 bytes from 192.168.4.20: icmp_seq=1 ttl=64 time=0.481 ms
64 bytes from 192.168.4.20: icmp_seq=2 ttl=64 time=0.385 ms
^C
--- 192.168.4.20 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.385/0.433/0.481/0.048 ms
Edit the config file
[root@desktop ~]# vi /etc/rsyslog.conf
*.* @@192.168.4.20:514
:wq! (Save & Exit)
As shown above, this rule points the client at the server. The selector *.* means all facilities at all priorities, so every log message is forwarded. If you would like to forward only particular logs, do not use *.* in the client config but a specific facility.priority selector, like the ones used in the default rules:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
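In the client rule above, the double @@ in front of the server address sends over TCP (a single @ would send over UDP), and the default forwarding rule drops messages whenever the server is unreachable unless an action queue is configured. The script below is an added example, not part of the original post or of the rsyslog project: it validates a selector before writing it, builds the forwarding line for TCP or UDP, and wraps it in the disk-assisted queue directives (legacy directive names as used by rsyslog 7 on RHEL 7) so messages are spooled under the work directory while the server is down. The server address is the article's 192.168.4.20; the /etc/rsyslog.d/forward.conf file name is a hypothetical choice and the demo writes to a temporary file instead.

```shell
#!/bin/sh
# Added example, not part of the original post: build the client-side
# forwarding rule, validating the selector before it is written, and wrap it
# in disk-assisted queue directives so messages are spooled while the central
# server is unreachable instead of being dropped. Directive names are the
# rsyslog 7 legacy ones; the server address is the article's 192.168.4.20.
set -f   # keep '*' in selectors from being globbed

FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp local0 local1 local2 local3 local4 local5 local6 local7"
PRIORITIES="emerg alert crit err warning notice info debug"

in_list() {
    # in_list NAME "word list" -> status 0 when NAME is one of the words
    for w in $2; do
        if [ "$w" = "$1" ]; then return 0; fi
    done
    return 1
}

valid_selector() {
    # valid_selector "fac[,fac].prio[;fac.prio...]" -> status 0 when every facility
    # and priority is a known name or '*'. A typo only shows up as an error in
    # rsyslogd's own startup messages, so check before writing the config.
    for part in $(printf '%s' "$1" | tr ';' ' '); do
        case $part in
            *.*) ;;
            *) echo "selector '$part' must be facility.priority" >&2; return 1 ;;
        esac
        facs=${part%.*}; prio=${part##*.}
        if [ "$facs" != '*' ]; then
            for f in $(printf '%s' "$facs" | tr ',' ' '); do
                in_list "$f" "$FACILITIES" || { echo "unknown facility '$f'" >&2; return 1; }
            done
        fi
        prio=${prio#!}; prio=${prio#=}    # accept the !prio and =prio forms
        case $prio in
            '*'|none) ;;
            *) in_list "$prio" "$PRIORITIES" || { echo "unknown priority '$prio'" >&2; return 1; } ;;
        esac
    done
    return 0
}

forward_rule() {
    # forward_rule SELECTOR tcp|udp SERVER [PORT] -> the rsyslog action line;
    # '@@' sends over TCP (as in the article), a single '@' sends over UDP
    sel=$1; proto=$2; server=$3; port=${4:-514}
    valid_selector "$sel" || return 1
    case $proto in
        tcp) prefix='@@' ;;
        udp) prefix='@' ;;
        *) echo "protocol must be tcp or udp" >&2; return 1 ;;
    esac
    printf '%s %s%s:%s\n' "$sel" "$prefix" "$server" "$port"
}

client_config() {
    # client_config SELECTOR SERVER -> snippet for /etc/rsyslog.d/forward.conf
    # (hypothetical file name; /etc/rsyslog.d/*.conf is included by the default
    # rsyslog.conf). The queue directives keep undelivered messages on disk
    # under the work directory and retry forever instead of discarding them.
    rule=$(forward_rule "$1" tcp "$2" 514) || return 1
    cat <<EOF
# Forward to the central rsyslog server; spool to disk while it is unreachable
\$WorkDirectory /var/lib/rsyslog
\$ActionQueueFileName fwdRule1
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionQueueType LinkedList
\$ActionResumeRetryCount -1
$rule
EOF
}

check_config() {
    # check_config FILE -> rsyslog's own syntax check (rsyslogd -N1) when installed
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not installed here; skipping syntax check" >&2
    fi
}

# Demo: forward everything (as the article does) and, alternatively, only the
# authentication logs; written to a temporary file rather than /etc/rsyslog.d
tmp=$(mktemp)
client_config '*.*' 192.168.4.20 > "$tmp"
cat "$tmp"
forward_rule 'authpriv.*;auth.*' tcp 192.168.4.20
check_config "$tmp" || echo "syntax check reported an error" >&2
rm -f "$tmp"
```

Install the generated snippet on the client in place of the single *.* line, restart rsyslog as in the next step, and the queue files appear under /var/lib/rsyslog only while the server cannot be reached; once it is back the spooled messages are delivered in order.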
Restart the service
[root@desktop ~]# systemctl restart rsyslog.service
[root@desktop ~]# systemctl status rsyslog.service
rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
Active: active (running) since Sat 2016-04-23 16:08:34 IST; 15s ago
Main PID: 4336 (rsyslogd)
CGroup: /system.slice/rsyslog.service
└─4336 /usr/sbin/rsyslogd -n

Test logs

Open the log file on the server and switch users on the client machine; the client's su messages show up on the server
[root@server log]# tail -f /var/log/secure
Apr 23 16:16:02 desktop su: pam_unix(su-l:session): session closed for user atkit
Apr 23 16:16:34 desktop su: pam_unix(su-l:session): session opened for user atkit by root(uid=0)
Apr 23 16:16:40 desktop su: pam_unix(su-l:session): session closed for user atkit
