This tutorial describes how to set up a centralized Rsyslog server on CentOS 7 to manage the logs of your client systems from a common place. You don't have to visit each client system when you want to check its log files. This can be useful if you have a large number of systems on your network and want to do the log management from a dedicated central log server.
For the purpose of this guide, I will be using two systems: one acts as the rsyslog server and the other acts as the client. The following are the details of my test boxes.
Rsyslog Server:
- OS: CentOS 7 minimal edition
- IP address: 192.168.43.150/24
- Hostname: logserver.ostechnix.local
Client system:
- OS: CentOS 7 minimal edition
- IP Address: 192.168.43.151
First, let us set up the Rsyslog server.
Setup Centralized Rsyslog Server On CentOS 7
This guide is tested with CentOS 7 minimal server edition. However, it should work on all RPM based distributions like RHEL, Fedora, Scientific Linux.
All commands given below should be run as the root user.
Install the rsyslog package if it is not installed already.
# yum install rsyslog
Then, edit rsyslog config file:
# vi /etc/rsyslog.conf
Find and uncomment the following lines to make your server listen on the UDP and TCP ports.
[...]
$ModLoad imudp
$UDPServerRun 514
[...]
$ModLoad imtcp
$InputTCPServerRun 514
[...]
Hit the ESC key and type :wq to save and close the file.
Allow the Rsyslog default port 514 through your firewall/router. The following commands will open this port via firewalld.
# firewall-cmd --permanent --add-port=514/udp
# firewall-cmd --permanent --add-port=514/tcp
Reload firewalld for the changes to take effect.
# firewall-cmd --reload
Finally, enable and start rsyslog service:
# systemctl enable rsyslog
# systemctl start rsyslog
Check whether the rsyslog service is running with the command:
# systemctl status rsyslog
If you see output like the following, congrats! The Rsyslog server is up and working!
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2017-03-23 16:30:11 IST; 17min ago
 Main PID: 2490 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─2490 /usr/sbin/rsyslogd -n

Mar 23 16:30:11 logserver.ostechnix.local systemd[1]: Starting System Logging...
Mar 23 16:30:11 logserver.ostechnix.local systemd[1]: Started System Logging ...
Hint: Some lines were ellipsized, use -l to show in full
You can check log details of the server itself using command:
# tail -10 /var/log/messages
This command will display the last ten lines of your log messages.
Client configuration
Install rsyslog as the root user using the command:
# yum install rsyslog
Then, edit rsyslog config file:
# vi /etc/rsyslog.conf
Under ##RULES## directive section, add the following line:
*.* @192.168.43.150:514
Or, just place this line at the end of the file. This will log everything and send the log messages to your Rsyslog server.
You can also log particular items. For example, to log only cron messages, add the following line:
cron.* @192.168.43.150:514
To log all the mail messages, add:
mail.* @192.168.43.150:514
I want to log everything, so I added the following line.
*.* @192.168.43.150:514
You can also mention the FQDN of your Rsyslog server instead of IP address.
Save and close the rsyslog config file.
Finally, enable and start rsyslog service:
# systemctl enable rsyslog
# systemctl start rsyslog
Similarly, you can configure as many clients as you want and monitor their logs.
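The following check is an added example, not part of the original tutorial. It audits the two edits described above: whether the server's UDP and TCP listeners are actually enabled, and which transport each client forwarding rule uses. The function names `rsyslog_listeners` and `rsyslog_forwards` and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the legacy-syntax rsyslog.conf lines this guide edits.

# Print "udp PORT" / "tcp PORT" for each listener that is really enabled:
# the input module must be loaded AND its ...ServerRun line uncommented.
rsyslog_listeners() {
    awk '
        $1 ~ /^#/ { next }                       # skip commented-out lines
        $1 == "$ModLoad" && $2 == "imudp" { udp_mod = 1 }
        $1 == "$ModLoad" && $2 == "imtcp" { tcp_mod = 1 }
        $1 == "$UDPServerRun"      { udp_port = $2 }
        $1 == "$InputTCPServerRun" { tcp_port = $2 }
        END {
            if (udp_mod && udp_port != "") print "udp " udp_port
            if (tcp_mod && tcp_port != "") print "tcp " tcp_port
        }' "$1"
}

# Print "SELECTOR PROTO HOST PORT" for each active forwarding rule.
# "@host" forwards over UDP, "@@host" over TCP; the port defaults to 514.
# Handles the plain host[:port] form only (no bracketed IPv6 addresses).
rsyslog_forwards() {
    awk '
        $1 ~ /^#/ { next }
        $2 ~ /^@/ {
            target = $2
            proto = (target ~ /^@@/) ? "tcp" : "udp"
            sub(/^@+/, "", target)
            n = split(target, hp, ":")
            print $1, proto, hp[1], (n > 1 ? hp[2] : 514)
        }' "$1"
}

# Constructed sample (not a real system file): TCP module loaded but its
# listener line still commented out; one UDP and one TCP forwarding rule.
sample=$(mktemp)
cat > "$sample" <<'EOF'
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
#$InputTCPServerRun 514
*.* @192.168.43.150:514
cron.* @@logserver.ostechnix.local
EOF
rsyslog_listeners "$sample"
rsyslog_forwards "$sample"
rm -f "$sample"
```

On a real system, pass /etc/rsyslog.conf to each function. A rule reported as udp, such as this guide's `*.* @192.168.43.150:514`, is sent without acknowledgement, so dropped messages go unnoticed; a `@@` rule uses the TCP listener the server also opens.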
Testing log messages
Run anything on your client system.
I am going to manually add an entry to the system log file using the logger command.
# logger -i -t ostechnix "This is our first log test."
Now, go to the Rsyslog server machine and check if this log is found.
# tail -10 /var/log/messages
Now, you will see the logs of your client systems on the server.
Mar 23 17:30:29 client rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="2953" x-info="http://www.rsyslog.com"] start
Mar 23 17:30:29 client systemd: Stopping System Logging Service...
Mar 23 17:30:29 client systemd: Starting System Logging Service...
Mar 23 17:30:29 client systemd: Started System Logging Service.
Mar 23 17:30:34 logserver rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="2520" x-info="http://www.rsyslog.com"] exiting on signal 15.
Mar 23 17:30:34 logserver rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="2542" x-info="http://www.rsyslog.com"] start
Mar 23 17:30:34 logserver systemd: Stopping System Logging Service...
Mar 23 17:30:34 logserver systemd: Starting System Logging Service...
Mar 23 17:30:34 logserver systemd: Started System Logging Service.
Mar 23 17:31:35 client ostechnix[2959]: This is our first log test.
And that's all. The Rsyslog server and client configuration is done. As you can see in this guide, setting up a basic Rsyslog server is very easy. Though it is a very basic log server setup, it just worked out of the box for me.
1 comment
Hey, great tutorial, if you ever need a free high-performance multi-platform log management system, check out NXLog here: https://nxlog.co/products/nxlog-community-edition – it’s open source and highly scalable.