How To Setup Centralized SysLog Server On CentOS 8 / RHEL 8


Today we will set up a centralized syslog server on CentOS 8 / RHEL 8 so that a Linux admin can read the logs of multiple servers in a single place.

Linux labels each log message with a facility (auth, cron, FTP, LPR, authpriv, news, mail, syslog, etc.) to indicate the type of software that generated the message, and with a severity (alert, critical, warning, notice, info, etc.).

You can find more information on message labels (facilities) and severity levels in the syslog documentation.

Environment

Two Linux servers (server and client):

server.itzgeek.local 192.168.0.10

client.itzgeek.local 192.168.0.20

Server setup

Install the rsyslog package on the syslog server in case the package doesn’t already exist.

dnf install -y rsyslog

Edit the /etc/rsyslog.conf file.

vi /etc/rsyslog.conf

Protocol

Rsyslog supports both the UDP and TCP protocols for receiving logs. It is up to you to decide which protocol you want to use.

Rsyslog suggests the use of TCP protocol for reliable log delivery.

UDP

Uncomment the following to enable the syslog server to listen on the UDP port.

FROM:

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
# module(load="imudp") # needs to be done just once
# input(type="imudp" port="514")

TO:

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

TCP

Uncomment the following to enable the syslog server to listen on the TCP port.

FROM:

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

TO:

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

Restart the syslog service

systemctl restart rsyslog

Verify that the syslog server is listening on port 514.

netstat -antup | grep 514

Output:

udp        0      0 0.0.0.0:514             0.0.0.0:*                           30918/rsyslogd      
udp6       0      0 :::514                  :::*                                30918/rsyslogd    
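The listener configuration above drops every remote message into the same /var/log/messages as the server's own logs. The script below is an added example, not part of the tutorial, that writes the same imtcp listener into a drop-in file and stores each client's messages in its own file under /var/log/remote/ by binding the input to a dedicated ruleset and a dynamic file template; the file names, the /var/log/remote directory and the listener check are our own choices, and it assumes the stock CentOS 8 /etc/rsyslog.conf includes /etc/rsyslog.d/*.conf.

```shell
#!/bin/sh
# Added example (not from the tutorial): render and install a server-side
# rsyslog drop-in that receives over TCP and keeps one file per sending host.
# Assumption: /etc/rsyslog.conf on CentOS 8 includes /etc/rsyslog.d/*.conf.

# Print the drop-in configuration for a TCP port and a base log directory.
render_server_conf() {
    port="${1:-514}"
    logdir="${2:-/var/log/remote}"
    cat <<EOF
# Receive syslog over TCP and hand remote messages to a dedicated ruleset
module(load="imtcp")
input(type="imtcp" port="${port}" ruleset="remote")

# One file per sending host; HOSTNAME is taken from the received message
template(name="RemoteLog" type="string" string="${logdir}/%HOSTNAME%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLog")
}
EOF
}

# Read netstat/ss output on stdin; succeed if a tcp/udp socket uses PORT.
listener_on_port() {
    grep -Eq "^(tcp|udp)6?[[:space:]]+.*:${1}[[:space:]]"
}

# Run as root with --apply on the syslog server: install, syntax-check
# with rsyslogd -N1, restart, then confirm the listener is up.
if [ "${1:-}" = "--apply" ]; then
    render_server_conf 514 /var/log/remote > /etc/rsyslog.d/10-remote.conf
    mkdir -p /var/log/remote
    rsyslogd -N1 && systemctl restart rsyslog
    sleep 1
    ss -lntup | listener_on_port 514 && echo "rsyslog listening on port 514"
fi
```

With this drop-in the client's messages land in /var/log/remote/client.log rather than /var/log/messages, so adjust the validation step accordingly (or drop the ruleset= binding to keep both). The check uses ss, which is installed by default on CentOS 8, whereas netstat requires the net-tools package.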

Client setup

Install the rsyslog package on the client in case the package doesn’t already exist.

dnf install -y rsyslog

Edit the /etc/rsyslog.conf file.

vi /etc/rsyslog.conf

At the end of the file, place the following line to forward the client’s log messages to the centralized syslog server.

UDP:

action(type="omfwd" Target="192.168.0.10" Port="514" Protocol="udp")

TCP:

action(type="omfwd" Target="192.168.0.10" Port="514" Protocol="tcp")

You can also use the hostname in Target.

Restart the syslog service

systemctl restart rsyslog

Now all log messages are sent to the central server, and the client also keeps a local copy.
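The single omfwd action above has no queue of its own: when the central server is down, a TCP action is suspended and messages pile up in memory until the client's rsyslog restarts, at which point they are gone. The script below is an added example, not the tutorial's own configuration, that renders the same forwarding action but, for TCP, attaches a disk-assisted action queue so pending messages are spooled under rsyslog's work directory and survive a reboot. It assumes the stock CentOS 8 rsyslog.conf sets workDirectory="/var/lib/rsyslog" and includes /etc/rsyslog.d/*.conf; the queue name, size cap and drop-in file name are our own choices.

```shell
#!/bin/sh
# Added example (not from the tutorial): client-side forwarding drop-in with a
# disk-assisted queue for TCP, plus a marked probe message for end-to-end checks.
# Assumption: workDirectory="/var/lib/rsyslog" is set by the stock config.

# Print the forwarding action for TARGET PORT PROTOCOL (udp|tcp). Fail on a
# missing target or unknown protocol so a typo never silently drops forwarding.
render_client_conf() {
    target="$1"; port="${2:-514}"; proto="${3:-tcp}"
    [ -n "$target" ] || { echo "target host or IP required" >&2; return 1; }
    case "$proto" in
        udp)
            # UDP is fire-and-forget; a queue would not help here
            printf 'action(type="omfwd" Target="%s" Port="%s" Protocol="udp")\n' "$target" "$port"
            ;;
        tcp)
            cat <<EOF
action(type="omfwd" Target="${target}" Port="${port}" Protocol="tcp"
       queue.type="LinkedList"          # in-memory queue that spills to disk
       queue.filename="fwd_central"     # spool file prefix under workDirectory
       queue.saveOnShutdown="on"        # flush pending messages to disk on restart
       queue.maxDiskSpace="1g"          # cap on the on-disk spool (our choice)
       action.resumeRetryCount="-1")    # keep retrying the server indefinitely
EOF
            ;;
        *)
            echo "unsupported protocol: $proto" >&2
            return 1
            ;;
    esac
}

# Send one uniquely marked message through the local syslog and print the
# marker, so it can be searched for in the server's log file afterwards.
send_probe() {
    marker="fwdcheck-$(date +%s)"
    logger -t rsyslog-forward-test "$marker"
    printf '%s\n' "$marker"
}

# Run as root with --apply [server] on the client: install, check, restart.
if [ "${1:-}" = "--apply" ]; then
    render_client_conf "${2:-192.168.0.10}" 514 tcp > /etc/rsyslog.d/10-forward.conf
    rsyslogd -N1 && systemctl restart rsyslog
    send_probe
fi
```

After applying, grep the printed marker in the server's log file; if it never arrives while the client's local /var/log/messages has it, the problem is on the network or firewall path rather than in the client's logging.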

Firewall

If the system uses FirewallD, run the following commands on the syslog server to accept incoming traffic on port 514.

UDP:

firewall-cmd --permanent --add-port=514/udp

firewall-cmd --reload

TCP:

firewall-cmd --permanent --add-port=514/tcp

firewall-cmd --reload

Validate

Go to the syslog server and view the messages log file.

tail -f /var/log/messages

I have installed and started vsftpd on the client machine; you can see that both events are recorded on the syslog server.

Jan 31 03:21:07 client systemd[1]: Stopping System Logging Service...
Jan 31 03:21:08 client rsyslogd[30944]: [origin software="rsyslogd" swVersion="8.37.0-13.el8" x-pid="30944" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jan 31 03:21:08 client systemd[1]: Stopped System Logging Service.
Jan 31 03:21:08 client systemd[1]: Starting System Logging Service...
Jan 31 03:21:08 client rsyslogd[30952]: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime  [v8.37.0-13.el8 try http://www.rsyslog.com/e/2442 ]
Jan 31 03:21:08 client systemd[1]: Started System Logging Service.
Jan 31 03:21:08 client rsyslogd[30952]: [origin software="rsyslogd" swVersion="8.37.0-13.el8" x-pid="30952" x-info="http://www.rsyslog.com"] start
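Watching tail -f confirms that one client is talking, but it does not tell you which expected hosts have gone quiet, which is exactly what happens when a client's forwarding breaks or its rsyslog is stopped. The script below is an added example, not part of the tutorial, that counts messages per host in the central log file and lists expected clients that are absent; it assumes the default CentOS 8 line format "Mon DD HH:MM:SS host program[pid]: message" shown above, and the sample log lines in it are constructed from the tutorial's output rather than captured data.

```shell
#!/bin/sh
# Added example (not from the tutorial): report which hosts are present in the
# central log and which expected clients are missing. Assumes the default
# "Mon DD HH:MM:SS host program[pid]: message" line format, hostname in field 4.

# Constructed sample modelled on the tutorial's output (not real captured data)
SAMPLE_LOG='Jan 31 03:21:07 client systemd[1]: Stopping System Logging Service...
Jan 31 03:21:08 client rsyslogd[30944]: [origin software="rsyslogd" swVersion="8.37.0-13.el8" x-pid="30944" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jan 31 03:21:08 client systemd[1]: Started System Logging Service.
Jan 31 03:21:09 server rsyslogd[30918]: [origin software="rsyslogd" swVersion="8.37.0-13.el8" x-pid="30918" x-info="http://www.rsyslog.com"] start'

# Print "host count" for every host found on stdin, sorted by host name.
hosts_reporting() {
    awk '{ n[$4]++ } END { for (h in n) print h, n[h] }' | sort
}

# Given a space-separated list of expected hosts, print those that never
# appear on stdin; a non-empty result means a client is not forwarding.
missing_clients() {
    seen=$(awk '{ print $4 }' | sort -u)
    for h in $1; do
        printf '%s\n' "$seen" | grep -qx "$h" || printf '%s\n' "$h"
    done
}

# Run with --check "host1 host2 ..." on the syslog server against the real file.
if [ "${1:-}" = "--check" ]; then
    echo "messages per host:"
    hosts_reporting < /var/log/messages
    echo "expected hosts with no messages:"
    missing_clients "${2:-client}" < /var/log/messages
fi
```

On the sample data the report shows three lines from client and one from server; asking for an unknown host such as db01 lists it as missing. Run it from cron against /var/log/messages (or the per-host files, if you store remote logs separately) to catch a silent client before its logs are needed.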

Conclusion

That’s All. I hope you successfully set up a centralized syslog server on CentOS 8 / RHEL 8. You can also use open-source log management tools like ELK stack or Graylog for more advanced features such as web interface, correlating log events, etc.
