27 December 2013

How to Setup Centralized Logging Server using Rsyslog

Written by Rahul K. | December 27, 2013

Rsyslog is logging server used in Linux systems. Its an enhanced version of Syslog. Rsyslog also support databases ( MySQL, PostgreSQL ) to store logs. It is default logging server used from CentOS/RHEL 6 release. Rsyslog is an enhanced version os syslog service in Linux. This article is for configuring Centralized Logging Server in our hosting environment.

This article will help you to install Rsyslog service on CentOS/RHEL 5 and configure Rsyslog to send all logs to a central server. Our main aim is that all of our log files should be at on location from where we can easily backup them or use any parser to parse them at one place. We don’t need to setup backup on each server individually.

Step 1: Install Rsyslog Service

Rsyslog is default installed on RHEL based systems from RHEL 6 release. Install Rsyslog service at central logging system as well as client systems. Use following commands to install Rsyslog service in earlier version of RHEL/CentOS systems.

# yum install rsyslog

After installing start rsyslog service and make sure syslog is stopped on server.

# service syslog stop
# chkconfig syslog off

# service rsyslog start
# chkconfig rsyslog on

Step 2: Configure Rsyslog on Central Logging Server

Now we need to configure Rsyslog on central logging server to receive logs from remote clients and store them at different locations.

Step 2.1 : Allow SELinux

If you have SELinux enabled on your system, Use following command to enable rsyslog traffic on port 514.

# semanage -a -t syslogd_port_t -p udp 514

Step 2.2: Setup Log File Location

Now edit Rsyslog configuration file and configure the location’s to generate log files in system.

# vim /etc/rsyslog.conf

and add following lines as the end of file.

 $template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

 authpriv.*   ?TmplAuth
 *.info,mail.none,authpriv.none,cron.none   ?TmplMsg

Step 2.3: Enable Module and UDP Protocol

Also remove comment from following lines ( remove starting # ) in rsyslog configuration file to enable UDP.

 $ModLoad imudp
 $UDPServerRun 514

Step 2.4: Open Access in Firewall

If you are using iptables to protect your system, then you need to add following rule to open port

# iptables -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

Step 2.5: Restart Rsyslog

After making above changes in Rsyslog central server, restart service using following command.

# service rsyslog restart

Step 3: Configure Rsyslog on Client Nodes

After configuring Rsyslog centralized server, lets configure clients system to send there logs to central Rsyslog server. Login to each client nodes and add following line at end of the file

 # vim /etc/rsyslog.conf

add below line, change hostname or ip with your central Rsyslog systems ip/hostname.

*.*   @192.168.1.254:514
[or]
*.*   @logserver.example.com:514

and restart rsyslog service using following command.

# service rsyslog restart

And your centralized logging server setup has been completed successfully.

Rahul K.

I, Rahul Kumar am the founder and chief editor of TecAdmin.net. I am a Red Hat Certified Engineer (RHCE) and working as an IT professional since 2009..

7 Comments

Sumanta Reply to Sumanta
February 6, 2018 at 5:28 pm
hi,
can you post ” how to integrate linux machine to windows active directory for login”
Michael Cooper Reply to Michael
June 27, 2016 at 1:01 pm
Hello Everyone,
I just discovered this and I love it. I am wondering why my clients are not sending their logs to the central log server. I have it setup exactly as you said to in the howto. Any ideas?
Thanks,
pravesh Reply to pravesh
March 19, 2016 at 8:18 pm
We have 3 RHEL server and on each server we are running tomcat server. We are planning to keep all tomcat logs on one server using rsyslogs. But we are not receiving the logs rsyslog server. is there any way so we can get the logs.
kazuya Reply to kazuya
June 4, 2015 at 9:41 am
There is a spell mistake in your document
service syslog stop
chkconfig syslog off
It has to be
service rsyslog stop
chkconfig rsyslog off
Naidu-A Reply to Naidu-A
April 2, 2014 at 8:40 am
I want to send only certain logs from /var/log/messages on client server to central rsys log server. So can I define any conditions to send only message like “UserAllowed” from client server to central rsys log server?.
Is there any parameter like “grep” I can define in configuration file?
Thanks!
justin Reply to justin
March 18, 2014 at 10:33 pm
I have most of this working. Thanks for the start.
I added a few files in the /etc/rsyslog.d folder to get apache working.
My problem is that the clients all write messages(specified in the rsyslog.d folder) to the /var/log/messages of itself. I want them to only push to remote site and still put standard messages on it’s own host, not the rsyslog.d files too.
vian Reply to vian
January 4, 2014 at 10:14 am
hello,,
i’ve been following ur tutorial for this log analyzer in http://tecadmin.net/setup-loganalyzer-with-rsyslog-and-mysql/ and all going smoothly except when i login into admin account, i found error “No syslog records found”.. is that normal ?
i’ve been thinking mybe it is cz i submit no record yet.. and i trying to following this next tutorial.
and for this one, this is the question i;ve struggling.
1. i can;t run “semanage -a -t syslogd_port_t -p udp 514”, it says invalid argument. What should i do ?
2. @step 2.2, u give us guide about,
$template TmplAuth, “/var/log/%HOSTNAME%/%PROGRAMNAME%.log”
authpriv.* ?TmplAuth
*.info,mail.none,authpriv.none,cron.none ?TmplMsg
but isn;t that the data will be store in mysql database ? what this command for if u could kindly explain to me :p