
    How to Setup Centralized Logging Server using Rsyslog

    By Rahul, December 27, 2013

    Rsyslog is the logging server used on Linux systems and is an enhanced version of syslog. Rsyslog can also store logs in databases (MySQL, PostgreSQL). It has been the default logging service since the CentOS/RHEL 6 release. This article covers configuring a centralized logging server in our hosting environment.

    This article will help you install the Rsyslog service on CentOS/RHEL 5 and configure Rsyslog to send all logs to a central server. Our main aim is to have all log files in one location, where we can easily back them up or run a parser over them in one place. We then don’t need to set up backups on each server individually.

    Step 1: Install Rsyslog Service

    Rsyslog is installed by default on RHEL-based systems from the RHEL 6 release onward. Install the Rsyslog service on the central logging system as well as on the client systems. Use the following command to install Rsyslog on earlier versions of RHEL/CentOS.

    # yum install rsyslog
    

    After installing, start the rsyslog service and make sure the old syslog service is stopped on the server.

    # service syslog stop
    # chkconfig syslog off
    
    # service rsyslog start
    # chkconfig rsyslog on
    

    Step 2: Configure Rsyslog on Central Logging Server

    Now we need to configure Rsyslog on central logging server to receive logs from remote clients and store them at different locations.

    Step 2.1 : Allow SELinux

    If you have SELinux enabled on your system, use the following command to allow rsyslog traffic on UDP port 514.

    # semanage port -a -t syslogd_port_t -p udp 514
    
    Step 2.2: Setup Log File Location

    Now edit the Rsyslog configuration file and configure the locations where log files will be generated on the system.

    # vim /etc/rsyslog.conf
    

    and add the following lines at the end of the file.

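     $template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
     # TmplMsg is used below but is not defined on this page; assumed here to use the same per-host path.
     $template TmplMsg, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

     authpriv.*   ?TmplAuth
     *.info;mail.none;authpriv.none;cron.none   ?TmplMsg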
    

    Step 2.3: Enable Module and UDP Protocol

    Also uncomment the following lines (remove the leading #) in the rsyslog configuration file to enable the UDP listener.

     $ModLoad imudp
     $UDPServerRun 514
    
    Step 2.4: Open Access in Firewall

    If you are using iptables to protect your system, you need to add the following rule to open the port.

    # iptables -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
    
    Step 2.5: Restart Rsyslog

    After making the above changes on the Rsyslog central server, restart the service using the following command.

    # service rsyslog restart
    

    Step 3: Configure Rsyslog on Client Nodes

    After configuring the centralized Rsyslog server, let’s configure the client systems to send their logs to it. Log in to each client node and edit the rsyslog configuration file.

     # vim /etc/rsyslog.conf
    

    Add the line below at the end of the file, replacing the hostname or IP with your central Rsyslog system’s IP/hostname.

    *.*   @192.168.1.254:514
    [or]
    *.*   @logserver.example.com:514
    

    Then restart the rsyslog service using the following command.

    # service rsyslog restart
    

    And your centralized logging server setup has been completed successfully.
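
    The script below is an added example, not part of the original article. It cross-checks a server and a client rsyslog.conf as edited in Steps 2 and 3: the UDP listener is enabled, every template used in a ?Name action has a $template definition, and each client forwards with a single @ (UDP) to the listening port. Function names and the sample files are constructed for illustration, and only the legacy directive syntax shown on this page is handled.

```shell
# Added example: cross-check the server and client rsyslog.conf edits from Steps 2 and 3.

# UDP port the server listens on; empty if imudp/UDPServerRun are still commented out.
server_udp_port() {
    awk '$1 == "$ModLoad" && $2 == "imudp" { loaded = 1 }
         $1 == "$UDPServerRun" { port = $2 }
         END { if (loaded && port != "") print port }' "$1"
}

# Templates used as a dynamic-file action (?Name) without a matching $template line.
undefined_templates() {
    awk '$1 == "$template" { n = $2; sub(/,.*/, "", n); defined[n] = 1 }
         $1 !~ /^#/ && $NF ~ /^[?]/ { used[substr($NF, 2)] = 1 }
         END { for (t in used) if (!(t in defined)) print t }' "$1"
}

# "proto host port" for each forwarding action: @host is UDP, @@host is TCP.
forward_targets() {
    awk '$1 !~ /^#/ && NF > 1 && $NF ~ /^@/ {
             t = $NF; proto = (t ~ /^@@/) ? "tcp" : "udp"
             sub(/^@+/, "", t); n = split(t, hp, ":")
             print proto, hp[1], (n > 1 ? hp[2] : 514)
         }' "$1"
}

# Succeeds only if the server config is complete and every client target matches it.
check_pair() {
    port=$(server_udp_port "$1")
    [ -n "$port" ] || { echo "server: UDP listener not enabled"; return 1; }
    missing=$(undefined_templates "$1")
    [ -z "$missing" ] || { echo "server: undefined template: $missing"; return 1; }
    targets=$(forward_targets "$2")
    [ -n "$targets" ] || { echo "client: no forwarding rule"; return 1; }
    bad=$(echo "$targets" | awk -v p="$port" '$1 != "udp" || $3 != p')
    [ -z "$bad" ] || { echo "client: not UDP/$port: $bad"; return 1; }
    echo "ok: clients forward to UDP/$port"
}

# Constructed sample files (not from a real host).
tmp=$(mktemp -d)
cat > "$tmp/server.conf" <<'EOF'
$ModLoad imudp
$UDPServerRun 514
$template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.*   ?TmplAuth
*.info;mail.none;authpriv.none;cron.none   ?TmplMsg
EOF
echo '*.*   @@192.168.1.254:514' > "$tmp/client.conf"
check_pair "$tmp/server.conf" "$tmp/client.conf" || true
```

    On a real system, pass /etc/rsyslog.conf from the server and from a client as the two arguments to check_pair.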


    9 Comments

    1. Mr Pac on October 3, 2019 4:41 am

      Hello. Can you tell me how to send the Apache access log to the rsyslog server?

      Reply
    2. asker on August 27, 2018 7:35 am

      This is good,
      but somehow you are not explaining why we are doing this and this and that.
      Example:

      $template TmplAuth, “/var/log/%HOSTNAME%/%PROGRAMNAME%.log”

      authpriv.* ?TmplAuth
      *.info,mail.none,authpriv.none,cron.none ?TmplMsg

      What is this doing in the configuration file? Why is it there? Is it mandatory or optional? Please enlighten us instead of just saying copy and paste this.

      Reply
    3. Sumanta on February 6, 2018 5:28 pm

      Hi,
      can you post “how to integrate a Linux machine with Windows Active Directory for login”?

      Reply
    4. Michael Cooper on June 27, 2016 1:01 pm

      Hello Everyone,

      I just discovered this and I love it. I am wondering why my clients are not sending their logs to the central log server. I have it set up exactly as you said to in the howto. Any ideas?

      Thanks,

      Reply
    5. pravesh on March 19, 2016 8:18 pm

      We have 3 RHEL servers, and on each server we are running a Tomcat server. We are planning to keep all Tomcat logs on one server using rsyslog, but we are not receiving the logs on the rsyslog server. Is there any way we can get the logs?

      Reply
    6. kazuya on June 4, 2015 9:41 am

      There is a spelling mistake in your document

      service syslog stop
      chkconfig syslog off

      It has to be

      service rsyslog stop
      chkconfig rsyslog off

      Reply
    7. Naidu-A on April 2, 2014 8:40 am

      I want to send only certain logs from /var/log/messages on the client server to the central rsyslog server. Can I define any conditions to send only messages like “UserAllowed” from the client server to the central rsyslog server?
      Is there any parameter like “grep” that I can define in the configuration file?
      Thanks!

      Reply
    8. justin on March 18, 2014 10:33 pm

      I have most of this working. Thanks for the start.

      I added a few files in the /etc/rsyslog.d folder to get apache working.

      My problem is that the clients all write messages (specified in the rsyslog.d folder) to their own /var/log/messages. I want them to only push to the remote site and still put standard messages on their own host, not the rsyslog.d files too.

      Reply
    9. vian on January 4, 2014 10:14 am

      Hello,

      I’ve been following your tutorial for this log analyzer at http://tecadmin.net/setup-loganalyzer-with-rsyslog-and-mysql/ and all is going smoothly, except that when I log in to the admin account I get the error “No syslog records found”. Is that normal?

      I’ve been thinking maybe it is because I have submitted no records yet, and I am trying to follow this next tutorial.

      And for this one, these are the questions I’ve been struggling with.
      1. I can’t run “semanage -a -t syslogd_port_t -p udp 514”, it says invalid argument. What should I do?
      2. At step 2.2, you give us guidance about,

      $template TmplAuth, “/var/log/%HOSTNAME%/%PROGRAMNAME%.log”

      authpriv.* ?TmplAuth
      *.info,mail.none,authpriv.none,cron.none ?TmplMsg

      But isn’t the data going to be stored in the MySQL database? What is this command for, if you could kindly explain it to me :p

      Reply
