Rsyslog is the logging server used on Linux systems. It is an enhanced version of syslog and can also store logs in databases (MySQL, PostgreSQL). It has been the default logging server since the CentOS/RHEL 6 release. This article covers configuring a centralized logging server in our hosting environment.



This article will help you to install the Rsyslog service on CentOS/RHEL 5 and configure Rsyslog to send all logs to a central server. Our main aim is to have all of our log files in one location, from where we can easily back them up or run a parser over them in one place, instead of setting up a backup on each server individually.

Step 1: Install Rsyslog Service

Rsyslog is installed by default on RHEL-based systems from the RHEL 6 release. Install the Rsyslog service on the central logging system as well as on the client systems. Use the following command to install it on earlier versions of RHEL/CentOS.

# yum install rsyslog

After installing, start the rsyslog service and make sure the old syslog service is stopped and disabled on the server.

# service syslog stop
# chkconfig syslog off

# service rsyslog start
# chkconfig rsyslog on

Step 2: Configure Rsyslog on Central Logging Server

Now we need to configure Rsyslog on the central logging server to receive logs from remote clients and store them in separate files.

Step 2.1: Allow SELinux

If SELinux is enabled on your system, use the following command to label UDP port 514 for rsyslog traffic. If udp/514 is already assigned to syslogd_port_t (it is in the stock targeted policy), semanage reports the port as already defined and no change is needed.

# semanage port -a -t syslogd_port_t -p udp 514

Step 2.2: Setup Log File Location

Now edit the Rsyslog configuration file and configure the locations where the log files will be created on the system.

# vim /etc/rsyslog.conf

and add the following lines at the end of the file.

 # One file per source host and program, e.g. /var/log/web01/sshd.log
 $template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
 # TmplMsg is referenced below but was not defined in the original; the same path pattern is assumed
 $template TmplMsg, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

 # authpriv messages use TmplAuth; everything at info or above, except mail, authpriv and cron, uses TmplMsg
 authpriv.*   ?TmplAuth
 *.info,mail.none,authpriv.none,cron.none   ?TmplMsg
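Added example (not from the article): a small Python model of what the two rules above do to one received message. It splits the PRI value into facility and severity, evaluates each selector the way the legacy syslog parser does (later parts override earlier ones, so mail.none carves mail out of *.info; ';' or the article's ',' may separate parts), and expands the template into the output path. Because the UDP receiver takes HOSTNAME and PROGRAMNAME straight from an unauthenticated packet, the path fields are sanitised so they cannot escape /var/log/<host>/. TmplMsg is assumed to share TmplAuth's path; the sample messages in the tests are constructed.

```python
import re

# RFC 3164 facility and severity numbering.
FAC_CODE = {n: i for i, n in enumerate(["kern", "user", "mail", "daemon", "auth",
            "syslog", "lpr", "news", "uucp", "cron", "authpriv", "ftp"])}
FAC_CODE.update({f"local{i}": 16 + i for i in range(8)})
SEV_CODE = {n: i for i, n in enumerate(["emerg", "alert", "crit", "err",
            "warning", "notice", "info", "debug"])}

# Rules and template from Step 2.2 (TmplMsg assumed to share TmplAuth's path).
TEMPLATE = "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
RULES = [("authpriv.*", "TmplAuth"),
         ("*.info,mail.none,authpriv.none,cron.none", "TmplMsg")]
RFC3164 = re.compile(r"^<(\d{1,3})>\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) "
                     r"([^\s:\[]+)(?:\[\d+\])?: ?(.*)$")

def selector_matches(selector, fac, sev):
    """'fac.prio' selects prio and anything more severe, 'none' drops the facility,
    and later parts override earlier ones (so mail.none carves mail out of *.info).
    Parts may be separated by ';' or ',' as in the article's rule."""
    allowed = None                       # minimum severity code allowed so far
    pending = []                         # facilities sharing the next ".prio"
    for tok in re.split(r"[;,]", selector):
        tok = tok.strip()
        if "." not in tok:
            pending.append(tok)
            continue
        fac_name, prio = tok.rsplit(".", 1)
        for name in pending + [fac_name]:
            if name == "*" or FAC_CODE.get(name) == fac:
                allowed = None if prio == "none" else 7 if prio == "*" else SEV_CODE[prio]
        pending = []
    return allowed is not None and sev <= allowed

def safe_path_field(field):
    """HOSTNAME/PROGRAMNAME come from an unauthenticated UDP packet: never let
    them escape /var/log/<host>/ (cf. rsyslog's secpath-replace property option)."""
    field = field.replace("\x00", "").replace("/", "_")
    return "_" if field in ("", ".", "..") else field

def route(message):
    """Return (template name, output file) for each rule the message matches."""
    m = RFC3164.match(message)
    if not m:
        return []
    pri, host, prog, _text = m.groups()
    fac, sev = divmod(int(pri), 8)       # PRI = facility * 8 + severity
    path = (TEMPLATE.replace("%HOSTNAME%", safe_path_field(host))
                    .replace("%PROGRAMNAME%", safe_path_field(prog)))
    return [(name, path) for sel, name in RULES if selector_matches(sel, fac, sev)]
```

A message that matches no rule here is not lost: the stock rules earlier in rsyslog.conf (for example the one writing /var/log/cron) still apply to it.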

Step 2.3: Enable Module and UDP Protocol

Also uncomment the following lines (remove the leading #) in the rsyslog configuration file to load the UDP input module and listen on port 514.

 $ModLoad imudp
 $UDPServerRun 514

Step 2.4: Open Access in Firewall

If you are using iptables to protect your system, add the following rule to open the port. Because -A appends, the rule must end up before any final REJECT rule in the INPUT chain, and the rules must be saved so the change survives a reboot.

# iptables -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

Step 2.5: Restart Rsyslog

After making the above changes on the Rsyslog central server, restart the service using the following command.

# service rsyslog restart

Step 3: Configure Rsyslog on Client Nodes

After configuring the centralized Rsyslog server, let's configure the client systems to send their logs to it. Log in to each client node and open the configuration file:

# vim /etc/rsyslog.conf

Add the line below at the end of the file, replacing the IP address or hostname with that of your central Rsyslog server. The single @ sends over UDP, matching the imudp listener configured on the server.

*.*   @192.168.1.254:514
[or]
*.*   @logserver.example.com:514

and restart the rsyslog service using the following command.

# service rsyslog restart

Your centralized logging server setup is now complete.


9 Comments

  1. This is good..
    but somehow you are not explaining why we are doing this and that.
    Example:

    $template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

    authpriv.* ?TmplAuth
    *.info,mail.none,authpriv.none,cron.none ?TmplMsg

    What is this doing in the configuration file? Why it? Is it mandatory or optional? Please enlighten us instead of saying copy and paste this.

  2. Michael Cooper on

    Hello Everyone,

    I just discovered this and I love it. I am wondering why my clients are not sending their logs to the central log server. I have it setup exactly as you said to in the howto. Any ideas?

    Thanks,

  3. We have 3 RHEL servers and on each server we are running a Tomcat server. We are planning to keep all Tomcat logs on one server using rsyslog. But we are not receiving the logs on the rsyslog server. Is there any way we can get the logs?

  4. There is a spelling mistake in your document

    service syslog stop
    chkconfig syslog off

    It has to be

    service rsyslog stop
    chkconfig rsyslog off

  5. I want to send only certain logs from /var/log/messages on the client server to the central rsyslog server. So can I define any conditions to send only messages like "UserAllowed" from the client server to the central rsyslog server?
    Is there any parameter like "grep" I can define in the configuration file?
    Thanks!

  6. I have most of this working. Thanks for the start.

    I added a few files in the /etc/rsyslog.d folder to get apache working.

    My problem is that the clients all write messages (specified in the rsyslog.d folder) to their own /var/log/messages. I want them to only push to the remote site and still put standard messages on their own host, not the rsyslog.d files too.

  7. Hello,

    I've been following your tutorial for this log analyzer at http://tecadmin.net/setup-loganalyzer-with-rsyslog-and-mysql/ and all went smoothly except when I log into the admin account, I get the error "No syslog records found".. Is that normal?

    I've been thinking maybe it is because I submitted no record yet.. and I am trying to follow this next tutorial.

    And for this one, this is the question I've been struggling with.
    1. I can't run "semanage -a -t syslogd_port_t -p udp 514", it says invalid argument. What should I do?
    2. At step 2.2, you give us guidance about

    $template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

    authpriv.* ?TmplAuth
    *.info,mail.none,authpriv.none,cron.none ?TmplMsg

    but isn't the data going to be stored in the MySQL database? What is this command for, if you could kindly explain to me :p
