Rsyslog is the logging daemon in recent Linux distributions such as CentOS 6/7 or RHEL 6/7. With this daemon it is possible to send logs from one server to another. I will show you how to do that in a basic way.

I have two CentOS 7 servers and I will use rsyslog. In older versions your logging daemon might be syslog. You can also configure syslog, but I recommend installing rsyslog by using:

Then, if you are using an older version, you can stop syslog and run rsyslog. (It is not possible to run both at the same time.)

I will call the server that collects the logs “localhost”.

The server that sends the log files is “ftpserver”.

Let’s start.

1) Configuring /etc/rsyslog.conf on “localhost”.

Open the /etc/rsyslog.conf file, find the lines below and uncomment them.

You can also use the UDP protocol instead of TCP. The logic is the same, but I will use TCP.

Save and close it.

2) Configuring /etc/rsyslog.conf on “ftpserver”.

The server that sends the log files has to be able to open a TCP connection to rsyslog on the remote server.

At the end of the config file you will find a line containing “remote-host:514”. Below it, add a “facility and severity” rule; here it is *.*, which means everything. Then provide the remote host’s IP address with the default port number 514. A double @ at the beginning of the IP address indicates a TCP connection. If you are using the UDP protocol, you have to put a single @ sign.

To learn more about rsyslog configuration you can refer to the Red Hat guide:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/s1-basic_configuration_of_rsyslog

Restart rsyslog on both servers.
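To check the two files from steps 1 and 2 against each other before testing, the following added example (not part of the original article) parses legacy-format rsyslog.conf text, extracts the @/@@ forwarding rules, and reports any rule that the collector has no matching listener for. The sample configs and the collector address 192.0.2.10 are constructed, and the $ModLoad / $InputTCPServerRun directive names are assumed to be the lines step 1 refers to.

```python
import re

# Legacy-format forwarding action: "<selector> @host[:port]" is UDP, "@@host[:port]" is TCP.
FORWARD = re.compile(r"^(\S+)\s+(@{1,2})([^\s:@]+)(?::(\d+))?$")
# Legacy module/listener directives used for reception on the collecting server (assumed).
MODLOAD = re.compile(r"^\$ModLoad\s+(imtcp|imudp)$")
LISTEN = re.compile(r"^\$(InputTCPServerRun|UDPServerRun)\s+(\d+)$")

def active_lines(conf_text):
    """Yield stripped lines that are neither blank nor commented out."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def forwarding_rules(conf_text):
    """Return (selector, proto, host, port) for each active forwarding rule."""
    rules = []
    for line in active_lines(conf_text):
        m = FORWARD.match(line)
        if m:
            proto = "tcp" if m.group(2) == "@@" else "udp"
            rules.append((m.group(1), proto, m.group(3), int(m.group(4) or 514)))
    return rules

def listeners(conf_text):
    """Return {(proto, port)} for listeners whose input module is also loaded."""
    loaded, ports = set(), set()
    for line in active_lines(conf_text):
        mod, lis = MODLOAD.match(line), LISTEN.match(line)
        if mod:
            loaded.add(mod.group(1))
        elif lis:
            proto = "tcp" if lis.group(1) == "InputTCPServerRun" else "udp"
            ports.add((proto, int(lis.group(2))))
    return {(p, n) for p, n in ports if "im" + p in loaded}

def unmatched(sender_conf, receiver_conf):
    """Forwarding rules on the sender that no receiver listener accepts."""
    accepted = listeners(receiver_conf)
    return [r for r in forwarding_rules(sender_conf) if (r[1], r[3]) not in accepted]

# Constructed sample configs; 192.0.2.10 stands in for the collector ("localhost" in the article).
RECEIVER = "#$ModLoad imudp\n#$UDPServerRun 514\n$ModLoad imtcp\n$InputTCPServerRun 514\n"
SENDER_TCP = "#*.* @@remote-host:514\n*.* @@192.0.2.10:514\n"
SENDER_UDP = "*.* @192.0.2.10:514\n"

if __name__ == "__main__":
    print(forwarding_rules(SENDER_TCP))
    print(unmatched(SENDER_TCP, RECEIVER), unmatched(SENDER_UDP, RECEIVER))
```

A non-empty result from unmatched() means the sender's protocol or port does not agree with what the collector listens on, for example a single @ (UDP) rule pointed at a TCP-only receiver.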

TRY WHAT YOU DID

Now it’s time to test the configuration. We will send a log message from ftpserver to localhost.

On the recipient server (in this article it’s “localhost”), run tail -f /var/log/messages to watch log messages live.

Go to the sender server’s terminal and type

On the remote server you will see the message arrive.

IF IT DOES NOT WORK

If it does not work after you have made the configuration, the problem could be SELinux policies and/or the firewall on the receiver side.

The above command should return 514 as the default port. If the SELinux label is wrong or the port number is missing, you can add it properly with the following command:

# semanage port -a -t syslogd_port_t -p tcp 514

Before doing that, try setting SELinux to permissive mode:

# setenforce 0

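This way you can be sure that the problem comes from SELinux. Permissive mode is only a diagnostic step; return to enforcing mode once you have confirmed the cause.

The other issue can be related to the firewall settings.

Port 514, used by the rsyslog service, is not registered in the firewall rules. That is why the firewall is blocking the log messages.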

To add the port, do:

Then restart firewalld.

Now your server is able to receive logs from a distant server by allowing connections on port 514 over TCP. You can test it.

Note that this configuration will write both client-side and server-side logs to /var/log/messages.