Rsyslog is the logging daemon found in recent Linux distributions such as CentOS 6/7 or RHEL 6/7. Using this daemon, it is possible to send logs from one server to another. I will show you how to do that in a basic way.
I have two CentOS 7 servers and I will use rsyslog. On older versions your logging daemon might be syslog. You can also configure syslog, but I recommend installing rsyslog using:
yum install rsyslog -y
Then, if you are using an older version, you can stop syslog and run rsyslog. (It is not possible to run both at the same time.)
I name the server which will collect logs as “localhost”.
The server which will send log files is “ftpserver”.
Let’s start.
1) Configuring /etc/rsyslog.conf in “localhost”.
Open the /etc/rsyslog.conf file, find the lines below and uncomment them.
You can also use the UDP protocol instead of TCP. The logic is the same, but I will use TCP.
Save and close it.
2) Configuring /etc/rsyslog.conf in “ftpserver”.
My server, which will send the log files, has to allow a TCP connection for rsyslog to the remote server.
At the end of the config file you will find a line containing “remote-host:514”. Below it, add a “facility and severity” rule; here it is *.*, which means everything. Then provide the remote host’s IP address with the default port number 514. A double @ at the beginning of the IP address indicates a TCP connection. If you are using the UDP protocol, you have to put a single @ sign.
To learn more about rsyslog configuration you can refer to the Red Hat guide:
Restart rsyslog on both servers.
systemctl restart rsyslog.service
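A quick way to check that steps 1 and 2 agree with each other, as an added example that is not part of the original article: the script reads a receiver and a sender configuration and reports forwarding rules (@@ for TCP, @ for UDP) that have no matching listener. It assumes the legacy $InputTCPServerRun and $UDPServerRun listener directives of the stock CentOS 7 file and hostname or IPv4 targets; the sample configurations and the 192.0.2.10 address are constructed.

```shell
#!/bin/sh
# Added example: compare a sender's forwarding rules with a receiver's listeners.

# Constructed sample for the receiver ("localhost"): only TCP reception uncommented.
RECEIVER_CONF='#$ModLoad imudp
#$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514'

# Constructed sample for the sender ("ftpserver"); 192.0.2.10 is a placeholder IP.
SENDER_CONF='#*.* @@remote-host:514
*.* @@192.0.2.10:514
authpriv.* @192.0.2.10'

# Read a config on stdin, print "PROTO PORT" for each uncommented listener.
listeners() {
    awk '
        /^[ \t]*#/                   { next }   # still commented out
        /^[ \t]*\$InputTCPServerRun/ { print "tcp", $2 }
        /^[ \t]*\$UDPServerRun/      { print "udp", $2 }
    '
}

# Read a config on stdin, print "PROTO SELECTOR HOST PORT" per forwarding rule.
forwards() {
    awk '
        /^[ \t]*#/ { next }
        $2 ~ /^@/ {
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"   # @@ = TCP, single @ = UDP
            target = $2; sub(/^@+/, "", target)
            n = split(target, hp, ":")
            port = (n > 1) ? hp[2] : "514"         # 514 when no port is given
            print proto, $1, hp[1], port
        }
    '
}

# Print every forwarding rule the receiver has no matching listener for.
unmatched() {   # usage: unmatched "$receiver_conf" "$sender_conf"
    have=$(printf '%s\n' "$1" | listeners)
    printf '%s\n' "$2" | forwards | while read -r proto sel host port; do
        printf '%s\n' "$have" | grep -qxF "$proto $port" ||
            echo "no $proto/$port listener for: $sel -> $host"
    done
}

unmatched "$RECEIVER_CONF" "$SENDER_CONF"
```

On real hosts, pass the file contents instead of the samples, for example unmatched "$(cat receiver.conf)" "$(cat sender.conf)", where receiver.conf and sender.conf are hypothetical local copies of each server's /etc/rsyslog.conf.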
TRY WHAT YOU DID
Now it’s time to test the configuration. We will send a log message from ftpserver to localhost.
On the recipient server (in this article it’s “localhost”), run tail -f /var/log/messages to watch log messages live.
Go to the sender server’s terminal and type:
[root@ftpserver ~]# logger itecshweb "HELLO"
[root@ftpserver ~]#
On the remote server you will see the message arrive.
[root@localhost ~]# tail -n 3 /var/log/messages
Jan 18 21:32:17 ftpserver nm-dispatcher: req:1 'dhcp4-change' [eth1]: start running ordered scripts...
Jan 18 21:33:35 ftpserver root: itecshweb HELLO
Jan 18 21:34:33 ftpserver root: itecshweb HELLO
[root@localhost ~]#
IF IT DOES NOT WORK
If it does not work after you have made the configuration, the problem could be SELinux policies and/or the firewall on the receiver side.
# semanage port -l | grep syslog
#syslogd_port_t tcp (or udp) 514
The command above should return 514 as the default port. If the SELinux label is wrong or the port number is not listed, you can add it properly with the following command:
# semanage port -a -t syslogd_port_t -p tcp 514
Before doing that, try setting SELinux to permissive mode:
# setenforce 0
This way you can be sure that the problem comes from SELinux.
The other issue can be related to firewall settings.
[root@localhost ~]# firewall-cmd --list-ports | grep -i 514
[root@localhost ~]#
Port 514, used by the rsyslog service, is not registered in the firewall rules. That’s why the firewall is blocking log messages.
To add the port, run:
[root@localhost ~]# firewall-cmd --add-port=514/tcp --zone=public --permanent
Success
Then restart firewalld:
[root@localhost ~]# systemctl restart firewalld.service
[root@localhost ~]# firewall-cmd --list-ports | grep -i 514
514/tcp
[root@localhost ~]#
Now your server is able to receive logs from a remote server by allowing connections on port 514 over TCP. You can test it.
Note that with this configuration, the messages are written to /var/log/messages on both the client and the server side.