How to set up a centralized log server using Rsyslog on CentOS 7

Introduction:
In today's blog post, we will walk through setting up a centralized log server using Rsyslog on CentOS 7 or RHEL 7. With this setup the log files of many client systems are collected in one place, so you no longer have to log in to each client to read them. Beyond convenience, an off-box copy of every client's logs is what lets you reconstruct events when a client is compromised and its local logs are altered or wiped, which makes a dedicated log server worthwhile even for a modest number of systems.

Environment:
For this guide, we will be using two CentOS 7 servers: one as the Rsyslog server and the other as the client.

Rsyslog Server:
OS: CentOS 7
IP-Address 192.168.2.10
Hostname logservers

Client Server:
OS: CentOS 7
IP-Address 192.168.2.11
Hostname node01

Server configuration

1. Create a separate partition (or logical volume) for the client logs

Keeping the forwarded logs on their own filesystem means a chatty or misbehaving client can fill that filesystem, but cannot exhaust the root filesystem and take the log server down with it. Mount it on /var/log/client_logs (the mount point directory has to exist before you mount):

[root@logservers ~]# df -h /var/log/client_logs/
Filesystem             Size  Used Avail Use% Mounted on
/dev/mapper/vg01-lv01  2.0G   33M  2.0G   2% /var/log/client_logs
[root@logservers ~]#

2. Back up the rsyslog configuration file

[root@logservers ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.orig

3. Open the rsyslog configuration file

[root@logservers ~]# vi /etc/rsyslog.conf

Under the MODULES section, uncomment the two imtcp lines so rsyslog listens for TCP connections on port 514, and add a ruleset and a template for the forwarded messages directly after them:

[...]
$ModLoad imtcp                        ### This is for TCP
$RuleSet remote                       ### rules that apply only to messages from clients
$template TmplRemote,"/var/log/client_logs/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log"
*.* ?TmplRemote
$RuleSet RSYSLOG_DefaultRuleset       ### back to the normal rules for the server's own logs
$InputTCPServerBindRuleset remote     ### everything received on the TCP listener goes to "remote"
$InputTCPServerRun 514
[...]

Three details matter here. The template stores each message in a directory named after the sending host and a file named after the program that logged it. The "remote" ruleset is bound to the TCP listener, so forwarded messages are written only there and do not also end up in the server's own /var/log/messages and /var/log/secure; the server's local logging is untouched. The selector is *.* rather than authpriv.* because the client below forwards every facility and the logger test message uses the user facility; narrow it if you only want authentication logs centralized. Finally, %HOSTNAME% is whatever the client puts in the message header, so it is attacker-controlled: the secpath-replace option turns every "/" into "_", so a forged hostname carrying path separators cannot steer the write outside /var/log/client_logs. If you would rather key the directories on the sender's address than on its claimed name, use %FROMHOST-IP% instead.

Save and close the file.

4. Create the client log directory "client_logs" (it already exists if you mounted a filesystem on it in step 1)

[root@logservers ~]# mkdir -p /var/log/client_logs

5. Allow the Rsyslog default port 514/tcp through the firewall. The following command opens it with firewalld. Keep in mind that plain TCP syslog is neither encrypted nor authenticated: any host that can reach the port can inject messages under any hostname, so open the port only to the networks your clients live on (a firewalld rich rule with a source address does this), or use rsyslog's TLS support if the clients are not on a trusted network.

[root@logservers ~]# firewall-cmd --permanent --add-port=514/tcp

6. Reload firewalld so the change takes effect.

[root@logservers ~]# firewall-cmd --reload

7. Finally, restart the Rsyslog service so it picks up the new configuration:

[root@logservers ~]# systemctl restart rsyslog
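The server side of steps 2 to 7, collected into one script as an added example (this is not code from the original post). It places the configuration in a drop-in file under /etc/rsyslog.d instead of editing /etc/rsyslog.conf, does the same job as the template and TCP listener configured above in the newer rsyslog syntax, binds the listener to its own ruleset so forwarded messages stay out of the server's own log files, and opens the port only to the client network. The drop-in name 10-remote.conf and the client network 192.168.2.0/24 are assumptions; the script expects to run as root with the argument install, and without an argument it only defines its functions.

```shell
#!/bin/bash
# Added example: deploy the rsyslog server side of this tutorial.
# Assumptions (not from the original post): drop-in /etc/rsyslog.d/10-remote.conf,
# clients on 192.168.2.0/24.  Usage: ./logserver.sh install   (as root)
set -eu

CLIENT_NET="${CLIENT_NET:-192.168.2.0/24}"     # assumed client network
LOG_ROOT="${LOG_ROOT:-/var/log/client_logs}"
DROPIN="${DROPIN:-/etc/rsyslog.d/10-remote.conf}"

# Write the server configuration to the file named in $1.
# - The "remote" ruleset is bound to the TCP listener, so forwarded messages are
#   written only under LOG_ROOT and never mixed into the server's own logs.
# - secpath-replace turns any "/" in the client-supplied HOSTNAME or program
#   name into "_", so a forged hostname cannot steer the write outside LOG_ROOT.
# - Directories and files are created readable by root only; widen the group
#   later for whoever needs to read the logs.
write_server_conf() {
    cat > "$1" <<EOF
module(load="imtcp")

template(name="TmplRemote" type="string"
         string="${LOG_ROOT}/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="TmplRemote"
           dirCreateMode="0750" fileCreateMode="0640")
}

input(type="imtcp" port="514" ruleset="remote")
EOF
}

# firewalld rich rule admitting 514/tcp from the client network only, instead of
# the tutorial's --add-port=514/tcp, which accepts syslog from any address.
fw_rule() {
    printf 'rule family="ipv4" source address="%s" port port="514" protocol="tcp" accept' "$CLIENT_NET"
}

install_server() {
    mkdir -p "$LOG_ROOT"
    chmod 750 "$LOG_ROOT"
    write_server_conf "$DROPIN"
    rsyslogd -N1                                   # syntax-check the whole config before restarting
    firewall-cmd --permanent --add-rich-rule="$(fw_rule)"
    firewall-cmd --reload
    systemctl restart rsyslog
    ss -ltn sport = :514                           # confirm the listener is up
}

case "${1:-}" in
    install) install_server ;;
    show)    write_server_conf /dev/stdout ;;
    *)       : ;;                                  # no argument: define functions only
esac
```

Run it with show first to review the generated drop-in, then with install. Because the drop-in is a separate file, the original /etc/rsyslog.conf stays untouched and the change is easy to revert by deleting the file and restarting rsyslog.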


Client configuration

1. Back up the rsyslog configuration file

[root@node01 ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.orig

2. Open the rsyslog configuration file

[root@node01 ~]# vi /etc/rsyslog.conf

Under the ##RULES## section, add the following line. The @@ prefix forwards over TCP (a single @ would use UDP, which loses messages silently), followed by the log server's address and port. In this minimal form, messages generated while the log server is unreachable are discarded; the commented $ActionQueue* lines in the stock CentOS 7 rsyslog.conf, just above the forwarding example at the end of the file, show how to add a disk-assisted queue so they are spooled and retried instead:

[...]
        ##RULES## 
*.* @@192.168.2.10:514     ## This is for TCP
[...]

3. Finally, restart the Rsyslog service so it picks up the new configuration:

[root@node01 ~]# systemctl restart rsyslog

- Restart any service on the client, or generate a test message with the logger command, and then confirm it arrives on the log server. Note that logger writes to the user facility by default, so the test message only shows up under client_logs if the server's rule matches that facility (authpriv.* alone would not catch it):

[root@node01 /]# logger "This test message"
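The client side of steps 1 to 3, as an added example rather than code from the original post. It replaces the bare forwarding line with the same rule in the newer rsyslog syntax plus a disk-assisted queue, so that messages produced while the server is down are spooled on the client and delivered later instead of being dropped, and it ends with a tagged test message that is easy to find on the server. The drop-in name 20-forward.conf, the queue name and the rsyslog-test tag are assumptions; the script expects to run as root with the argument install.

```shell
#!/bin/bash
# Added example: client-side forwarding to the central server.
# Assumptions (not from the original post): drop-in /etc/rsyslog.d/20-forward.conf,
# server 192.168.2.10.  Usage: ./logclient.sh install   (as root)
set -eu

LOG_SERVER="${LOG_SERVER:-192.168.2.10}"
DROPIN="${DROPIN:-/etc/rsyslog.d/20-forward.conf}"

# Write the forwarding rule to the file named in $1.  The bare "*.* @@host:514"
# form drops messages whenever the server is unreachable; the queue parameters
# below spool them to disk in the WorkDirectory set in /etc/rsyslog.conf
# (/var/lib/rsyslog on CentOS 7), retry forever and flush on shutdown, so an
# outage, or an attacker cutting the link, leaves a backlog instead of a hole.
write_client_conf() {
    cat > "$1" <<EOF
*.* action(type="omfwd" target="${LOG_SERVER}" port="514" protocol="tcp"
           queue.type="LinkedList"
           queue.filename="fwd_logservers"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
EOF
}

# Tag for the test message: with the server's %PROGRAMNAME% template it lands in
# /var/log/client_logs/<host>/rsyslog-test.log, separate from real daemon logs.
TEST_TAG="rsyslog-test"

install_client() {
    write_client_conf "$DROPIN"
    rsyslogd -N1                                   # syntax-check before restarting
    systemctl restart rsyslog
    logger -t "$TEST_TAG" "forwarding test from $(hostname) at $(date +%FT%T%z)"
    echo "now run on the server: tail /var/log/client_logs/$(hostname)/${TEST_TAG}.log"
}

case "${1:-}" in
    install) install_client ;;
    show)    write_client_conf /dev/stdout ;;
    *)       : ;;                                  # no argument: define functions only
esac
```

If you keep the original `*.* @@192.168.2.10:514` line as well, every message is forwarded twice; use one or the other.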

Validation 

- Log in to the log server and check that a directory has been created for the client and that it holds the forwarded logs (centOS01 in the listing below is a second client forwarding to the same server):

[root@logservers ~]# ls -lrt /var/log/client_logs/
total 4
drwx------ 2 root root 4096 Jul 26 23:55 centOS01
drwx------ 2 root root  141 Jul 27 00:02 node01

[root@logservers ~]#

[root@logservers ~]# tail /var/log/client_logs/node01/systemd.log
2020-07-26T23:57:33-04:00 node01 systemd: Created slice User Slice of root.
2020-07-26T23:57:33-04:00 node01 systemd: Started Session 3 of user root.
2020-07-26T23:57:38-04:00 node01 systemd: Stopping OpenSSH server daemon...
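Once the logs are laid out per host, "which clients have stopped reporting?" becomes a question about file modification times. The following is an added example, not part of the original post: it lists the client directories under /var/log/client_logs that contain no *.log file modified in the last N minutes, together with each host's most recent activity. The log root and the 30-minute default are assumptions. A client that goes quiet may simply be down or misconfigured, but it may also be a host where an intruder has stopped or redirected rsyslog, which is exactly the situation the central copy exists for.

```shell
#!/bin/bash
# Added example: flag clients that have gone quiet, using the per-host directory
# layout the server template creates.  Assumptions (not from the original post):
# log root /var/log/client_logs, 30-minute threshold.
# Usage: ./silent-clients.sh [root] [minutes]
set -eu

# Print, one per line, the host directories under $1 that contain no *.log file
# modified within the last $2 minutes.
silent_hosts() {
    local root="$1" max_minutes="$2" hdir
    for hdir in "$root"/*/; do
        [ -d "$hdir" ] || continue
        # -mmin -N selects files modified less than N minutes ago; one hit means alive
        if find "$hdir" -maxdepth 1 -name '*.log' -mmin -"$max_minutes" | grep -q .; then
            continue
        fi
        basename "$hdir"
    done
}

# For each host, print the newest log file and when it was last written, so the
# report also shows how long a quiet host has been quiet.
last_activity() {
    local root="$1" hdir newest
    for hdir in "$root"/*/; do
        [ -d "$hdir" ] || continue
        newest=$(ls -t "$hdir"*.log 2>/dev/null | head -n 1) || true
        if [ -n "$newest" ]; then
            printf '%s\t%s\t%s\n' "$(basename "$hdir")" "$(basename "$newest")" "$(date -r "$newest" '+%F %T')"
        else
            printf '%s\t-\tno log files\n' "$(basename "$hdir")"
        fi
    done
}

# With arguments the script reports and exits non-zero when a client is quiet,
# so it can run from cron or a monitoring check; without arguments it only
# defines the functions above.
if [ -n "${1:-}" ]; then
    ROOT="$1"; MINUTES="${2:-30}"
    last_activity "$ROOT"
    quiet=$(silent_hosts "$ROOT" "$MINUTES")
    if [ -n "$quiet" ]; then
        printf 'WARNING: no logs in the last %s minutes from: %s\n' "$MINUTES" "$(echo "$quiet" | tr '\n' ' ')"
        exit 2
    fi
fi
```

Run it as `./silent-clients.sh /var/log/client_logs 30` on the log server. The threshold should be longer than the quietest legitimate interval between messages from your clients; on hosts that log very little, a periodic `logger` heartbeat from cron keeps the check meaningful.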

Conclusion:
We hope this tutorial has been helpful in guiding you through the setup of a centralized log server using Rsyslog on CentOS 7. If you need further information or have any questions, please feel free to comment below, and we will be glad to assist you!
