How to Set up a Central Logging Server using Rsyslog on CentOS

If you are a system administrator who happens to be managing a large number of servers for your organization, then having a centralized logging server can make your life easier. In this article, we are going to learn how to configure a logging server for all your systems using Rsyslog.

Rather than connecting to several different machines by hand to read their logs, Rsyslog lets you collect them in one place and can save you a lot of time.

What is Rsyslog?

Rsyslog is a powerful log processing application that manages log messages with high performance and robust security. It is an open-source utility that can collect and process log messages from different sources like network devices, programs, and applications.

One of the most powerful features of Rsyslog is that it can easily be configured as a central logging server that receives logs from multiple different sources.

Most Linux environments already come with Rsyslog preinstalled. If not, check out the following Rsyslog documentation on how to install it on your machine:

Step 1

We are going to edit the rsyslog.conf file. I like to use Vim but you can use any other text editor you like.

So type in the following command:

$ sudo vi /etc/rsyslog.conf

Step 2

You should now be inside your rsyslog.conf file. It should contain a configuration similar to the one below:

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

Then look for the section “# provides TCP syslog reception”.

This is the main configuration file for Rsyslog, through which you control the flow of log messages from one service to another.

Step 3

Underneath the TCP syslog reception section, you will see the following statements:

#module(load="imtcp")
#input(type="imtcp" port="514")

Uncomment both of these lines. So, it should look like this:

module(load="imtcp")
input(type="imtcp" port="514")

What’s happening here is that the first line loads the TCP input module and the second one tells rsyslog to listen for incoming syslog messages on port 514.

Step 4

Save and exit the file.

Step 5

Now we are going to restart our syslog server using the following command:

sudo systemctl restart rsyslog

Step 6

This step involves configuring the firewall to allow data into our server. As a result, we have to tell our firewall to allow traffic through the port that rsyslog is listening on.

To allow traffic through the listening port, type:

sudo firewall-cmd --permanent --add-port=514/tcp

If the command runs successfully, then you should see the following output:

success

Step 7

And now restart the firewall, using the following command:

sudo firewall-cmd --reload

Before we proceed to the next step, you should know that the next part involves testing our logging server using a different machine. In this case that is going to be our client machine which will be sending out logs to the server we just set up.


Step 8

Hopefully, by this point, you have a client machine on the same network to send your logs to the logging server.

But before we can send logs to our logging server, we have to configure our client machine.

What we need to do here is modify the client’s /etc/rsyslog.conf file. So type the following command again to open rsyslog.conf on this machine:

sudo vi /etc/rsyslog.conf

Step 9

Scroll down until you see the section ‘begin forwarding rule’.

We are not going to stress about any other directives in this section. Instead, we will just change the following line:

#*.* @@remote-host:514

Uncomment the line and replace the “remote-host” part with your logging server’s IP address (you can check the IP address of your logging server using the command ifconfig or ip a).

The line should look similar to this now:

*.* @@172.31.90.62:514

After that, save and exit the file.

Step 10

Remember we are configuring our client machine now. If you have any confusion then go through the previous steps again.

In this step, we are going to restart our Rsyslog service. Type the following command on your client machine to do that:

sudo systemctl restart rsyslog

Step 11

Test the logging server by sending some logs from the client machine.

Go back to your logging server and type:

sudo tail -f /var/log/messages

You will see that your client machine has already started sending logs to the logging server. From now on, log messages generated on your client machine will be forwarded to the logging server.
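As an added example (not code from the original article or from the rsyslog project), the following script generates the server listener from Step 3 and the client forwarding line from Step 9 as drop-in files for /etc/rsyslog.d/ instead of editing /etc/rsyslog.conf by hand, and validates the server address before it is written. It goes beyond the article in one respect: remote messages are kept in per-client files named after the connecting peer's IP rather than mixed into /var/log/messages. The file names and the assumption that rsyslog.conf includes /etc/rsyslog.d/*.conf (the CentOS default) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original article or of the rsyslog project.
# Generates the server listener (Step 3) and the client forwarding rule (Step 9)
# as drop-ins for /etc/rsyslog.d/. Assumes rsyslog 8 syntax on CentOS; the
# drop-in file names used in the usage comments are assumptions.
set -eu

# Accept only a dotted-quad IPv4 address with each field 0-255, so the
# "remote-host" placeholder from Step 9 can never be written out by mistake.
valid_ipv4() {
  ip=$1
  old_ifs=$IFS; IFS=.; set -f      # split on dots, no glob expansion
  set -- $ip
  set +f; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for field in "$@"; do
    case $field in ''|*[!0-9]*) return 1 ;; esac
    [ "$field" -le 255 ] || return 1
  done
}

# Server side. Network messages go to their own ruleset and per-client files
# instead of /var/log/messages. The file name uses %FROMHOST-IP% (the peer that
# actually connected) rather than %HOSTNAME%, which is whatever the sender chose
# to put in the message header.
server_conf() {
  cat <<'EOF'
module(load="imtcp")
template(name="RemoteFile" type="string" string="/var/log/remote/%FROMHOST-IP%.log")
ruleset(name="remote") { action(type="omfile" dynaFile="RemoteFile") }
input(type="imtcp" port="514" ruleset="remote")
EOF
}

# Client side: the forwarding rule from Step 9. "@@" selects TCP; a single "@"
# would be UDP. Plain TCP syslog is neither encrypted nor authenticated, so keep
# it on a trusted network or use rsyslog's TLS support for imtcp/omfwd.
client_conf() {
  server=$1
  valid_ipv4 "$server" || { echo "client_conf: not an IPv4 address: $server" >&2; return 1; }
  printf '*.* @@%s:514\n' "$server"
}

# Usage on the server (as root), followed by Steps 5-7 from the article:
#   server_conf > /etc/rsyslog.d/10-remote.conf
#   rsyslogd -N1                      # syntax-check the full config first
#   systemctl restart rsyslog && ss -ltn | grep ':514'
# Usage on the client:
#   client_conf 172.31.90.62 > /etc/rsyslog.d/90-forward.conf
```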

Conclusion

Congratulations! You have successfully configured this machine to receive logs from a different system.

Follow the same steps if you want to configure multiple different systems to send logs to your logging server.

I also want you to know that this article focuses solely on setting up the log server on CentOS. The procedure on other distributions may vary slightly, so keep that in mind.

Learn more about Rsyslog here from the official website:


What do you think about Rsyslog? Do you think it makes a sys admin’s life easier?
