Setup SysLog Server on CentOS 7 / RHEL 7

Raj, October 5, 2014. Filed under: CentOS 7, Logs, RHEL 7, Syslog

Today we will look at how to set up centralized log management for Linux servers, so that the logs of many servers are collected in one place. The admin then no longer has to log in to each server to check its logs; logging in to the central server is enough to monitor all of them.

Every syslog message carries a facility (auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, syslog, user, local0 to local7, and so on) that identifies the type of software that generated it, and a severity (emerg, alert, crit, err, warning, notice, info, debug). On the wire the two are packed into the PRI field at the start of the message as facility * 8 + severity, and rsyslog selectors such as *.info;authpriv.none match on the same pair.
You can find more information on facilities and severity levels in RFC 5424 (section 6.2.1).
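The following added example, which is not part of the original article, decodes the PRI field described above and splits an RFC 3164 line into facility.severity, timestamp, host, program and message, the way a collector or log parser would. It is plain POSIX sh; the three sample lines at the bottom are constructed for this example, and the facility numbers they carry (yum as user, systemd as daemon, sshd as auth) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): decode syslog PRI values and
# parse RFC 3164 lines. Sample lines below are constructed for this example.

# facility_name N: print the facility name for number N (0-23).
facility_name() {
    n=$1
    set -- kern user mail daemon auth syslog lpr news uucp cron authpriv ftp \
           ntp security console solaris-cron local0 local1 local2 local3 \
           local4 local5 local6 local7
    [ "$n" -ge 0 ] && [ "$n" -le 23 ] || { echo "unknown"; return 1; }
    while [ "$n" -gt 0 ]; do shift; n=$((n - 1)); done
    echo "$1"
}

# severity_name N: print the severity name for number N (0-7).
severity_name() {
    n=$1
    set -- emerg alert crit err warning notice info debug
    [ "$n" -ge 0 ] && [ "$n" -le 7 ] || { echo "unknown"; return 1; }
    while [ "$n" -gt 0 ]; do shift; n=$((n - 1)); done
    echo "$1"
}

# decode_pri PRI: PRI = facility * 8 + severity, so 38 -> auth.info.
# Anything that is not a number in 0..191 is reported as invalid.
decode_pri() {
    case $1 in
        ''|*[!0-9]*) echo "invalid"; return 1 ;;
    esac
    [ "$1" -le 191 ] || { echo "invalid"; return 1; }
    echo "$(facility_name $(($1 / 8))).$(severity_name $(($1 % 8)))"
}

# parse_syslog_line '<PRI>Mmm dd hh:mm:ss host tag[pid]: msg'
# Prints: facility.severity|timestamp|host|program|message
parse_syslog_line() {
    line=$1
    case $line in
        '<'*'>'*) ;;
        *) echo "no PRI field" >&2; return 1 ;;
    esac
    pri=${line#<}; pri=${pri%%>*}
    rest=${line#*>}
    ts=$(printf '%s' "$rest" | cut -c1-15)   # "Oct  5 06:04:13" is fixed width
    rest=${rest#????????????????}            # drop the 15-char timestamp + space
    host=${rest%% *}
    tagmsg=${rest#* }
    tag=${tagmsg%%:*}                        # "yum[2425]" or "systemd"
    program=${tag%%\[*}                      # strip the "[pid]" part
    msg=${tagmsg#*: }
    printf '%s|%s|%s|%s|%s\n' "$(decode_pri "$pri")" "$ts" "$host" "$program" "$msg"
}

# Constructed sample lines, as a client would put them on the wire.
SAMPLE='<13>Oct  5 06:03:53 client yum[2425]: Installed: vsftpd-3.0.2-9.el7.x86_64
<30>Oct  5 06:04:13 client systemd: Started Vsftpd ftp daemon.
<38>Oct  5 06:05:01 client sshd[2500]: Accepted publickey for admin from 192.168.12.10 port 50110 ssh2'

printf '%s\n' "$SAMPLE" | while IFS= read -r l; do parse_syslog_line "$l"; done
```

Running the file prints one pipe-separated record per sample line; the same decode_pri function is handy when reading raw captures of port 514 traffic, where only the numeric PRI is visible.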
Make sure you have the following before setting up the log server.
Two Linux servers ( server and client).
server.itzgeek.com 192.168.12.131
client.itzgeek.com 192.168.12.132

Server setup:
Install the rsyslog package, if it is not already installed (a standard CentOS 7 install ships it).
[root@server ~]# yum -y install rsyslog

Edit /etc/rsyslog.conf
[root@server ~]# vi /etc/rsyslog.conf

Uncomment the following lines so that the syslog server listens on TCP and UDP port 514. Note that plain syslog carries no authentication: with these settings rsyslog accepts messages on every interface from any host that can reach the port, so limit who can reach it with the firewall rules described further down.
From
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

To
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Restart the syslog service


[root@server ~]# systemctl restart rsyslog.service

Verify that the syslog server is listening. netstat comes from the net-tools package, which a minimal CentOS 7 install does not include; ss -lnptu | grep 514 shows the same information. The 0.0.0.0 and ::: addresses mean rsyslog is bound on all interfaces.

[root@server ~]# netstat -antup | grep 514
tcp        0      0 0.0.0.0:514     0.0.0.0:*     LISTEN      759/rsyslogd
tcp6       0      0 :::514          :::*          LISTEN      759/rsyslogd
udp        0      0 0.0.0.0:514     0.0.0.0:*                 759/rsyslogd
udp6       0      0 :::514          :::*                      759/rsyslogd

Client setup:
Install the rsyslog package if it is not already installed, then edit /etc/rsyslog.conf
[root@client ~]# vi /etc/rsyslog.conf

At the end of the file add the following line, which forwards the client's messages to the server:
*.info;mail.none;authpriv.none;cron.none @192.168.12.131

You can give either @hostname or @ip-address. A single @ forwards over UDP; @@ forwards over TCP, which is the better choice when the server listens on both, since UDP delivery is best-effort and its source address is trivially forged. Note that this selector forwards only messages of severity info and above and deliberately leaves out the mail, authpriv and cron facilities, so the contents of /var/log/secure, maillog and cron stay on the client; use *.* in its place if the central server should receive everything.


Restart the syslog service
[root@client ~]# systemctl restart rsyslog.service

Now the matching messages are sent to the central server, and the client still keeps its local copy.

Firewall port opening (optional):

Most production environments sit behind a hardware firewall; ask the network team to open TCP and UDP 514 from the clients to the log server.
If firewalld is enabled on the server (the CentOS 7 default; the commands below are firewalld commands, not iptables rules), run the following to accept incoming traffic on UDP / TCP port 514:
[root@server ~]# firewall-cmd --permanent --zone=public --add-port=514/tcp
[root@server ~]# firewall-cmd --permanent --zone=public --add-port=514/udp
[root@server ~]# firewall-cmd --reload

This opens the port to every host that can reach the public zone. Because plain syslog has no authentication, anyone who can reach the port can inject log lines or flood the server, so a rule limited to the client subnet is preferable where the network layout allows it.

You can verify that the port is open by connecting from the client:
[root@client ~]# telnet 192.168.12.131 514
Trying 192.168.12.131...
Connected to 192.168.12.131.
Escape character is '^]'.

"Connected" only proves that the TCP listener is reachable; it says nothing about UDP. If the connection is refused or times out, check the firewalld rules on the server and any network firewall in between rather than disabling the firewall on both machines. An end-to-end check that also exercises the forwarding rule is to run logger "test from client" on the client and watch for that line in the server's /var/log/messages.
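The server, client and firewall steps above work, but they leave the collector open to any host that can reach port 514, forward over UDP, and keep three facilities local. The following added example, which is not the article's configuration, renders hardened drop-in files using the module()/input()/action() syntax that the rsyslog 7.4 shipped with CentOS 7 accepts, writes per-host log files with the client-supplied hostname neutralised, spools on the client while the server is down, and restricts the firewall opening to the client subnet. The subnet 192.168.12.0/24, the file names under /etc/rsyslog.d and the /var/log/remote directory are assumptions. The IP-based sender check is only as strong as the network (UDP source addresses can be forged), which is one reason the client side forwards over TCP.

```shell
#!/bin/sh
# Added example, not the original article's configuration. Assumed values:
# 192.168.12.0/24 as the only subnet allowed to send, drop-in names under
# /etc/rsyslog.d, and /var/log/remote as the per-host log directory.

# render_server_conf CIDR: listener config for the central server.
render_server_conf() {
    subnet=${1:?usage: render_server_conf CIDR}
    cat <<EOF
# Same ports as before, but rsyslog itself drops senders outside $subnet.
# \$AllowedSender is a legacy directive: it must follow the module load and
# precede the input() it protects.
module(load="imudp")
\$AllowedSender UDP, $subnet
input(type="imudp" port="514")
module(load="imtcp")
\$AllowedSender TCP, $subnet
input(type="imtcp" port="514")

# One file per sending host and program. The hostname comes from the client
# and is attacker-controlled: secpath-replace turns any "/" into "_" so it
# cannot steer the write outside /var/log/remote, and a hostname containing
# ".." is discarded outright. Local messages (from 127.0.0.1) are skipped.
template(name="RemoteLogs" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")
if \$hostname contains ".." then stop
if \$fromhost-ip != "127.0.0.1" then action(type="omfile" dynaFile="RemoteLogs")
EOF
}

# render_client_conf SERVER: forwarding rule for each client.
render_client_conf() {
    server=${1:?usage: render_client_conf SERVER}
    cat <<EOF
# Forward every facility (the selector *.info;mail.none;authpriv.none;cron.none
# never sends the authentication events in /var/log/secure) over TCP, and
# spool to a disk queue under \$WorkDirectory while $server is unreachable
# instead of dropping messages.
*.* action(type="omfwd" target="$server" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_central"
           queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
EOF
}

# install_conf PATH: write stdin to PATH (mode 0644) and syntax-check it with
# rsyslogd -N1 when rsyslogd is present. Restart rsyslog afterwards.
install_conf() {
    dest=$1
    mkdir -p "$(dirname "$dest")"
    ( umask 022; cat > "$dest" )
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$dest" || { echo "syntax error in $dest" >&2; return 1; }
    fi
}

# run CMD...: execute, or only print the command when DRY_RUN is set, so the
# rules can be reviewed first (and this file can run on a box without firewalld).
run() {
    if [ -n "$DRY_RUN" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# firewall_allow_subnet CIDR: allow 514/tcp and 514/udp only from CIDR,
# instead of the open-to-everyone --add-port=514/... rules.
firewall_allow_subnet() {
    subnet=${1:?usage: firewall_allow_subnet CIDR}
    for proto in tcp udp; do
        run firewall-cmd --permanent --zone=public \
            --add-rich-rule="rule family=\"ipv4\" source address=\"$subnet\" port protocol=\"$proto\" port=\"514\" accept"
    done
    run firewall-cmd --reload
}

# Usage as root, on the server:
#   render_server_conf 192.168.12.0/24 | install_conf /etc/rsyslog.d/10-remote.conf
#   firewall_allow_subnet 192.168.12.0/24 && systemctl restart rsyslog
# and on each client:
#   render_client_conf 192.168.12.131 | install_conf /etc/rsyslog.d/90-forward.conf
#   systemctl restart rsyslog
# With no arguments this file only prints both configs and the firewall
# commands for review; nothing is changed.
if [ $# -eq 0 ]; then
    DRY_RUN=1
    render_server_conf 192.168.12.0/24
    render_client_conf 192.168.12.131
    firewall_allow_subnet 192.168.12.0/24
fi
```

With the server drop-in in place, remote messages still land in /var/log/messages as in the test below, and additionally in /var/log/remote/<host>/<program>.log, which keeps one noisy or hostile client from burying the others' entries in a single file.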

Test:
Monitor the activity from the log server by following the messages log (tailf is the util-linux follow utility; tail -f /var/log/messages does the same).
[root@server ~]# tailf /var/log/messages

I have installed and started vsftpd on the client machine; you can see both events recorded on the syslog server.
Oct  5 06:03:53 client yum[2425]: Installed: vsftpd-3.0.2-9.el7.x86_64
Oct  5 06:04:13 client systemd: Starting Vsftpd ftp daemon...
Oct  5 06:04:13 client systemd: Started Vsftpd ftp daemon.

In the same way you can monitor the other logs such as secure, mail and cron, provided the client's forwarding selector includes those facilities; the selector used above excludes authpriv, mail and cron, so those entries remain on the client until it is widened.
