How to Setup Rsyslog as a Central Logging Server in CentOS

Rumaisa Niazi
5 min readJul 5, 2021

--

A Guide to Central Logging System

Photo by Markus Spiske on Unsplash

Logs are a critical component of any network infrastructure. They maintain a plethora of diagnostic information from the system operations of the kernel, applications, daemons, services events, to network activity, user actions, and so on.

They maintain transparency of server events to help troubleshoot Linux system issues. The ideal practice is to aggregate logs at a single location to manage and view the log data. Centralizing logs protect against accidental data loss and ensures accessibility in case of server unresponsiveness.

The most popular of all tools for log centralization in Linux systems is Rsyslog. In this guide, we will learn to centralize the Rsyslog logging platform in CentOS.

Rsyslog

Rsyslog is an open-source, powerful, lightweight log processing daemon that accepts messages from all sorts of systems and outputs them in multiple formats. It’s an evolved form of Syslog daemon and has configurations similar to it.

But, it allows additional module inclusion to manage and direct log messages to various log files and devices, offering an enterprise-level log management system.

Rsyslog has a client-server model that enables it to be set as a client or a centralized logging system attaining both roles simultaneously.

It can run as a server collecting logs sent by other network devices. Or, as a client by sending log messages of local system events to a remote syslog server.

For this tutorial, I assume you have both machines. I am setting CentOS as a rsyslog server and Fedora as a workstation for the rsyslog client.

Rsyslog Server Installation

Most Linux distributions come with preinstalled rsyslog package and its dependencies. Execute the following command to verify its installation.

$rpm -qi rsyslog | less

If the package is not already available, use the following command in CentOS.

$sudo yum update && yum install rsyslog

Start the service and enable it to ensure it starts as soon as the system boots.

$sudo systemctl start rsyslog
$sudo systemctl enable rsyslog

Check the service status to confirm its initialization.

$sudo systemctl status rsyslog

Rsyslog Server Configuration

The /etc/rsyslog.conf file is the main configuration file of the rsyslog service, whereas all the log messages are directed towards the files inside the /var/log directory.

The main configuration file contains load modules, global directives, and rules for processing various log details and their respective files. That is, it either record all the log details or only the critical ones.

The modules section allows running specific rsyslog services. By default, the imjournal and imusock modules are set to import systemd journal messages and accept application messages from the local system. Similarly, the imklog module collects kernel messages, respectively.

Set the UDP or TCP protocols and ports in the file to configure rsyslog as a centralized logging server. To set UDP protocol, which is a faster but unreliable protocol, search and uncomment the following lines.

#module(load=”imudp”)
#input(type=”imudp” port=”514")

To set TCP, which is a more reliable connection, search and uncomment the following lines.

#module(load=”imtcp”)
#input(type=”imtcp” port=”514")

Replace the port number with the port address that client uses to send messages. For this setup, we will use both connections.

Configure Rsyslog Rules

Setting up rules is the most crucial part of configuring the /etc/rsyslog.conf file. Following is an example of some of the rules from the Rules section.

The ruleset syntax for processing and saving remote logs is as follows:

facility.priority()(for processing log messages rules) destination (where to store log)
  • facility: the type of process sending logs, can be kernel, cron, daemon, etc.
  • priority: the security level or type of log, emerg (0), alert (1), crit (2), err-(3), warn (4), notice (5), info (6), debug (7).
  • destination: location to save log messages, local file host (/var/log directory), or remote syslog server identified by @ IP:port.

Use of * in place of facility/priority represents all facilities and security levels. No * at priority place indicates no security. All the messages are processed based on facility and priority values.

For instance, mail.info facility.priority will log all details from the mailing service that are informational and above.

Rsyslog Template

Rsyslog offers a feature named template that enables the user to specify and format rsyslog output. We will use a directive $template for dynamic file name generation to receive and sort remote logs from the client/hostname in the /var/log directory under the client’s facility file name.

$template TEMPLATE_NAME,”text %PROPERTY% text”, [OPTION]
$template RemoteLogs,”/var/log/%HOSTNAME%/%PROGRAMME%.log”
*.* ?RemoteLogs
& ~

Next, we set a rule to accept all types and priorities of messages from the client machine. Whereas, the last line instructs rsyslog to message processing once written to the file. Now save the file and restart rsyslog to apply recent changes.

Now run the netstat command to confirm rsyslog is listening to the ports on 514.

$sudo netstat -pnltu | grep “rsyslogd”

Lastly, open the default Rsyslog port on the CentOS firewall to receive logs from the client machine.

$sudo firewall-cmd — add-port=514/tcp — zone=public — permanent
$sudo firewall-cmd — add-port=514/udp — zone=public — permanent

Lastly, open the default Rsyslog port on the CentOS firewall to receive logs from the client machine.

$sudo firewall-cmd — reload

Configure Rsyslog Client

We will now set Fedora machine as Rsyslog client to send messages to the remote rsyslog server. Check if the service is already running or installed. If not, use the commands from the “Rsyslog Installation” section.

Open the main configuration file and append the following lines at the end of the file.

*.* @server_IP:514 # for UDP protocol*.* @@server_IP:514 #for TCP protocol

The above lines will force the rsyslog service to be a client and send all locally generated log messages from all facilities with all priority levels to the remote server.

To send logs from a specific service, for instance, for kernel messages, use:

kern.* @@server_IP:514

Save the file, enable the firewall to send logs via Rsyslog port 514, and restart the rsyslog service.

$sudo firewall-cmd — add-port=514/tcp — zone=public — permanent
$sudo firewall-cmd — reload
$sudo systemctl restart rsyslog
$sudo systemctl enable rsyslog

Verify Remote Logging

The final step is to verify if the Remoter rsyslog server is logging messages from the client. To verify monitoring, list the /var/log directory to locate ip-client_hostname. If it exists, open the /var/log/client_hostname directory to confirm log files inside it.

$cd /var/log && ls -la |grep “fedora”
drwx------ 2 root root 4096 Jul 6 11:00 fedora
$cd fedora && ls -la

That’s it, guys! You have successfully configured Rsyslog as a central logging server.

Happy Learning!

--

--

Responses (1)