Saturday, March 22, 2014

How to configure central Syslog in Red Hat Enterprise Linux 6

Rsyslog- Rsyslog is an open-source software utility used on UNIX and Unix-like systems for forwarding log messages over an IP network.

Packages- rsyslog
Port No- 514
Daemon- rsyslog
Script- /etc/init.d/rsyslog
Conf file- /etc/rsyslog.conf

My Rsyslog Server Details:
Syslog Server: syslog01.sourav.com 192.168.1.254
Client Server: client01.sourav.com 192.168.1.100

Server Side Configuration-

Step-1. Install the 'rsyslog' package.
# yum install rsyslog -y

Step-2. Next, we need to tell rsyslog to accept remote TCP and UDP syslog messages.

Open the file “/etc/rsyslog.conf” and uncomment the lines below.

# Provides UDP syslog reception
# $ModLoad imudp ---->Uncomment this line
# $UDPServerRun 514 ---->Uncomment this line
# Provides TCP syslog reception
# $ModLoad imtcp ---->Uncomment this line
# $InputTCPServerRun 514 ---->Uncomment this line

To do this-

# vim /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

:wq!

Step-3. Restart the rsyslog service.
# service rsyslog restart

Step-4. Open the syslog ports on your local firewall.
# iptables -I INPUT -p tcp --dport 514 -j ACCEPT
# iptables -I INPUT -p udp --dport 514 -j ACCEPT
# service iptables save
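Before restarting the service it is worth confirming that the edit in Step-2 actually took effect, since a directive left commented out means the server silently listens on nothing. The script below is an added example, not part of the original post: it checks a given rsyslog.conf for the four listener directives in their uncommented form, using two constructed sample files (one as shipped, one edited as above) as placeholders for the real /etc/rsyslog.conf.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the four Step-2
# directives are active (uncommented) in an rsyslog.conf before restarting.

# active REGEX FILE: true if some non-commented line of FILE consists of REGEX.
active() {
    grep -Eq "^[[:space:]]*$1[[:space:]]*$" "$2"
}

# check_rsyslog_listeners FILE: print one line per directive and return 0
# only if all four are active.
check_rsyslog_listeners() {
    conf=$1
    rc=0
    for spec in \
        'UDP input module loaded|\$ModLoad[[:space:]]+imudp' \
        'UDP listener on port 514|\$UDPServerRun[[:space:]]+514' \
        'TCP input module loaded|\$ModLoad[[:space:]]+imtcp' \
        'TCP listener on port 514|\$InputTCPServerRun[[:space:]]+514'
    do
        label=${spec%%|*}
        regex=${spec#*|}
        if active "$regex" "$conf"; then
            echo "OK       $label"
        else
            echo "MISSING  $label"
            rc=1
        fi
    done
    return $rc
}

# write_demo_configs DIR: constructed sample files standing in for
# /etc/rsyslog.conf, one as shipped (commented out) and one edited as in Step-2.
write_demo_configs() {
    cat > "$1/rsyslog.conf.before" <<'EOF'
# Provides UDP syslog reception
# $ModLoad imudp
# $UDPServerRun 514
# Provides TCP syslog reception
# $ModLoad imtcp
# $InputTCPServerRun 514
EOF
    cat > "$1/rsyslog.conf.after" <<'EOF'
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
EOF
}

# Stand-alone demo over the two constructed files.
demo=$(mktemp -d)
write_demo_configs "$demo"
for f in before after; do
    echo "== rsyslog.conf.$f"
    check_rsyslog_listeners "$demo/rsyslog.conf.$f" || echo "-> not ready to receive remote syslog"
done
rm -rf "$demo"
```

To check the real file, call check_rsyslog_listeners /etc/rsyslog.conf. Note also that the iptables rules above accept port 514 from any source address; on a server reachable beyond the client network, adding -s with the client subnet (192.168.1.0/24 in this setup) to each rule limits who can write into the central log.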

Client Side Configuration-

Step-1. Install the 'rsyslog' package.

# yum install rsyslog -y

Step-2. Edit “/etc/rsyslog.conf” and, under the 'RULES' section, add the line below to send ALL syslog events to the remote server.
#*.* @@remote-host:514 ---->Uncomment this line and change remote-host

To do this-

# vim /etc/rsyslog.conf
# remote host is: name/ip:port, e.g. 192.168.1.254:514, port optional
mail.* @@syslog01.sourav.com

OR, to forward every facility and priority rather than only mail.* messages-

# remote host is: name/ip:port, e.g. 192.168.1.254:514, port optional
*.* @@192.168.1.254:514

:wq!

Step-3. Restart the rsyslog service.
# service rsyslog restart

Step-4. Test the configuration-

On the client side, run the command below for testing.
For example, I am installing something via yum or generating some log; I have run the command below:

# logger "I am generating log for testing to remote rsyslog server"
# logger "I am generating log for testing to remote rsyslog server"
# logger "I am generating log for testing to remote rsyslog server"
# logger "I am generating log for testing to remote rsyslog server"

Step-5. Check the log on the server side-

You will see the lines below appear in the logs on your syslog server-
# tailf /var/log/messages   (or: cat /var/log/messages)
2014-03-22T20:35:23+05:08 client root: I am generating log for testing to remote rsyslog server
2014-03-22T20:35:23+05:08 client root: I am generating log for testing to remote rsyslog server
2014-03-22T20:35:23+05:08 client root: I am generating log for testing to remote rsyslog server
2014-03-22T17:35:24+05:08 client root: I am generating log for testing to remote rsyslog server
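Eyeballing tailf output works for one client; once several hosts forward to the central server you want a repeatable check that the test messages arrived from the expected host, and a list of every host writing into the log so that a missing client or an unexpected sender stands out. The script below is an added example, not part of the original post. It assumes the timestamp-first line format shown above (timestamp, hostname, tag, message) and runs over a constructed sample log rather than the real /var/log/messages.

```shell
#!/bin/sh
# Added example (not from the original post): server-side checks over a
# messages file in the timestamp-first format shown above.

# count_from_host LOG HOST NEEDLE: number of lines logged by HOST whose text
# contains the fixed string NEEDLE. Field 2 is the hostname in this format.
count_from_host() {
    awk -v host="$2" -v needle="$3" \
        '$2 == host && index($0, needle) > 0 { n++ } END { print n + 0 }' "$1"
}

# sender_hosts LOG: every hostname seen in LOG with its line count, sorted,
# one per line.
sender_hosts() {
    awk '{ c[$2]++ } END { for (h in c) print h, c[h] }' "$1" | sort
}

# write_demo_log FILE: constructed sample log: three forwarded test messages
# from the client, one local line from the server itself, and one from a host
# that was never configured as a client (hostname is a placeholder).
write_demo_log() {
    cat > "$1" <<'EOF'
2014-03-22T20:35:23+05:08 client root: I am generating log for testing to remote rsyslog server
2014-03-22T20:35:23+05:08 client root: I am generating log for testing to remote rsyslog server
2014-03-22T20:35:23+05:08 client root: I am generating log for testing to remote rsyslog server
2014-03-22T20:35:24+05:08 syslog01 root: local entry on the syslog server (constructed)
2014-03-22T20:36:01+05:08 unknown-host root: I am generating log for testing to remote rsyslog server
EOF
}

# Stand-alone demo over the constructed sample.
log=$(mktemp)
write_demo_log "$log"
echo "test messages received from client: $(count_from_host "$log" client "remote rsyslog server")"
echo "hosts writing to this server (name, line count):"
sender_hosts "$log"
rm -f "$log"
```

On the real server, call count_from_host /var/log/messages client "remote rsyslog server" right after running logger on the client: a count of 0 means forwarding, the firewall or the listener is at fault, and sender_hosts /var/log/messages shows whether the client is reaching the server under the hostname you expect.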