How to create a centralized log server in CentOS/RHEL 7
A centralized log server lets you manage the logs of your client systems from one place: you no longer have to log in to each client to read its log files. This matters when you have a large number of systems on your network and want to do log management from a single dedicated log server.
Server setup
My server ip: 192.168.0.192
Install the rsyslog package if it is not installed already.
[root@centos ~]# yum install rsyslog
Then edit /etc/rsyslog.conf
[root@centos ~]# vi /etc/rsyslog.conf
Find the lines below
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
Uncomment the lines above so that the syslog server listens on TCP and UDP port 514. Keep in mind that plain syslog on port 514 is neither encrypted nor authenticated, and UDP in particular is trivially spoofable, so restrict the firewall rule to your client network and consider rsyslog's TLS support if the logs cross an untrusted network.
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
save and exit file.
Add the following lines to create templates for storing the logs forwarded by the clients. %HOSTNAME% is the host name the client writes into the message header (so it is whatever the sender claims; %FROMHOST-IP% would key the directory on the sender's address instead), and %PROGRAMNAME% is the syslog tag with the [pid] part removed. Both templates below expand to the same path, so the two rules differ only in what they select: authpriv at every level, and everything at info or above except mail, authpriv and cron.
$template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.* ?TmplAuth
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
save and exit file.
Allow rsyslog's default port 514 through the firewall.
[root@centos ~]# firewall-cmd --permanent --zone=public --add-port=514/tcp
[root@centos ~]# firewall-cmd --permanent --zone=public --add-port=514/udp
[root@centos ~]# firewall-cmd --reload
Restart and enable the rsyslog service.
[root@centos ~]# systemctl restart rsyslog.service
[root@centos ~]# systemctl enable rsyslog.service
Verify that the syslog server is listening (netstat comes from the net-tools package, which a minimal install may lack; ss from iproute shows the same information).
[root@centos ~]# netstat -antup | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 2382/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 2382/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 2382/rsyslogd
udp6 0 0 :::514 :::* 2382/rsyslogd
Client system setup
My client system ip: 192.168.0.13
Install the rsyslog package if you do not have it installed, then edit /etc/rsyslog.conf
At the end of the file add the following line to forward the client's messages to the server. A single @ forwards over UDP; use @@ for TCP, which is the more reliable choice because UDP gives no delivery guarantee and messages are silently lost when the server is unreachable. Note that this selector excludes authpriv, so sudo and SSH authentication messages stay on the client; forward them with authpriv.* or *.* if you want them centralized.
*.info;mail.none;authpriv.none;cron.none @192.168.0.192
You can also use the FQDN of your rsyslog server instead of the IP address.
save and close rsyslog config file.
Now enable and restart the rsyslog service.
[root@client ~]# systemctl enable rsyslog
[root@client ~]# systemctl stop rsyslog
[root@client ~]# systemctl start rsyslog
[root@client ~]# systemctl status rsyslog
You can verify from the client that the server's TCP port is reachable with telnet (this exercises only TCP; a UDP listener cannot be checked this way).
[root@client ~]# telnet 192.168.0.192 514
Now generate some log activity on the client. For testing, I am restarting the Apache service and sending a test message with logger, as below.
[root@client ~]# systemctl restart httpd
[root@client ~]# logger -i -t lampblogs "This is our first log test."
Now go to the rsyslog server and check whether these entries arrived. They also appear in /var/log/messages, because the server's default rule still matches them in addition to the template rules.
[root@centos ~]# tail -f /var/log/messages
Aug 26 17:30:21 client systemd: Stopping The Apache HTTP Server...
Aug 26 17:30:22 client systemd: Starting The Apache HTTP Server...
Aug 26 17:30:22 client httpd: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::ca5a:2c4e:3591:874d. Set the 'ServerName' directive globally to suppress this message
Aug 26 17:30:23 client systemd: Started The Apache HTTP Server.
Aug 26 17:32:39 client lampblogs[9420]: This is our first log test.
Likewise you can add multiple clients and check each client's logs under the following directory on the server. The server's own host name directory (centos here) also appears, because the template rules match the server's local messages as well.
[root@centos ~]# cd /var/log/client_logs/
[root@centos client_logs]# ls
centos client
[root@centos client_logs]# cd client/
[root@centos client]# ls
dbus.log dhclient.log httpd.log journal.log lampblogs.log rsyslogd.log systemd.log
Note: You can also forward only particular items. For example, to forward only mail messages, only cron messages, or everything, add one of the following lines under the RULES section (again, @ forwards over UDP and @@ over TCP).
mail.* @192.168.0.192:514 ### Mails only ###
cron.* @192.168.0.192:514 ### cron only ###
*.* @192.168.0.192:514 ### Everything ###
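The routing above is easier to reason about when you can run the selectors against sample messages. The following Python script is an added example, not part of the original tutorial and not rsyslog's own code: it parses RFC 3164 lines as they arrive on port 514, evaluates the tutorial's two server rules and the client's forwarding selector with sysklogd/rsyslog semantics, and expands the file templates, including a %FROMHOST-IP% variant that keys the directory on the sender's address rather than on the self-reported host name. The sample lines, the peer address 192.168.0.13 and the path-component check are this example's own constructions, and it covers only the selector syntax the page uses (a level, *, none, and =level).

```python
"""Simulate the rsyslog selector and template routing configured in this tutorial (added
example, not rsyslog code). A level matches itself and everything more severe, 'none'
excludes a facility, and a later selector entry overrides an earlier one for the same facility."""
import re
from dataclasses import dataclass
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}
FACILITY_CODES = {name: code for code, name in FACILITY_NAMES.items()}
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Wire format on port 514: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG, with PRI = facility*8 + severity
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$")

# The server's two rules (TmplAuth and TmplMsg expand to the same path) and the client's selector.
SERVER_RULES = [
    ("authpriv.*", "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"),
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"),
]
CLIENT_FORWARD_SELECTOR = "*.info;mail.none;authpriv.none;cron.none"

@dataclass
class Message:
    facility: int
    severity: int
    hostname: str      # %HOSTNAME%: copied from the header, so chosen by the sender
    fromhost_ip: str   # %FROMHOST-IP%: the peer address the server received from
    programname: str   # %PROGRAMNAME%: the TAG cut at the first ':', '[' or '/'
    msg: str

def parse_message(line, fromhost_ip):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri = int(m.group("pri"))
    programname = re.split(r"[:\[/]", m.group("tag"), maxsplit=1)[0]
    return Message(pri // 8, pri % 8, m.group("host"), fromhost_ip, programname, m.group("msg"))

def parse_selector(selector):
    """Map facility code -> set of severity codes that match (lower code = more severe)."""
    table = {}
    for part in selector.split(";"):
        facs, prio = part.strip().rsplit(".", 1)
        if prio == "*":
            allowed = set(range(8))
        elif prio == "none":
            allowed = set()
        elif prio.startswith("="):       # '=info' means exactly that level
            allowed = {SEVERITY_CODES[prio[1:]]}
        else:                            # 'info' means info and anything more severe
            allowed = set(range(SEVERITY_CODES[prio] + 1))
        codes = FACILITY_CODES.values() if facs == "*" else [FACILITY_CODES[f] for f in facs.split(",")]
        for code in codes:
            table[code] = allowed        # assignment, not union: a later entry overrides
    return table

def selector_matches(selector, msg):
    return msg.severity in parse_selector(selector).get(msg.facility, set())

def is_safe_component(value):
    """This example's own guard: one plain path component, no '/', not just dots, not empty."""
    return bool(re.fullmatch(r"[A-Za-z0-9._-]+", value)) and value.strip(".") != ""

def render_template(template, msg):
    props = {"%HOSTNAME%": msg.hostname, "%FROMHOST-IP%": msg.fromhost_ip,
             "%PROGRAMNAME%": msg.programname}
    for key, value in props.items():
        if key in template:
            if not is_safe_component(value):
                raise ValueError(f"refusing unsafe path component {value!r} for {key}")
            template = template.replace(key, value)
    return template

def client_forwards(line, selector=CLIENT_FORWARD_SELECTOR):
    """Would the client's '<selector> @192.168.0.192' rule send this message at all?"""
    return selector_matches(selector, parse_message(line, "127.0.0.1"))

def route(line, fromhost_ip, rules=SERVER_RULES):
    """Files the server's template rules append this message to."""
    msg = parse_message(line, fromhost_ip)
    return [render_template(tmpl, msg) for sel, tmpl in rules if selector_matches(sel, msg)]

# Constructed sample traffic, all received from the client at 192.168.0.13.
SAMPLE_LINES = [
    "<13>Aug 26 17:32:39 client lampblogs[9420]: This is our first log test.",                 # user.notice
    "<78>Aug 26 17:35:01 client CROND[9501]: (root) CMD (run-parts /etc/cron.hourly)",         # cron.info
    "<86>Aug 26 17:36:10 client sshd[9600]: Accepted publickey for root from 192.168.0.50 port 52112 ssh2",  # authpriv.info
    "<22>Aug 26 17:41:00 client postfix/smtpd[100]: connect from unknown[192.168.0.77]",       # mail.info
    "<13>Aug 26 17:42:00 centos rogue[1]: the HOSTNAME field is whatever the sender puts there",  # user.notice
]
if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"client forwards: {client_forwards(line)!s:5}  server writes: {route(line, '192.168.0.13')}")
    spoofed = parse_message(SAMPLE_LINES[-1], "192.168.0.13")
    print("keyed on the peer address:", render_template("/var/log/client_logs/%FROMHOST-IP%/%PROGRAMNAME%.log", spoofed))
```

Running it shows the three things the configuration text alone does not make obvious: the sshd line is authpriv and is therefore never forwarded by the client's selector even though the server has a rule for it; cron and mail lines are dropped by the .none entries; and the last line, sent by 192.168.0.13 but carrying the host name centos, lands in the server's own centos/ directory when the template uses %HOSTNAME%, but in 192.168.0.13/ when it uses %FROMHOST-IP%.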
That's all. The rsyslog server and client configuration is complete.