Hamsa K
6 min read | 3 months ago

How to Setup Syslog server in Centos 7

How to create centralized log server in Centos /RHEL 7

This is very useful to manage the logs of your client systems from a common place. You don’t have to visit the client systems when you want to check the log files of your client systems. if you have large number of systems on your network and want to do the log management from a centralized dedicated log server.

Server setup

My server ip:

Install rsyslog package if it is not installed already.

[root@centos ~]# yum install rsyslog

Then edit /etc/rsyslog.conf

[root@centos ~]# vi /etc/rsyslog.conf

Find below lines 

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

Uncomment above lines to enable syslog server to listen on tcp and udp port.

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

save and exit file.

Add the following lines to create a template to storing the logs forwarded by the clients

$template TmplAuth, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/client_logs/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.* ?TmplAuth
*.info;mail.none;authpriv.none;cron.none ?TmplMsg

save and exit file.

Allow Rsyslog default port 514 on your firewall 

[root@centos ~]# firewall-cmd --permanent --zone=public --add-port=514/tcp
[root@centos ~]# firewall-cmd --permanent --zone=public --add-port=514/udp
[root@centos ~]# firewall-cmd --reload

start and enable syslog service.

[root@centos ~]# systemctl restart rsyslog.service
[root@centos ~]# systemctl enable rsyslog.service

Verify the syslog server listening

[root@centos ~]# netstat -antup | grep 514
tcp        0      0   *               LISTEN      2382/rsyslogd       
tcp6       0      0 :::514                  :::*                    LISTEN      2382/rsyslogd       
udp        0      0   *                           2382/rsyslogd       
udp6       0      0 :::514                  :::*                                2382/rsyslogd 

Clent system setup

My client system ip:

Install syslog package, if you do not have it installed. Edit /etc/rsyslog.conf

At the end of file place the following line to point the client message log to the server

*.info;mail.none;authpriv.none;cron.none   @

You can also mention the FQDN of your Rsyslog server instead of IP address.

save and close rsyslog config file.

Now you can enable and start rsyslog service.

[root@client ~]# systemctl enable rsyslog
[root@client ~]# systemctl stop rsyslog
[root@client ~]# systemctl start rsyslog
[root@client ~]# systemctl status rsyslog

You can verify the port opening by issuing the following commands from client.

[root@client ~]# telnet 514

Run anything on your client system.For testing i am restarting apache service and running test message like below.

[root@client ~]# systemctl restart httpd
[root@client ~]# logger -i -t lampblogs "This is our first log test."

Now, go to the Rsyslog server machine and check if this log is found.

[root@centos ~]# tail -f /var/log/messages
Aug 26 17:30:21 client systemd: Stopping The Apache HTTP Server...
Aug 26 17:30:22 client systemd: Starting The Apache HTTP Server...
Aug 26 17:30:22 client httpd: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::ca5a:2c4e:3591:874d. Set the 'ServerName' directive globally to suppress this message
Aug 26 17:30:23 client systemd: Started The Apache HTTP Server.
Aug 26 17:32:39 client lampblogs[9420]: This is our first log test.

Likewise you can add multiple clients and check each client logs in following server folder path.

[root@centos ~]# cd /var/log/client_logs/
[root@centos client_logs]# ls
centos  client
[root@centos client_logs]# cd client/
[root@centos client]# ls
dbus.log  dhclient.log  httpd.log  journal.log  lampblogs.log  rsyslogd.log  systemd.log

Note: You can also log particular items. Say for example, to log only mail messages or cron only stuff or evrything, then add any of the following lines under RULES section.

mail.* @    ### Mails only ###
cron.* @    ### cron only  ###
*.* @       ### Everything ###

That’s all. Rsyslog server and client configuration is done successfully.

Warning! This site uses cookies
By continuing to browse the site, you are agreeing to our use of cookies. Read our terms and privacy policy