Configure the syslog server in Linux and configure the rsyslog client in CentOS to remotely record logs.

Configure a syslog server on Linux

A syslog server can be used as a log monitoring center in a network. All facilities that can send logs over the network (including Linux or Windows servers, routers, switches, and other hosts) you can send logs to it. By setting a syslog server, you can filter and merge logs sent by different facilities/hosts to an independent location, making it easier for you to view and obtain important log messages.

As a standard syslog daemon, rsyslog is pre-installed in most Linux releases. In the client/server architecture configuration, rsyslog also plays two roles: 1. as a syslog server, rsyslog can collect logs from other facilities; 2. as a syslog client, rsyslog can transmit its internal log information to a remote syslog server.

Here, we demonstrate how to configure a centralized syslog server through rsyslog in linux. Before proceeding to the details, review the syslog standard.

Syslog standard basics

When collecting logs through the syslog mechanism, there are three important considerations:

Facility Level: what type of processes are monitored
Severity (priority) level: the level at which log messages are collected
Target: where to send or record log messages

Now we have a deeper understanding of how the configuration is defined.

The facility level defines a method to classify internal system processes. Some common facilities in linux include:

Auth: Authentication-related messages (at login)
Cron: message related to process or application scheduling
Daemon: daemon-related messages (internal servers)
Kernel: kernel-related messages
Mail: messages related to the internal email server
Syslog: messages related to the syslog daemon itself
Lpr: Print service-related messages
Local0-local7: custom message (local7 is usually used by Cisco and Windows servers)

Severity (priority) levels have fixed standard abbreviations and reference values, where number 7 has the highest level, which includes:

Emerg: Emergency (urgent)-0
Alert: Alerts (alarm)-1
Crit: Critical (key)-2
Err: Errors (error)-3
Warn: Warnings (warning)-4
Notice: Notification-5
Info: Information (Message)-6
Debug: Debugging (Debugging)-7

Finally, the target statement allows a syslog client to execute one of the following three tasks:

Save the log message to a local file;
Use TCP/UDP to route messages to a remote syslog server;
Send it to a standard output, such as the console.

In rsyslog, syslog configuration is structured based on the following mode.

[Facility-level]. [severity-level] [destination]

Configure Rsyslog in Linux

After understanding syslog, we can now use rsyslog to configure a Linux server as a central syslog server, in addition, we will also see how to configure a syslog client on a Windows system to send internal logs to the syslog server.

Step 1: initialize system requirements

To set a linux host as a central log server, we need to create a separate/var partition and allocate enough disk space or create a special LVM volume group. This will enable the syslog server to handle the potential growth of log collection over time.

Step 2: enable rsyslog background processes to take effect

The rsyslog daemon comes from the pre-installed modules of the current linux version, but is not started by default. To enable the rsyslog daemon to receive external messages, you need to edit the configuration file/etc/rsyslog. conf.

Open the file and edit it. Find the location of the following two rows and delete the # character at the beginning of the row to cancel the comment.

$ ModLoad imudp
$ UDPServerRun 514

This enables the rsysolog daemon to receive log messages on UDP port 514. UDP is faster than TCP, but does not have the same data stream reliability as TCP. Therefore, if you need a reliable transfer mechanism, you can cancel the annotation of the following line.

$ ModLoad imtcp
$ Inputtcpserverexecute 514

It should be noted that TCP and UDP can take effect at the same time to listen for TCP/UDP connections.

Step 3: Create a log receiving Template

In this step, we need to create a template for remote messages and inform the rsyslog daemon how to record messages received from other client machines.

Use the text editor to open/etc/rsyslog. conf and append the following template before the GLOBAL ctive VE block.

$ Template RemoteLogs, "/var/log/% HOSTNAME %/% PROGRAMNAME %. log "*
*.*? RemoteLogs
&~

This template is briefly explained here. $ template RemoteLogs (here the "RemoteLogs" string can be any other descriptive name) instructions enable the rsyslog background process to write log messages to a separate local log file under/var/log, the name of the log file is defined based on the host name of the remote log sending machine and the application name that generates the log. The second row implies that the RemoteLogs template is applied to all received logs.

Symbol "&~ "Indicates a redirection rule that is used to notify the rsyslog daemon to stop further processing of log messages and do not write logs locally. If this redirection rule is not used, all remote messages will be written to the local log file in addition to the log file described above, this means that the log message is actually written twice. Another result of using this rule is that the log messages of the syslog server itself will only be in the private file named after the host name of the machine.

If you want to, you can also use the following pattern to directly record log messages for a specific device or severity level using a new template.

[Facility-level]. [severity-level]? RemoteLogs

For example:

Specify all internal user verification messages with all priorities as the RemoteLogs template:

Authpriv .*? RemoteLogs

Specify the message-level logs generated by processes other than mail, user authentication, and cron messages in all system processes as the RemoteLogs template:

*. Info, mail. none, authpriv. none, cron. none? RemoteLogs

If you want to write all messages received from remote clients to a single file named after their IP addresses, you can use the following template. Here we have assigned the "IpTemplate" name to this template.

$ Template IpTemplate, "/var/log/% FROMHOST-IP %. log"
*.*? IpTemplate
&~

After enabling the rsyslog daemon and editing the configuration file, restart the daemon.

In Debian, Ubuntu, or CentOS/RHEL 6:

$ Sudo service rsyslog restart

In Fedora or CentOS/RHEL 7:

$ Sudo systemctl restart rsyslog

We can use the netstat command to verify whether the rsyslog daemon works properly.

$ Sudo netstat-tulpn | grep rsyslog

The rsyslog daemon working on the UDP listening port has output similar to the following.

Udp 0 0 0.0.0.0: 514 0.0.0.0: * 551/rsyslogd
Udp6 0 0: 514: * 551/rsyslogd

If the rsyslog daemon is set on the TCP connection port, there should be output similar to the following.

Tcp 0 0 0.0.0.0: 514 0.0.0.0: * LISTEN 1891/rsyslogd
Tcp6 0 0: 514: * LISTEN 1891/rsyslogd

Send Windows logs to a remote rsyslog server

To forward a log message from a Windows client to our rsyslog server, you must install the Windows syslog agent. Of course, there are many syslog agents that can run on windows. Here we can use a free software program datainsyslogagent.

After downloading and installing the syslog agent, you must configure it to run as a service. Specify the protocol used to send data and the IP address and port of the remote rsyslog server, and specify the event log type to be transmitted, as shown below.

After completing all these configurations, we can start the service and use the command line tool tail-f in the central rsyslog server to view the log files.
Summary

By creating a central rsyslog server that can collect local and remote hosts, we can better understand what is happening inside these systems and debug their problems more easily, whether there is any latency or crash between them.

Configure the rsyslog client on CentOS to remotely record logs.

Rsyslog is an open-source tool widely used in Linux systems to forward or receive log messages over TCP/UDP. The rsyslog daemon can be configured into two environments: one is to configure the log collection server, and the rsyslog process can collect log data from other hosts from the network, these hosts configure to send logs to other remote servers. Another method of rsyslog is to configure it as a client to filter and send internal log messages to a local folder (such as/var/log) or a remote rsyslog server that can be routed.

Assuming that there is already a configured and started rsyslog server in your network, this guide will show you how to configure the CentOS system to route its internal log messages to a remote rsyslog server. This will greatly improve the use of your system disk space, especially when you do not have an independent large partition for the/var directory.

Step 1: install the Rsyslog daemon

On CentOS 6 and 7, the rsyslog daemon has been installed in advance. To verify that rsyslog has been installed on your CentOS system, run the following command:

# Rpm-qa | grep rsyslog
# Rsyslogd-v

If the rsyslog daemon does not appear in your system for some reason, run the following command to install it:

# Yum install rsyslog

Step 2: configure the Rsyslog daemon as the client

The next step is to convert your CentOS machine into an rsyslog client and send all its internal log messages to the remote central log server.

To implement this function, use your favorite text editor to open the main rsyslog configuration file in the/etc path:

# Nano/etc/rsyslog. conf

After enabling the file for editing, you need to add the following declaration to the bottom of the file. Replace the IP address with the IP address of your remote rsyslog server.

*. * @ 192.168.1.25: 514

The preceding statement tells the rsyslog daemon to route various log messages of each device on the system to UDP port 514 of the remote rsyslog server (192.168.1.25.

For some reason, you need more reliable protocols, such as TCP, and the rsyslog server is also configured to listen for TCP connections, you must add an additional @ character before the IP address of the remote host, as shown below:

*. * @ 192.168.1.25: 514

Note that you can also replace the IP address of the rsyslog server with its host name (FQDN ).

If you only want to forward the log messages of the specified device on the server, such as the kernel device, you can use the following statement in the rsyslog configuration file.

Kern. * @ 192.168.1.25: 514

After modifying the configuration file, you need to restart the process to activate the modification:

CentOS 7:

# Systemctl restart rsyslog. service

CentOS 6:

# Service rsyslog restart

Non-syslog log forwarding

In another environment, let's assume that you have installed an application named "foobar" on the machine, and it will generate foobar under/var/log. log file. Now, you want to direct its logs to the rsyslog server, which can be achieved by loading the imfile module in the rsyslog configuration file as follows.

First, load the imfile module, which only needs to be done once.

Module (load = "imfile" PollingInterval = "5 ")

Then, specify the path of the log file so that the imfile module can detect:

Input (type = "imfile"
File = "/var/log/foobar. log"
Tag = "foobar"
Severity = "error"
Facility = "local7 ")

Finally, direct the local7 device to the remote rsyslog server:

Local7. * @ 192.168.1.25: 514

Don't forget to restart the rsyslog process!

Step 3: enable the Rsyslog process to start automatically

To enable the rsyslog client to automatically start after each system restart, run the following command:

CentOS 7:

# Systemctl enable rsyslog. service

CentOS 6:

# Chkconfig rsyslog on

Summary

In this tutorial, I demonstrate how to convert the CentOS system into an rsyslog client to force it to send log messages to a remote rsyslog server. Here I assume that the connection between the rsyslog client and the server is secure (for example, in a firewall-protected corporate network ). In any situation, do not configure the rsyslog client to forward log messages through insecure networks, or, especially through the Internet, because the syslog protocol is a plaintext protocol. For secure transmission, you can use TLS/SSL to encrypt the transmission of log messages.