Setup Central Logging Server in CentOS 7

Discover how to set up a Central Logging Server in CentOS 7 with this detailed guide. Follow step-by-step instructions to centralize your logs for easier management and improved system monitoring. #centlinux #linux #syslog

What is rsyslog?

rsyslog is responsible for log processing in CentOS 7. rsyslog is abbreviation of ‘Rocket Fast System for Log processing’. rsyslog offers high-performance, great security features and modular design. It can accept input from wide variety of sources, transform it and output the result to diverse destinations.

rsyslog is an open-source software utility for forwarding log messages in an IP network. It is a reliable and extended syslog daemon that offers high performance, security, and flexibility in logging. Here are some key features and functions of rsyslog:

1. Log Collection and Forwarding: rsyslog collects log messages from various sources and can forward them to other systems for centralized logging.
2. High Performance: Capable of processing millions of messages per second, making it suitable for high-traffic environments.
3. Support for Multiple Protocols: rsyslog supports several protocols for log transmission, including TCP, UDP, and RELP (Reliable Event Logging Protocol).
4. Flexible Configuration: Offers a highly configurable rule-based system for filtering and routing log messages.
5. Secure Logging: Provides options for encrypted log transmission using TLS/SSL to ensure the security and integrity of log data.
6. Modular Architecture: Extensible through modules that add functionalities such as database support, message queue integration, and more.
7. Compatibility: Compatible with the traditional syslog protocol, making it easy to integrate with existing logging infrastructure.
8. Advanced Features: Includes features like log rotation, rate limiting, and multi-threading to handle large volumes of log data efficiently.

rsyslog is commonly used in modern IT environments for centralizing and managing logs from multiple sources, ensuring that logs are stored, analyzed, and monitored effectively.

Read Also: How to use Logrotate in Linux

Linux Server Specification

In this article, we will setup central logging server using rsyslog on CentOS 7 and then we will configure CentOS 7 clients to submit their local logs to this rsyslog based central logging server.

We are using two virtual machines, one as the rsyslog server and the other as the rsyslog client.

Recommended Training: Complete Linux Training Course to Get Your Dream IT Job 2025 from Imran Afzal

Configure Central Logging Server in CentOS 7

rsyslog is by default installed on most of the Linux distros including CentOS 7.

Connect to rsyslog-server.example.com and check status of rsyslog.service.

systemctl status rsyslog.service

Output:

rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Sat 2018-08-11 21:15:52 PDT; 27min ago
 Main PID: 759 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           ââ759 /usr/sbin/rsyslogd -n

Aug 11 21:15:52 rsyslog-server.example.com systemd[1]: Started System Logging Serv...
Hint: Some lines were ellipsized, use -l to show in full.

rsyslog is already installed on our Linux server, and its service is already started.

Now we are configuring rsyslog settings to accept input from other machines.

vi /etc/rsyslog.conf

Find and uncomment following two directives.

$ModLoad imtcp
$InputTCPServerRun 514

Save settings and restart the rsyslog.service.

systemctl restart rsyslog.service

Allow rsyslog service port in Linux firewall.

firewall-cmd --permanent --add-port=514/tcp
firewall-cmd --reload

Our rsyslog server has been configured to received input from other log sources via port 514/tcp

Universal 65W USB C Laptop Charger Replacement for Lenovo,HP, Dell, Acer, Asus, Samsung, Google and More, for Office, School, and Family

(48521)

$7.99 (as of May 31, 2025 17:49 GMT +00:00 – More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)

rsyslog Configuration for CentOS 7 Clients

.Connect to rsyslog-client.example.com and check status of rsyslog.service.

systemctl status rsyslog.service

Output:

rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Sun 2018-08-12 02:16:31 PDT; 4h 6min left
 Main PID: 742 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           ââ742 /usr/sbin/rsyslogd -n

Aug 12 02:16:31 rsyslog-client.example.com systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.

rsyslog service is already installed and running on our CentOS 7 based client machine.

Now configure rsyslog client to transmit its log to our rsyslog server by adding the following directives in /etc/rsyslog.conf

echo "*.* @@rsyslog-server.example.com:514" >> /etc/rsyslog.conf

Restart the rsyslog service to apply changes.

systemctl restart rsyslog.service

Now connect to our rsyslog server and check /var/log/messages

tail /var/log/messages

We can see that rsyslog-client.example.com is forwarding its logs to rsyslog-server.example.com.

We have successfully configure a central logging server using rsyslog on CentOS 7.

Frequently Asked Questions (FAQs)

1. What is a central logging server?

A central logging server collects and stores log files from multiple systems in one place, making it easier to monitor and analyze logs across your network.

2. Which software is commonly used for central logging in CentOS 7?

Rsyslog is a popular choice for setting up a basic central logging server on CentOS 7 due to its reliability and ease of configuration.

3. Do I need to open firewall ports for a logging server?

Yes, you must allow traffic on the port used for log forwarding (default: UDP 514 or TCP 514) in firewalld or iptables.

4. Can I encrypt log transmissions for security?

Yes, you can configure TLS encryption in Rsyslog to secure log data while transferring it from clients to the central server.

5. How do I check if logs are being received on the server?

Monitor the log files in /var/log/ or check Rsyslog’s status using:

systemctl status rsyslog  

Logs from remote systems are typically stored in separate directories or files based on configuration.

Mastering Ubuntu Server: Explore the versatile, powerful Linux Server distribution Ubuntu 22.04 with this comprehensive guide

(465106)

$37.49 (as of May 30, 2025 17:35 GMT +00:00 – More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)

Final Thoughts

Setting up a Central Logging Server in CentOS 7 is an essential task for centralized log management and improved system monitoring. By following this guide, you should now have a functional logging server that consolidates logs from multiple sources, making it easier to monitor and troubleshoot your systems.

Looking for a Linux server expert? I provide top-tier administration, performance tuning, and security solutions for your Linux systems. Explore my Fiverr profile for details!