How to setup Central Logging Server in CentOS 7

In this configuration guide, you will learn how to setup Central Logging server in CentOS 7. #centlinux #linux #syslog

What is rsyslog? :

rsyslog is responsible for log processing in CentOS 7. rsyslog is abbreviation of ‘Rocket Fast System for Log processing’. rsyslog offers high-performance, great security features and modular design. It can accept input from wide variety of sources, transform it and output the result to diverse destinations.

In this article, we will setup central logging server using rsyslog on CentOS 7 and then we will configure CentOS 7 clients to submit their local logs to this rsyslog based central logging server.

Read Also: How to use Logrotate in Linux

Environment Specification:

We are using two virtual machines, one as the rsyslog server and the other as the rsyslog client.

Configure Central Logging Server in CentOS 7:

rsyslog is by default installed on most of the Linux distros including CentOS 7.

Connect to rsyslog-server.example.com and check status of rsyslog.service.

# systemctl status rsyslog.service
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Sat 2018-08-11 21:15:52 PDT; 27min ago
 Main PID: 759 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           ââ759 /usr/sbin/rsyslogd -n

Aug 11 21:15:52 rsyslog-server.example.com systemd[1]: Started System Logging Serv...
Hint: Some lines were ellipsized, use -l to show in full.

rsyslog is already installed on our CentOS 7 server, and its service is already started.

Now we are configuring rsyslog settings to accept input from other machines.

# vi /etc/rsyslog.conf

Find and uncomment following two directives.

$ModLoad imtcp
$InputTCPServerRun 514

Save settings and restart the rsyslog.service.

# systemctl restart rsyslog.service

Allow rsyslog service port in Linux firewall.

# firewall-cmd --permanent --add-port=514/tcp
success
# firewall-cmd --reload
success

Our rsyslog server has been configured to received input from other log sources via port 514/tcp

Configuring rsyslog Client on CentOS 7:

.Connect to rsyslog-client.example.com and check status of rsyslog.service.

# systemctl status rsyslog.service
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Sun 2018-08-12 02:16:31 PDT; 4h 6min left
 Main PID: 742 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           ââ742 /usr/sbin/rsyslogd -n

Aug 12 02:16:31 rsyslog-client.example.com systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.

rsyslog service is already installed and running on our CentOS 7 based client machine.

Now configure rsyslog client to transmit its log to our rsyslog server by adding the following directives in /etc/rsyslog.conf

# echo "*.* @@rsyslog-server.example.com:514" >> /etc/rsyslog.conf

Restart the rsyslog.service to apply changes.

# systemctl restart rsyslog.service

Now connect to our rsyslog server and check /var/log/messages

# tail /var/log/messages
Aug 11 22:31:28 rsyslog-server systemd: Closed ipa-otpd socket.
Aug 11 22:31:28 rsyslog-server systemd: Stopping 389 Directory Server EXAMPLE-COM....
Aug 11 22:31:29 rsyslog-server systemd: Stopped 389 Directory Server EXAMPLE-COM..
Aug 11 22:31:29 rsyslog-server systemd: Stopping 389 Directory Server.
Aug 11 22:31:29 rsyslog-server systemd: Stopped target 389 Directory Server.
Aug 11 22:33:32 rsyslog-client rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="3063" x-info="http://www.rsyslog.com"] start
Aug 11 22:33:32 rsyslog-client systemd: Stopping System Logging Service...
Aug 11 22:33:32 rsyslog-client systemd: Starting System Logging Service...
Aug 11 22:33:32 rsyslog-client systemd: Started System Logging Service.
Aug 11 22:33:56 rsyslog-client systemd-logind: Removed session 16.

We can see that rsyslog-client.example.com is forwarding its logs to rsyslog-server.example.com.

We have successfully configure a central login server using rsyslog on CentOS 7.

Conclusion:

In this configuration guide, you have learned, how to setup Central Logging server in CentOS 7.