How to setup Central Logging Server in CentOS 7

Discover how to set up a Central Logging Server in CentOS 7 with this detailed guide. Follow step-by-step instructions to centralize your logs for easier management and improved system monitoring. #centlinux #linux #syslog

What is rsyslog?

rsyslog is responsible for log processing in CentOS 7. rsyslog is abbreviation of ‘Rocket Fast System for Log processing’. rsyslog offers high-performance, great security features and modular design. It can accept input from wide variety of sources, transform it and output the result to diverse destinations.

rsyslog is an open-source software utility for forwarding log messages in an IP network. It is a reliable and extended syslog daemon that offers high performance, security, and flexibility in logging. Here are some key features and functions of rsyslog:

1. Log Collection and Forwarding: rsyslog collects log messages from various sources and can forward them to other systems for centralized logging.
2. High Performance: Capable of processing millions of messages per second, making it suitable for high-traffic environments.
3. Support for Multiple Protocols: rsyslog supports several protocols for log transmission, including TCP, UDP, and RELP (Reliable Event Logging Protocol).
4. Flexible Configuration: Offers a highly configurable rule-based system for filtering and routing log messages.
5. Secure Logging: Provides options for encrypted log transmission using TLS/SSL to ensure the security and integrity of log data.
6. Modular Architecture: Extensible through modules that add functionalities such as database support, message queue integration, and more.
7. Compatibility: Compatible with the traditional syslog protocol, making it easy to integrate with existing logging infrastructure.
8. Advanced Features: Includes features like log rotation, rate limiting, and multi-threading to handle large volumes of log data efficiently.

rsyslog is commonly used in modern IT environments for centralizing and managing logs from multiple sources, ensuring that logs are stored, analyzed, and monitored effectively.

Recommended Online Training: Learn Bash Shell in Linux for Beginners

Read Also: How to use Logrotate in Linux

Linux Server Specification

In this article, we will setup central logging server using rsyslog on CentOS 7 and then we will configure CentOS 7 clients to submit their local logs to this rsyslog based central logging server.

We are using two virtual machines, one as the rsyslog server and the other as the rsyslog client.

Configure Central Logging Server in CentOS 7

rsyslog is by default installed on most of the Linux distros including CentOS 7.

Connect to rsyslog-server.example.com and check status of rsyslog.service.

# systemctl status rsyslog.service
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Sat 2018-08-11 21:15:52 PDT; 27min ago
 Main PID: 759 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           ââ759 /usr/sbin/rsyslogd -n

Aug 11 21:15:52 rsyslog-server.example.com systemd[1]: Started System Logging Serv...
Hint: Some lines were ellipsized, use -l to show in full.

rsyslog is already installed on our Linux server, and its service is already started.

Now we are configuring rsyslog settings to accept input from other machines.

# vi /etc/rsyslog.conf

Find and uncomment following two directives.

$ModLoad imtcp
$InputTCPServerRun 514

Save settings and restart the rsyslog.service.

# systemctl restart rsyslog.service

Allow rsyslog service port in Linux firewall.

# firewall-cmd --permanent --add-port=514/tcp
success
# firewall-cmd --reload
success

Our rsyslog server has been configured to received input from other log sources via port 514/tcp

rsyslog Configuration for CentOS 7 Clients

.Connect to rsyslog-client.example.com and check status of rsyslog.service.

# systemctl status rsyslog.service
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Sun 2018-08-12 02:16:31 PDT; 4h 6min left
 Main PID: 742 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           ââ742 /usr/sbin/rsyslogd -n

Aug 12 02:16:31 rsyslog-client.example.com systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.

rsyslog service is already installed and running on our CentOS 7 based client machine.

Now configure rsyslog client to transmit its log to our rsyslog server by adding the following directives in /etc/rsyslog.conf

# echo "*.* @@rsyslog-server.example.com:514" >> /etc/rsyslog.conf

Restart the rsyslog service to apply changes.

# systemctl restart rsyslog.service

Now connect to our rsyslog server and check /var/log/messages

# tail /var/log/messages
Aug 11 22:31:28 rsyslog-server systemd: Closed ipa-otpd socket.
Aug 11 22:31:28 rsyslog-server systemd: Stopping 389 Directory Server EXAMPLE-COM....
Aug 11 22:31:29 rsyslog-server systemd: Stopped 389 Directory Server EXAMPLE-COM..
Aug 11 22:31:29 rsyslog-server systemd: Stopping 389 Directory Server.
Aug 11 22:31:29 rsyslog-server systemd: Stopped target 389 Directory Server.
Aug 11 22:33:32 rsyslog-client rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="3063" x-info="http://www.rsyslog.com"] start
Aug 11 22:33:32 rsyslog-client systemd: Stopping System Logging Service...
Aug 11 22:33:32 rsyslog-client systemd: Starting System Logging Service...
Aug 11 22:33:32 rsyslog-client systemd: Started System Logging Service.
Aug 11 22:33:56 rsyslog-client systemd-logind: Removed session 16.

We can see that rsyslog-client.example.com is forwarding its logs to rsyslog-server.example.com.

We have successfully configure a central logging server using rsyslog on CentOS 7.

If you are new to Linux and facing difficulty in working at Linux Bash prompt. We recommend that, you should read The Linux Command Line, 2nd Edition: A Complete Introduction by William Shotts.

Final Thoughts

Setting up a Central Logging Server in CentOS 7 is an essential task for centralized log management and improved system monitoring. By following this guide, you should now have a functional logging server that consolidates logs from multiple sources, making it easier to monitor and troubleshoot your systems.

If you need further assistance or customized solutions for your logging setup, I offer professional services to help you with your Linux server configuration needs. Feel free to check out my Fiverr gig for more details: Linux Server Administrator. I’m here to ensure your system is optimized and running smoothly!