Rsyslog is a free and open source logging program that is available on CentOS 8 and RHEL 8 by default. It provides a simple and efficient way to centralize logging from client nodes to a single central server.
Centralized logging has two benefits. First, it simplifies log viewing: a system administrator can view all the logs of remote servers from a central node without logging into each client system, which is very useful when you need to monitor multiple servers. Second, if a remote client crashes, you don’t have to worry about losing logs, because all logs are kept on the central Rsyslog server.
Rsyslog replaces syslog, which supports only UDP. It extends the basic syslog protocol with features such as support for both UDP and TCP when transferring logs, enhanced filtering capabilities, and flexible configuration options. Let’s discuss how to configure the Rsyslog server on CentOS 8 / RHEL 8.
Prerequisites
We will set up the following experimental environment to test the centralized logging process:
- Rsyslog server: CentOS 8 Minimal, IP address 10.128.0.47
- Client system: RHEL 8 Minimal, IP address 10.128.0.48
With the above setup, we will demonstrate how to set up the Rsyslog server and then configure the client system to send logs to the Rsyslog server for monitoring.
Let’s get started!
Configure the Rsyslog server on CentOS 8
By default, Rsyslog is installed on a CentOS 8 or RHEL 8 server. To verify the status of Rsyslog, log in over SSH and run the following command:
$ systemctl status rsyslog
If for some reason Rsyslog is not installed, you can install it using the following command:
$ sudo yum install rsyslog
Next, you need to modify some settings in the Rsyslog configuration file. Open the configuration file:
$ sudo vim /etc/rsyslog.conf
Scroll and uncomment the following lines to allow logs to be received over UDP:
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
Similarly, if you wish to enable Rsyslog reception over TCP, uncomment the following lines:
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
Save and exit the configuration file.
To receive logs from the client system, we need to open the Rsyslog default port 514 on the firewall. To do this, run:
$ sudo firewall-cmd --add-port=514/tcp --zone=public --permanent
Next, reload the firewall to save the changes:
$ sudo firewall-cmd --reload
Next, restart the Rsyslog server:
$ sudo systemctl restart rsyslog
To run Rsyslog on startup, run the following command:
$ sudo systemctl enable rsyslog
To confirm that the Rsyslog server is listening on port 514, use the netstat command, as shown below:
$ sudo netstat -pnltu
Perfect! We have successfully configured the Rsyslog server to receive logs from the client system.
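The firewall command above opens only 514/tcp, while the configuration file can enable both a UDP and a TCP input. The following shell sketch is an added example, not part of the original article: it lists the listeners enabled in a rsyslog configuration file and reports those missing from the output of `firewall-cmd --list-ports`. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Print "port/proto" for each uncommented imudp/imtcp input() line in a
# rsyslog config file. Assumes type= precedes port= on the line.
rsyslog_listeners() {
    sed -n -E 's#^[[:space:]]*input\(.*type="im(udp|tcp)".*port="([0-9]+)".*#\2/\1#p' "$1" | sort -u
}

# $1: listeners, one per line; $2: open ports in the space-separated format
# printed by `firewall-cmd --list-ports`. Prints listeners not in that list.
# Port ranges and firewalld services are not expanded (kept simple).
blocked_listeners() {
    for l in $1; do
        case " $2 " in
            *" $l "*) ;;
            *) echo "$l" ;;
        esac
    done
}

# Constructed sample: the article's server config with both inputs enabled,
# plus one commented-out input that must be ignored.
sample_conf() {
    cat <<'EOF'
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
#input(type="imtcp" port="10514")
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
# The article's firewall-cmd command opened 514/tcp only.
echo "blocked by firewall: $(blocked_listeners "$(rsyslog_listeners "$conf")" "514/tcp")"
rm -f "$conf"

# On the real server (as root):
#   blocked_listeners "$(rsyslog_listeners /etc/rsyslog.conf)" \
#       "$(firewall-cmd --zone=public --list-ports)"
```

Any line it prints is an input that rsyslog listens on but that clients cannot reach through the firewall.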
To view log messages in real time, run the following command:
$ tail -f /var/log/messages
Now configure the client system.
Configure the client system on RHEL 8
As with the Rsyslog server, log in and check whether the Rsyslog daemon is running with the following command:
$ sudo systemctl status rsyslog
Next, open the rsyslog configuration file:
$ sudo vim /etc/rsyslog.conf
At the end of the file, add one of the following lines, depending on the protocol you want to use:
*.* @10.128.0.47:514    # Use @ for UDP protocol
*.* @@10.128.0.47:514   # Use @@ for TCP protocol
Save and exit the configuration file. Just like the Rsyslog server, open port 514, the default Rsyslog port, on the firewall:
$ sudo firewall-cmd --add-port=514/tcp --zone=public --permanent
Next, reload the firewall to save the changes:
$ sudo firewall-cmd --reload
Next, restart the rsyslog service:
$ sudo systemctl restart rsyslog
To run Rsyslog on startup, run the following command:
$ sudo systemctl enable rsyslog
Test logging operations
Now that you have successfully installed and configured the Rsyslog server and client, it’s time to verify that your configuration is working as expected.
On the client system, run the following command:
# logger "Hello guys! This is our first log"
Now go to the Rsyslog server and run the following command to see the log messages in real time:
# tail -f /var/log/messages
The message logged on the client system appears in the logs of the Rsyslog server, which means that the Rsyslog server is receiving logs from the client system.
That’s it! We successfully set up the Rsyslog server to receive log messages from the client system.
Via: www.linuxtechi.com/configure-r…
By James Kiarie (lujun9972
This article was originally compiled by LCTT and published on Linux China.