Today we will set up a centralized syslog server on CentOS 8 / RHEL 8 so that a Linux admin can read the logs of multiple servers in a single place.
Syslog tags each message with a facility (kern, user, mail, daemon, auth, authpriv, cron, ftp, lpr, news, syslog, local0 to local7, etc.) that indicates the type of software that generated it, and a severity level (emergency, alert, critical, error, warning, notice, info, debug). Both are carried in the PRI field at the start of every message, which is what a central server filters and routes on.
You can find more information on facilities and severity levels in the syslog RFCs (RFC 3164 and RFC 5424).
Environment
Two Linux servers ( server and client).
server.itzgeek.local 192.168.0.10
client.itzgeek.local 192.168.0.20
Server setup
Install the rsyslog package on the syslog server if it is not already installed.
dnf install -y rsyslog
Edit the /etc/rsyslog.conf file.
vi /etc/rsyslog.conf
Protocol
Rsyslog can receive logs over UDP or TCP; which one you use is up to you. Rsyslog recommends TCP for reliable delivery: a UDP datagram dropped by the network or by a busy receiver is lost without either side noticing, whereas TCP retransmits. Neither plain UDP nor plain TCP syslog is encrypted or authenticated, and the source address of a UDP sender is trivially spoofed, so outside an isolated management network the transport should be wrapped in TLS (rsyslog supports this through its TLS-capable network stream drivers); that setup is beyond the scope of this article.
UDP
Uncomment the following lines to make the syslog server listen on UDP port 514.
FROM:
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")
TO:
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
TCP
Uncomment the following lines to make the syslog server listen on TCP port 514.
FROM:
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")
TO:
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
Restart the syslog service
systemctl restart rsyslog
Verify that the syslog server is listening on port 514 (netstat comes from the net-tools package, which is not installed by default on CentOS 8; ss -tulnp from iproute shows the same information).
netstat -antup | grep 514
Output:
udp 0 0 0.0.0.0:514 0.0.0.0:* 30918/rsyslogd
udp6 0 0 :::514 :::* 30918/rsyslogd
Only imudp was enabled here, so only the UDP sockets appear; with imtcp enabled as well you will also see tcp and tcp6 entries in the LISTEN state.
Client setup
Install the rsyslog package on the client if it is not already installed.
dnf install -y rsyslog
Edit the /etc/rsyslog.conf file.
vi /etc/rsyslog.conf
At the end of the file, place the following line to forward the client’s log messages to the centralized syslog server.
UDP:
action(type="omfwd" Target="192.168.0.10" Port="514" Protocol="udp")
TCP:
action(type="omfwd" Target="192.168.0.10" Port="514" Protocol="tcp")
Target can also be a hostname instead of an IP address.
Restart the syslog service
systemctl restart rsyslog
Now all of the client's log messages are forwarded to the central server, and a copy is still written locally, because the existing rules in rsyslog.conf that log to /var/log remain in effect.
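As an added example (not part of the original tutorial), the following Python script shows what the omfwd action above puts on the wire for the UDP and TCP cases, and what imudp/imtcp on the server receives: it encodes the PRI from facility and severity, builds a BSD-style syslog line, sends it over UDP or over TCP with the newline framing imtcp expects, and receives its own message on 127.0.0.1 so that it runs without rsyslog. The server address 192.168.0.10 and port 514 are the tutorial's; the function names, the sample message text and the loopback port are assumptions of the example. The round trip also makes a point a central-log operator should keep in mind: the hostname inside the message is whatever the client wrote, and only the peer address is something the server observed itself.

```python
"""Minimal BSD syslog (RFC 3164) sender and receiver, added example code.

Not the tutorial's or rsyslog's code. Target/port defaults are the
tutorial's 192.168.0.10:514; the loopback round trip uses 127.0.0.1 and an
ephemeral port so it runs offline.
"""
import re
import socket
from datetime import datetime

# Facility codes 0-23 as listed in RFC 3164 section 4.1.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
] + ["local%d" % i for i in range(8)]

# Severity codes 0-7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. authpriv.info -> 86."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri):
    """Invert encode_pri: 86 -> ('authpriv', 'info')."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def build_message(facility, severity, hostname, tag, msg, when=None):
    """Format '<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG' (no trailing newline)."""
    when = when or datetime.now()
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s" % (encode_pri(facility, severity), stamp, hostname, tag, msg)


_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")


def parse_message(line):
    """Split one received message into its fields; raise ValueError on bad input."""
    m = _LINE.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "timestamp": m.group(2), "hostname": m.group(3),
            "tag": m.group(4), "msg": m.group(5)}


def send_udp(line, target="192.168.0.10", port=514):
    """What omfwd Protocol="udp" does: one datagram per message, no delivery check."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (target, port))


def send_tcp(line, target="192.168.0.10", port=514):
    """What omfwd Protocol="tcp" does with its default framing: LF-terminated records."""
    with socket.create_connection((target, port), timeout=5) as s:
        s.sendall(line.encode() + b"\n")


def loopback_roundtrip(protocol, line):
    """Receive our own message on 127.0.0.1 the way imudp/imtcp would.

    Returns (parsed fields, peer address). The hostname field comes from the
    client; the peer address is the only part the receiver verified itself.
    """
    kind = socket.SOCK_DGRAM if protocol == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("127.0.0.1", 0))          # ephemeral port, assumption of the example
        port = srv.getsockname()[1]
        if protocol == "udp":
            send_udp(line, "127.0.0.1", port)
            data, peer = srv.recvfrom(65535)
        else:
            srv.listen(1)
            send_tcp(line, "127.0.0.1", port)   # connection waits in the accept queue
            conn, peer = srv.accept()
            with conn:
                data = b""
                while not data.endswith(b"\n"):
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
        return parse_message(data.decode()), peer[0]


if __name__ == "__main__":
    # Constructed sample: the line the client would emit when vsftpd starts.
    line = build_message("daemon", "info", "client", "systemd[1]", "Started Vsftpd ftp daemon.")
    print(line)
    for proto in ("udp", "tcp"):
        fields, peer = loopback_roundtrip(proto, line)
        print(proto, "from", peer, "->", fields["hostname"], fields["facility"], fields["severity"], fields["msg"])
```

Run it with no arguments to see the same message arrive over both transports. If you swap the hostname argument of build_message for "server", the parsed hostname changes but the peer address does not, which is why a collector that must attribute events reliably should record the sender's address (rsyslog exposes it as the fromhost-ip property) rather than trusting the hostname field alone.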
Firewall
If the syslog server runs FirewallD, open port 514 for the protocol you enabled. Note that this accepts log traffic from any host that can reach the server, and anyone who can reach it can inject log lines; where possible, restrict the rule to the clients' addresses (for example with a firewalld rich rule) instead of opening the port to every source.
UDP:
firewall-cmd --permanent --add-port=514/udp
firewall-cmd --reload
TCP:
firewall-cmd --permanent --add-port=514/tcp
firewall-cmd --reload
Validate
Go to the syslog server and follow the messages log file. Client messages land in the same file as the server's own, distinguished only by the hostname field.
tail -f /var/log/messages
I installed and started vsftpd on the client machine, and the client's messages, including the rsyslog restart from the previous step, now show up on the syslog server:
Jan 31 03:21:07 client systemd[1]: Stopping System Logging Service...
Jan 31 03:21:08 client rsyslogd[30944]: [origin software="rsyslogd" swVersion="8.37.0-13.el8" x-pid="30944" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jan 31 03:21:08 client systemd[1]: Stopped System Logging Service.
Jan 31 03:21:08 client systemd[1]: Starting System Logging Service...
Jan 31 03:21:08 client rsyslogd[30952]: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime [v8.37.0-13.el8 try http://www.rsyslog.com/e/2442 ]
Jan 31 03:21:08 client systemd[1]: Started System Logging Service.
Jan 31 03:21:08 client rsyslogd[30952]: [origin software="rsyslogd" swVersion="8.37.0-13.el8" x-pid="30952" x-info="http://www.rsyslog.com"] start
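As an added example (not from the tutorial), the following Python script turns this one-off look at the file into a repeatable check: it parses the messages-file format shown above, reports per host how many lines arrived and when the last one did, counts client-side stops of the logging service (the "Stopping System Logging Service" lines above, which precede any forwarding gap), and lists expected hosts that have gone quiet. The sample lines are constructed from the tutorial's output plus a few made-up server lines; the year is an assumption because BSD syslog timestamps carry none, and the function names and the 10-minute silence threshold are the example's own.

```python
"""Per-host arrival check over /var/log/messages lines, added example code.

Not the tutorial's or rsyslog's code. Parses the "Mon dd hh:mm:ss host tag: msg"
lines the central server writes and flags hosts that stopped reporting.
"""
import re
from datetime import datetime, timedelta

_LINE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")


def parse_line(line, year=2020):
    """Parse one messages-file line; return None for lines in another format."""
    m = _LINE.match(line.rstrip("\n"))
    if not m:
        return None
    # BSD syslog timestamps carry no year, so the caller supplies one (assumed 2020 here).
    when = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
    return {"time": when, "host": m.group(2), "tag": m.group(3), "msg": m.group(4)}


def summarize(lines, year=2020):
    """Per-host message count, newest timestamp and number of logging-service stops."""
    summary = {}
    for line in lines:
        rec = parse_line(line, year)
        if rec is None:
            continue
        entry = summary.setdefault(rec["host"], {"count": 0, "last": None, "stops": 0})
        entry["count"] += 1
        if entry["last"] is None or rec["time"] > entry["last"]:
            entry["last"] = rec["time"]
        # The client-side rsyslog stop seen in the tutorial's output; after it,
        # nothing is forwarded until the service starts again.
        if rec["tag"].startswith("systemd") and rec["msg"].startswith("Stopping System Logging Service"):
            entry["stops"] += 1
    return summary


def silent_hosts(summary, expected, now=None, max_gap=timedelta(minutes=10)):
    """Expected hosts that never reported, or whose newest message is older than max_gap.

    With now=None the check is made relative to the newest message in the file.
    """
    if now is None:
        now = max(entry["last"] for entry in summary.values())
    quiet = []
    for host in expected:
        entry = summary.get(host)
        if entry is None or now - entry["last"] > max_gap:
            quiet.append(host)
    return sorted(quiet)


# Constructed sample: the tutorial's restart lines for "client", made-up lines
# for "server", and one line in another format to show it is skipped.
SAMPLE = """\
Jan 31 03:21:07 client systemd[1]: Stopping System Logging Service...
Jan 31 03:21:08 client systemd[1]: Stopped System Logging Service.
Jan 31 03:21:08 client systemd[1]: Starting System Logging Service...
Jan 31 03:21:08 client systemd[1]: Started System Logging Service.
Jan 31 03:22:30 client systemd[1]: Started Vsftpd ftp daemon.
Jan 31 03:22:31 server sshd[2101]: Accepted publickey for admin from 192.168.0.20 port 50122 ssh2
Jan 31 03:39:02 server systemd[1]: Started dnf makecache.
not a syslog line at all
""".splitlines()


if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for host, entry in sorted(summary.items()):
        print("%-8s lines=%d last=%s stops=%d" % (host, entry["count"], entry["last"], entry["stops"]))
    # "db" is an expected client that never appears; "client" went quiet 16 minutes before the newest line.
    print("silent:", silent_hosts(summary, ["server", "client", "db"]))
```

In practice you would feed it the real file (for example the output of tail -n 5000 /var/log/messages) and the list of hosts that have an omfwd action configured; a host listed as silent either lost connectivity, had its rsyslog stopped, or had its forwarding rule removed, and all three are worth a look.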
Conclusion
That's all. I hope you successfully set up a centralized syslog server on CentOS 8 / RHEL 8. For more advanced features such as a web interface and correlation of log events across hosts, you can also use open-source log management tools like the ELK stack or Graylog.