How To Setup Centralized SysLog Server On CentOS 8 / RHEL 8

Today we will setup a centralized syslog server on CentOS 8 / RHEL 8 to let the Linux admin read multiple server logs in a single place.

Linux labels (auth, cron, FTP, LPR, authpriv, news, mail, syslog, etc..) the log messages to indicate the type of software that generated the messages with severity (Alert, critical, Warning, Notice, info, etc..).

You can find more information on Message Labels and Severity Levels

Environment

Contents

1 Environment
2 Server setup
- 2.1 Protocol
  - 2.1.1 UDP
  - 2.1.2 TCP
3 Client setup
4 Firewall
5 Validate
6 Conclusion

Two Linux servers ( server and client).

server.itzgeek.local 192.168.0.10

client.itzgeek.local 192.168.0.20

Server setup

Install the rsyslog package on the syslog server in case the package doesn’t already exist.

dnf install -y rsyslog

Edit the /etc/rsyslog.conf file.

vi /etc/rsyslog.conf

Protocol

Rsyslog supports both UDP and TCP protocol for receiving logs. It is up to you to decide which protocol you want to use.

Rsyslog suggests the use of TCP protocol for reliable log delivery.

UDP

Uncomment the following to enable the syslog server to listen on the UDP port.

FROM:

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
# module(load="imudp") # needs to be done just once
# input(type="imudp" port="514")

TO:

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

TCP

Uncomment the following to enable the syslog server to listen on the TCP port.

FROM:

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

TO:

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

Restart the syslog service

systemctl restart rsyslog

Verify the syslog server listening on the port 514.

netstat -antup | grep 514

Output:

udp 0 0 0.0.0.0:514 0.0.0.0:* 30918/rsyslogd udp6 0 0 :::514 :::* 30918/rsyslogd

Client setup

Install the rsyslog package on the client in case the package doesn’t already exist.

dnf install -y rsyslog

Edit the /etc/rsyslog.conf file.

vi /etc/rsyslog.conf

At the end of the file, place the following line to forward the client’s log messages to the centralized syslog server.

UDP:

action(type="omfwd" Target="192.168.0.10" Port="514" Protocol="udp")

TCP:

action(type="omfwd" Target="192.168.0.10" Port="514" Protocol="tcp")

You can also use the hostname in Target.

Restart the syslog service

systemctl restart rsyslog

Now all the message logs are sent to the central server and also it keeps the copy locally.

Firewall

If the system has FirewallD, run the following command on the syslog server to accept incoming traffic on port 514.

UDP:

firewall-cmd --permanent --add-port=514/udp firewall-cmd --reload

TCP:

firewall-cmd --permanent --add-port=514/tcp firewall-cmd --reload

Validate

Goto the syslog server and view the messages log file.

tail -f /var/log/messages

I have installed and started vsftpd on the client machine, you can see both are recorded in a syslog server.

Jan 31 03:21:07 client systemd[1]: Stopping System Logging Service...
Jan 31 03:21:08 client rsyslogd[30944]: [origin software="rsyslogd" swVersion="8.37.0-13.el8" x-pid="30944" x-info="http://www.rsyslog.com"] exiting on signal 15.
Jan 31 03:21:08 client systemd[1]: Stopped System Logging Service.
Jan 31 03:21:08 client systemd[1]: Starting System Logging Service...
Jan 31 03:21:08 client rsyslogd[30952]: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime [v8.37.0-13.el8 try http://www.rsyslog.com/e/2442 ]
Jan 31 03:21:08 client systemd[1]: Started System Logging Service.
Jan 31 03:21:08 client rsyslogd[30952]: [origin software="rsyslogd" swVersion="8.37.0-13.el8" x-pid="30952" x-info="http://www.rsyslog.com"] start

Conclusion

That’s All. I hope you successfully set up a centralized syslog server on CentOS 8 / RHEL 8. You can also use open-source log management tools like ELK stack or Graylog for more advanced features such as web interface, correlating log events, etc.

Search Engine Optimization (SEO) is a crucial strategy for enhancing a website‘s visibility in organic search results, driving traffic, and improving online presence. By optimizing content and keywords, businesses can attract targeted audiences, improve brand credibility, and enhance user experience. SEO offers long-term benefits by continuously drawing organic traffic without the need for ongoing ad… […]

Optimizing the speed of a WordPress website is essential for ensuring a superior user experience and achieving higher rankings in search engine results. Slow websites not only deter visitors but also impact your site’s SEO negatively. Fortunately, there are various strategies you can employ to enhance your website‘s performance. This comprehensive guide outlines ten simple… […]

How To Setup Centralized SysLog Server On CentOS 8 / RHEL 8

Environment

Server setup

Protocol

UDP

TCP

Client setup

Firewall

Validate

Conclusion

PHP Benchmarks: OPcache vs OPcache w/ Performance Tweaks

Install your HPC Cluster with Warewulf

How To Install Graylog on CentOS 8 / RHEL 8

Translations: The User Guide

Join Our Community Forum: Empowering Your Journey with CloudLinux

BEST Web Hosting

TECHNOBABBLE

How to build a website with WordPress and what are the best plugins to use

Drupal Hosting

© Copyright

Environment

Server setup

Protocol

UDP

TCP

Client setup

Firewall

Validate

Conclusion

Related Posts

© Copyright