rsyslog Server Installation on RHEL

Author: Jackson Chen

Implementing an rsyslog Server on RHEL (RHEL 7 or later)

https://www.rsyslog.com/doc/master/index.html

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/s1-configuring_rsyslog_on_a_logging_server

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/configuring-a-remote-logging-solution_configuring-basic-system-settings

The rsyslog service provides facilities both for running a logging server and for configuring individual systems to send their log files to the logging server.

In /etc/rsyslog.conf, which is the main configuration file for rsyslog, you can specify the rules according to which rsyslogd handles the messages. Generally, you can classify messages by their source and topic (facility) and urgency (priority), and then assign an action that should be performed when a message fits these criteria.

In /etc/rsyslog.conf, you can also see a list of log files maintained by rsyslogd. Most log files are located in the /var/log/ directory. Some applications, such as httpd and samba, store their log files in a subdirectory within /var/log/.

Traditional syslog uses UDP port 514; the configuration below has rsyslog listen on port 514 for both UDP and TCP.

/etc/rsyslog.conf is the main rsyslog configuration file; drop-in files under /etc/rsyslog.d/ are included from it.

Add a dedicated disk to the RHEL host and mount it at /data/syslog before continuing, so that logs arriving from remote systems cannot fill the root filesystem.

1. Install the rsyslog package
dnf install rsyslog (or yum install rsyslog on RHEL 7)    # install rsyslog package
dnf install policycoreutils-python-utils   # provides the semanage tool on RHEL 8 and later (policycoreutils-python on RHEL 7)

2. Configure the /etc/rsyslog.conf file
# Configuring rsyslog to receive and sort remote log messages
# Add the templates and ruleset below the MODULES section but above the "Provides UDP syslog reception" section.
# Remote messages will be stored under the following directories:
# Authentication:   /data/syslog/remote/auth/<hostname>/<programname>.log
# Messages:         /data/syslog/remote/msg/<hostname>/<programname>.log

#### MODULES ####
# Templates applied to syslog messages received from other systems.
# Both hostname and programname are taken from the (unauthenticated) message header, so
# securepath="replace" turns any "/" in them into "_" and prevents a crafted message from
# steering the file path outside the target directory.
template(name="TmplAuthpriv" type="list") {
    constant(value="/data/syslog/remote/auth/")
    property(name="hostname" securepath="replace")
    constant(value="/")
    property(name="programname" securepath="replace")
    constant(value=".log")
}

template(name="TmplMsg" type="list") {
    constant(value="/data/syslog/remote/msg/")
    property(name="hostname" securepath="replace")
    constant(value="/")
    property(name="programname" securepath="replace")
    constant(value=".log")
}

# Messages from inputs bound to this ruleset are processed only by the rules inside it;
# rules in the main configuration (the default ruleset) never see them, so any filter
# meant for remote traffic must be placed here.
# Note what the selectors below imply: authpriv.* goes to the auth tree only, mail.* and
# cron.* are excluded from the msg tree and are therefore not stored at all, and
# debug-level messages do not match *.info and are dropped as well.
ruleset(name="remote1") {
    # Discard unwanted incoming messages before any action runs, e.g. F5 UDP health checks
    :rawmsg, isequal, "default send string" stop
    authpriv.*                                  action(type="omfile" DynaFile="TmplAuthpriv")
    *.info;mail.none;authpriv.none;cron.none    action(type="omfile" DynaFile="TmplMsg")
}

# Provides UDP syslog reception
# for parameters see https://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514" ruleset="remote1")

# Replace the default "Provides TCP syslog reception" section with the following:
# Provides TCP syslog reception
# for parameters see https://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514" ruleset="remote1")

# Include all config files in /etc/rsyslog.d/
# (the include() object needs rsyslog 8.33 or later; the rsyslog 8.24 shipped with RHEL 7
#  uses the legacy form:  $IncludeConfig /etc/rsyslog.d/*.conf)
include(file="/etc/rsyslog.d/*.conf" mode="optional")

3. Restart the rsyslog service
rsyslogd -N1                  # validate the configuration before restarting; reports syntax errors without starting the daemon
systemctl restart rsyslog     # (service rsyslog restart on RHEL 6)

4. Permit rsyslog to bind the required port under SELinux
# Only needed if rsyslog listens on a port other than the default 514; if you kept 514, skip this step.
dnf install policycoreutils-python-utils   # provides semanage (policycoreutils-python on RHEL 7)
semanage port -a -t syslogd_port_t -p tcp <Required Port>
semanage port -a -t syslogd_port_t -p udp <Required Port>   # only if the imudp input uses the same non-default port
semanage port -l | grep syslog             # confirm the port now carries the syslogd_port_t label
systemctl restart rsyslog
ss -tnlp | grep rsyslog                    # verify the port rsyslog is listening on (netstat -tnlp on older systems)

5. Open the port in the host firewall
# RHEL 7 and later use firewalld:
firewall-cmd --permanent --add-port=<required port>/tcp
firewall-cmd --permanent --add-port=<required port>/udp   # only if the imudp input is used
firewall-cmd --reload
# On RHEL 6 (iptables), add the rule to /etc/sysconfig/iptables and restart the service:
-A INPUT -m state --state NEW -m tcp -p tcp --dport <required port> -j ACCEPT
service iptables restart

6. Start rsyslog automatically at boot
systemctl enable rsyslog      # (chkconfig rsyslog on on RHEL 6)

Your log server is now configured to receive and store log files from the other systems in your environment.
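The routing that ruleset remote1 produces is easy to misread, so here is an added Python simulation (example code written for this page, not part of rsyslog or the original notes). It parses constructed RFC 3164 messages, decodes PRI into facility and severity, applies the two selectors and the F5 discard rule exactly as written in the ruleset above, and builds the DynaFile path with an approximation of securepath="replace". The sample messages, the securepath approximation and the handling of unparseable messages (dropped here, whereas rsyslog would store them with a default priority) are assumptions of the example.

```python
"""Simulate how rsyslog ruleset "remote1" from this page routes remote messages.

Added example for this page, not rsyslog code: it re-implements the selector
logic and an approximation of securepath="replace" so the effect of the
configuration can be checked on constructed messages without a running daemon.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

BASE = "/data/syslog/remote"   # mount point used on this page

# RFC 3164 facility and severity codes: PRI = facility * 8 + severity
FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
            "local0", "local1", "local2", "local3", "local4", "local5",
            "local6", "local7"]
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Wire format of a classic syslog message: <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[\d+\])?: ?"
    r"(?P<msg>.*)$")


@dataclass
class SyslogMsg:
    raw: str
    facility: str
    severity: str
    hostname: str      # rsyslog property "hostname": parsed from the message, not the sender IP
    programname: str   # rsyslog property "programname": the TAG without the [pid] part
    text: str


def parse(raw: str) -> Optional[SyslogMsg]:
    """Parse one RFC 3164 message; None if it does not match the wire format."""
    m = RFC3164.match(raw)
    if m is None or int(m["pri"]) > 191:
        return None
    pri = int(m["pri"])
    return SyslogMsg(raw, FACILITY[pri // 8], SEVERITY[pri % 8],
                     m["host"], m["tag"], m["msg"])


def securepath(value: str) -> str:
    """Approximation (assumption of this example) of securepath="replace":
    every "/" becomes "_" so the value cannot add a directory component, and
    ".." is neutralised so it cannot step upward. rsyslog's exact rewriting
    differs in detail but serves the same purpose."""
    return value.replace("/", "_").replace("..", "_")


def selector_authpriv(m: SyslogMsg) -> bool:
    """authpriv.*"""
    return m.facility == "authpriv"


def selector_info(m: SyslogMsg) -> bool:
    """*.info;mail.none;authpriv.none;cron.none (info or more urgent, minus three facilities)"""
    urgent_enough = SEVERITY.index(m.severity) <= SEVERITY.index("info")
    return urgent_enough and m.facility not in ("mail", "authpriv", "cron")


def route(raw: str) -> List[str]:
    """Files this message is written to under ruleset remote1 ([] means dropped)."""
    # The discard rule sits inside the ruleset, before any action, so it really
    # sees remote traffic; isequal compares the whole raw message.
    if raw == "default send string":
        return []
    m = parse(raw)
    if m is None:
        return []   # simplification: rsyslog would still store it with a default PRI
    host, prog = securepath(m.hostname), securepath(m.programname)
    files = []
    if selector_authpriv(m):
        files.append(f"{BASE}/auth/{host}/{prog}.log")
    if selector_info(m):
        files.append(f"{BASE}/msg/{host}/{prog}.log")
    return files


# Constructed sample traffic (not captured from a real network)
SAMPLES = [
    "<86>Mar 10 12:00:01 web01 sshd[1234]: Accepted publickey for admin from 10.0.0.5",
    "<30>Mar 10 12:00:02 web01 systemd[1]: Started Session 7 of user admin.",
    "<78>Mar 10 12:00:03 db01 CROND[99]: (root) CMD (run-parts /etc/cron.hourly)",
    "<15>Mar 10 12:00:04 web01 app: verbose debug detail",
    "default send string",
    "<14>Mar 10 12:00:05 ../../../tmp ../evil: hostname and tag chosen to escape the log tree",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"{raw[:48]:<48} -> {route(raw) or 'DROPPED'}")
```

Running it shows the sshd line landing only in the auth tree, the systemd line only in the msg tree, and the cron, debug and health-check lines going nowhere; the last sample is stored, but under a sanitised hostname and program name inside /data/syslog/remote/msg/ rather than wherever the sender asked for.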

Saving logs to a database

Configuring rsyslog to write logs to a database, and managing the log files with logrotate, is covered at:

https://www.tecmint.com/manage-linux-system-logs-using-rsyslogd-and-logrotate/

rsyslog Troubleshooting

systemctl status rsyslog        # verify rsyslog running status (service rsyslog status on RHEL 6)
rsyslogd -N1                    # check the configuration for syntax errors without starting the daemon
netstat -lnup | grep 514        # verify the UDP listener
netstat -lntp | grep 514        # verify the TCP listener
netstat -anp | grep rsyslogd
netstat -antup | grep 514
ss -lntup | grep 514            # same checks with ss, which is installed by default on RHEL 7 and later

# With its default configuration rsyslog does not listen on INET sockets at all; it only reads the
# local Unix domain socket /dev/log through imuxsock. Listing the daemon's open descriptors shows
# which sockets it has actually bound, which helps when the netstat/ss checks above come up empty.
ls -la /proc/$(pidof rsyslogd)/fd

tail -f /var/log/messages                          # on the rsyslog server, watch the local messages log
tail -f /data/syslog/remote/msg/<hostname>/*.log   # watch what arrives from a given remote host