setup central SysLog server on Centos 7

Posted 07 November, 2015

Today I was searching for tools to centralize the logging of some 20-odd Linux servers. While this is not the end point of my research, I "logged" the method I used to set up my test/demo servers using good old rsyslog.

While there are a lot of possibilities for logging, I'd like:

  • local + remote logging
    • It would be nice if I could log into one "remote" machine/service and see the log files of all machines I need to "maintain". However, keeping a local log file is also important, since not everybody will have access to the central logging server/service.
  • KISS
    • As few dependencies as possible; preferably it should run on anything from an ancient CentOS 5 box to a bleeding-edge nightly Ubuntu virtual machine, so ideally a default package in the common Linux distros.
  • little overhead
    • The overhead for client servers should be as small as possible, since they have a real job besides logging.

Most of these points are checked off when working with rsyslog, so I took that solution out for a spin. With rsyslog we can filter out irrelevant messages (like DHCP requests), use different logging servers for different facilities/levels or services … it's pretty powerful and, best of all, the package is in CentOS by default. 🙂

my "work" servers send their log files to the central Rsyslog server, while keeping a local log file also.

Server Setup

This machine is going to be the central logging server. (rsyslog server)

# lets be good to our logging server
yum update -y

# install if not yet here
yum install rsyslog rsyslog-doc

# edit
nano +15 /etc/rsyslog.conf

Replace

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

With
Note: this only enables UDP reception; uncommenting the imtcp lines instead (or as well) enables TCP. I picked UDP since I don't care about the exact order of the log messages, and if a message gets lost now and again that's OK. Keep in mind that UDP syslog is unauthenticated and the source address is trivially spoofable: anyone who can reach port 514 can inject log lines, so restrict who may talk to it at the firewall (see below) and treat the central copy as a convenience, not as tamper-proof evidence.

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

Reload the service and check if it is listening.

# lets load the new config
systemctl restart rsyslog

# or if you are like me and like the good'ol way 
service rsyslog restart

# now lets check if our server is listening to the port
# (netstat comes from the net-tools package on CentOS 7; "ss -lnup | grep 514" shows the same)
netstat -anup | grep 514
udp        0      0 0.0.0.0:514             0.0.0.0:*                           27285/rsyslogd      
udp6       0      0 :::514                  :::*                                27285/rsyslogd     

# or if you also enabled tcp 
netstat -antup | grep 514

Also open the port on the firewall! CentOS 7 ships firewalld by default, but here is the example with plain iptables (restricting on INPUT). Since UDP syslog carries no authentication, prefer to allow only your client subnet (with -s) rather than the whole world:

# don't forget to allow this traffic in the firewall
# example for iptables on UDP (add -s CLIENT_SUBNET to limit who may send)
iptables -I INPUT -p udp --dport 514 -j ACCEPT

# for tcp
iptables -I INPUT -p tcp --dport 514 -j ACCEPT
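The same server setup as a drop-in file, as an added example that is not from the original post: it packages the listener from the steps above together with the two things a central log server should have from day one, a source restriction on the UDP listener ($AllowedSender plus a matching firewall rule) and a per-host file layout so remote messages are not mixed into the server's own /var/log/messages. It assumes the CentOS 7 rsyslog 7.x legacy directive syntax, a placeholder client subnet of 10.0.0.0/8 (CLIENT_NET), and that the imudp lines in /etc/rsyslog.conf are left commented out so the module is loaded only once, by this file.

```shell
#!/bin/bash
# Added example, not from the original post.
# Drop-in config for the central rsyslog server (CentOS 7, rsyslog 7.x legacy
# syntax) that restricts the UDP listener to the client subnet and files each
# remote host's messages under /var/log/remote/<host>/.
# Assumptions: CLIENT_NET is a placeholder for your client subnet, and the
# imudp lines in /etc/rsyslog.conf stay commented out (this file loads imudp).
set -eu

CLIENT_NET="${CLIENT_NET:-10.0.0.0/8}"

# write_server_conf [DIR]: write DIR/10-remote.conf (default /etc/rsyslog.d)
# and print its path.
write_server_conf() {
    local dir="${1:-/etc/rsyslog.d}"
    mkdir -p "$dir"
    cat > "$dir/10-remote.conf" <<EOF
# --- remote reception (added example) ---
\$ModLoad imudp
# Only accept datagrams from the client subnet (and ourselves). UDP source
# addresses are spoofable, so this keeps out stray senders; it is not
# authentication of the logs.
\$AllowedSender UDP, 127.0.0.1, ${CLIENT_NET}
\$UDPServerRun 514

# One directory per sending host, one file per program.
\$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
# Everything that did not originate on this box goes to that template and
# stops there, so remote noise stays out of the server's own /var/log/messages.
# (\$IncludeConfig in rsyslog.conf pulls this file in before the local rules.)
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteLogs
& stop
EOF
    echo "$dir/10-remote.conf"
}

# open_firewall: allow UDP/514 from the client subnet only. CentOS 7 ships
# firewalld; fall back to a plain iptables rule if it is not installed.
open_firewall() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=${CLIENT_NET} port port=514 protocol=udp accept"
        firewall-cmd --reload
    else
        iptables -I INPUT -s "$CLIENT_NET" -p udp --dport 514 -j ACCEPT
    fi
}

# Only touch the live system when explicitly asked: ./server-setup.sh apply
if [ "${1:-}" = "apply" ]; then
    write_server_conf
    rsyslogd -N1            # syntax check before restarting
    open_firewall
    systemctl restart rsyslog
fi
```

After `apply`, a message from a client called web01 lands in /var/log/remote/web01/<program>.log instead of /var/log/messages; `tail -f /var/log/remote/*/*.log` then follows all clients at once.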

Your server is ready to receive logs from other servers. On to the client (server 2)!

Client Setup

# again be good sysadmin
yum update -y

# install if not there
yum install rsyslog rsyslog-doc

# edit the config
nano +92 /etc/rsyslog.conf

# add this line; it forwards everything
# you will probably want to restrict this a bit
# see man rsyslog.conf http://linux.die.net/man/5/rsyslog.conf
# a single @ means UDP; @@ would send over TCP (needs imtcp on the server)
*.* @SERVER_IP:514

Testing the client setup:

# (optional) check the connection
# with TCP (imtcp enabled on the server) this could be used
telnet SERVER_IP 514
Trying SERVER_IP ...
Connected to SERVER_IP.
Escape character is '^]'.

# with UDP (packages used: nmap-ncat on the client, tcpdump on the server)
# on server
tcpdump 'port 514'

# on client
nc -u SERVER_IP 514
some message
some more messages

# After editing the config, restart rsyslog
systemctl restart rsyslog
# or <3
service rsyslog restart

Test

on server :

tail -f /var/log/messages

on client :

logger -t sysadmin good job kid
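As an added example that is not part of the original post, here is the client side from the two sections above in one script: a drop-in that does the filtering the introduction mentions (drop dhclient chatter, send auth/authpriv to a separate destination, everything else to the general log server), plus a hand-built RFC 3164 datagram for the same end-to-end check the nc/tcpdump and logger steps perform. The PRI helpers show what the "*.*" and "auth.*" selectors are actually matched against. It assumes CentOS 7 rsyslog 7.x, that LOG_SERVER and AUTH_SERVER are placeholders (they may be the same box), and that nc comes from nmap-ncat.

```shell
#!/bin/bash
# Added example, not from the original post.
# Client side: an rsyslog drop-in that splits traffic by facility and drops
# noise, plus a hand-built syslog datagram for probing the server.
# Assumptions: CentOS 7 rsyslog 7.x; LOG_SERVER / AUTH_SERVER are placeholders
# (they may be the same box); nmap-ncat provides nc.
set -eu

LOG_SERVER="${LOG_SERVER:-SERVER_IP}"
AUTH_SERVER="${AUTH_SERVER:-$LOG_SERVER}"

# write_client_conf [DIR]: write DIR/10-remote.conf (default /etc/rsyslog.d)
# and print its path.
write_client_conf() {
    local dir="${1:-/etc/rsyslog.d}"
    mkdir -p "$dir"
    cat > "$dir/10-remote.conf" <<EOF
# --- remote forwarding (added example) ---
# Drop dhclient chatter before it is queued for the network or reaches the
# local rules that follow in rsyslog.conf (so it is not kept locally either).
if \$programname == 'dhclient' then stop

# Authentication records go to their own destination ...
auth,authpriv.* @${AUTH_SERVER}:514
# ... and everything else goes to the general log server. A single @ is UDP;
# @@ would switch that destination to TCP (the server then needs imtcp).
*.*;auth,authpriv.none @${LOG_SERVER}:514
EOF
    echo "$dir/10-remote.conf"
}

# facility_code NAME / severity_code NAME: numeric codes from RFC 3164.
facility_code() {
    case "$1" in
        kern) echo 0 ;;   user) echo 1 ;;   mail) echo 2 ;;      daemon) echo 3 ;;
        auth) echo 4 ;;   syslog) echo 5 ;; lpr) echo 6 ;;       news) echo 7 ;;
        uucp) echo 8 ;;   cron) echo 9 ;;   authpriv) echo 10 ;; ftp) echo 11 ;;
        local[0-7]) echo $(( 16 + ${1#local} )) ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
}
severity_code() {
    case "$1" in
        emerg|panic) echo 0 ;;  alert) echo 1 ;;  crit) echo 2 ;; err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) echo "unknown severity: $1" >&2; return 1 ;;
    esac
}

# syslog_pri FACILITY SEVERITY: the <PRI> value, facility*8 + severity.
# This is what the "*.*" / "auth.*" selectors above are matched against.
syslog_pri() {
    echo $(( $(facility_code "$1") * 8 + $(severity_code "$2") ))
}

# build_syslog_msg FACILITY SEVERITY TIMESTAMP HOST TAG TEXT: one RFC 3164
# line, e.g. "<134>Nov  7 10:00:00 web01 sysadmin: good job kid".
build_syslog_msg() {
    printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" "$3" "$4" "$5" "$6"
}

# send_probe TAG TEXT: send a local0.info datagram straight to LOG_SERVER,
# bypassing the local rsyslog, to prove the network path works on its own
# (watch it arrive with "tcpdump port 514" on the server).
send_probe() {
    build_syslog_msg local0 info "$(date '+%b %e %H:%M:%S')" "$(hostname -s)" "$1" "$2" \
        | nc -u -w1 "$LOG_SERVER" 514
}

# Only touch the live system when explicitly asked: ./client-setup.sh apply
if [ "${1:-}" = "apply" ]; then
    write_client_conf
    rsyslogd -N1            # syntax check before restarting
    systemctl restart rsyslog
    send_probe sysadmin "good job kid"
fi
```

If the raw probe shows up in tcpdump but `logger -t sysadmin ...` does not, the problem is in the client's rsyslog config rather than the network; if neither shows up, check the server firewall first.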

That's it, so simple; why did I not find this sooner? Good luck with the logging!

Some more resources :

© SvennD