Posted 07 November, 2015
Today I was searching for tools to centralize the logging of some 20 odd Linux servers, while this is no endpoint in my research, I “logged” the method I used to setup my test/demo servers using good old rsyslog.
While there are allot possibilities towards logging, I’d like :
Most of these points are checked off when working with rsyslog, so I took that solution out for a spin. With rsyslog we can filter out some irrelevant messages (like DHCP requests), use different logging servers for different levels/labels or service … its pretty powerful and best of all, the package is in Centos by default. 🙂
This machine is going to be the central logging server. (rsyslog server)
# lets be good to our logging server yum update -y # install if not yet here yum install rsyslog rsyslog-doc # edit nano +15 /etc/rsyslog.conf
# Provides UDP syslog reception #$ModLoad imudp #$UDPServerRun 514 # Provides TCP syslog reception #$ModLoad imtcp #$InputTCPServerRun 514
note : this only enables UDP logging,
modload imtcp does TCP. I picked UDP since I don’t care for specific order of the log messages, even if a messages get lost now and again that’s ok.
# Provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 # Provides TCP syslog reception #$ModLoad imtcp #$InputTCPServerRun 514
Reload the service and check if it is listening.
# lets load the new config systemctl restart rsyslog # or if you are like me and like the good'ol way service rsyslog start # now lets check if our server is listening to the port netstat -anup | grep 514 udp 0 0 0.0.0.0:514 0.0.0.0:* 27285/rsyslogd udp6 0 0 :::514 :::* 27285/rsyslogd # or if you also enabled tcp netstat -antup | grep 514
Also open ports on the firewall! Example with iptables (restricting on INPUT) :
# don't forget to allow this info in firewall # example for iptables on UDP iptables -I INPUT -p udp --dport 514 -j ACCEPT # for tcp iptables -I INPUT -p tcp --dport 514 -j ACCEPT
You’re server is ready to start logging more servers, onto the client (server 2) !
# again be good sysadmin yum update -y # install if not there yum install rsyslog rsyslog-doc # edit the config nano +92 /etc/rsyslog.conf # add, this would log everything # possible you would wanne restrict this a bit # see man rsyslog.conf http://linux.die.net/man/5/rsyslog.conf *.* @SERVER_IP:514
Testing the client setup :
# (optional) check connection # with tcp this could be used telnet SERVER_IP 514 Trying SERVER_IP ... Connected to SERVER_IP. Escape character is '^]'. # with udp client side (package used : nmap-ncat, tcpdump) # on server tcpdump 'port 514' # on client nc -u SERVER_IP 514 some message some more messages # After this restart the logger systemctl restart rsyslog # or <3 service rsyslog restart
on server :
tail -f /var/log/messages
on client :
logger -t sysadmin good job kid
Thats it, so simple, why did I not find this faster ? Good luck with the logging!
Some more resources :