Wednesday 18 December 2013

rsyslog remote log CentOS

If you want to collect system logs from a remote server on your local server, this is the procedure.
I used CentOS 6.3 with the rsyslog service running for log creation. The rsyslog version is rsyslog-5.8.10-7.

The idea is to send logs from remote servers to one central log server. On this central server you can install an application specialised for log processing (we use LogAnalyzer for this), or simply keep all remote server logs in one place.

On the remote server side we have to change the file /etc/rsyslog.conf. At the end of the file there is an explanation of the forwarding rules. Communication between the remote and the central server goes through TCP port 514 or UDP port 514; it is up to you to decide which one to use. If you use TCP 514 you should add this line to /etc/rsyslog.conf:

*.*   @@192.168.1.2:514 

This means:
*.* - send all logs. If you want, for example, to send only the secure log then this would be secure.*
@@ - use TCP
192.168.1.2 - IP address of the central log server
514 - use port 514

If you use UDP 514 then you should add this line:

*.*  @192.168.1.2:514

The only difference is the number of at signs (@): for UDP you use one @, for TCP you use two (@@).

Restart rsyslog service.

/etc/init.d/rsyslog restart


On the central log server, the file /etc/sysconfig/rsyslog holds the options for the rsyslog service. The default options are:

SYSLOGD_OPTIONS="-c 5 "

To enable the rsyslog service to receive logs from remote servers, your settings should look like this:

SYSLOGD_OPTIONS="-c 2 -r"

In the file /etc/rsyslog.conf, uncomment these settings depending on whether you want to use UDP or TCP for communication.

UDP:
#$ModLoad imudp
#$UDPServerRun 514

TCP:
#$ModLoad imtcp
#$InputTCPServerRun 514

Now add a rule for the remote host:
:FROMHOST-IP, isequal, "192.168.1.3" /var/log/messages-remote


where

192.168.1.3 - IP address of the remote server from which we receive logs
/var/log/messages-remote - file in which logs from the remote server will be stored

Restart rsyslog service.

Check if anything is listening on port 514.

# netstat -na |grep 514

udp        0      0 0.0.0.0:514                 0.0.0.0:*
udp        0      0 :::514                      :::*


So the rsyslog service is listening on UDP 514.

Check if you have anything in /var/log/messages-remote.

# tail -f /var/log/messages-remote

On the remote server do something that will trigger log generation (a wrong password, an rsyslog restart, etc.). If everything is OK you should see a new entry in /var/log/messages-remote.

If nothing shows up in messages-remote, check your iptables, check that both sides are using the same protocol (TCP or UDP), check that you restarted the rsyslog service, etc.
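To make the two decisions in this setup concrete (which messages a "facility.level" selector such as *.* picks, and which file a FROMHOST-IP rule sends a given sender's messages to), here is an added Python illustration. It is not part of the original post and not rsyslog code; the rule list, IP addresses and the sample datagram are constructed, and it uses the authpriv facility, which is the one CentOS's default rsyslog.conf writes to /var/log/secure.

```python
import re
import socket

# Syslog facility (0-23) and severity (0-7) names, RFC 3164 numbering as rsyslog uses it
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp security console solaris-cron local0 local1 local2 local3 "
              "local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed central-server rule set with the same meaning as the post's
# ':FROMHOST-IP, isequal, "192.168.1.3" /var/log/messages-remote' (IPs/paths are examples)
CENTRAL_RULES = [("192.168.1.3", "*.*", "/var/log/messages-remote")]

# Constructed datagram as a remote rsyslog would forward it; PRI 86 = authpriv(10)*8 + info(6)
SAMPLE_MSG = "<86>Dec 18 10:00:00 web01 sshd[1234]: Failed password for root from 10.0.0.5"

def parse_pri(msg):
    """Return (facility, severity) names from the leading <PRI> of a syslog line."""
    m = PRI_RE.match(msg)
    if not m:
        return "user", "notice"          # RFC 3164 default when no PRI is present
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def selector_matches(selector, facility, severity):
    """rsyslog 'facility.level' selector: '*' is a wildcard on either side, and a named
    level means that level or anything more severe (e.g. authpriv.notice takes err too)."""
    fac, lvl = selector.split(".")
    if fac not in ("*", facility):
        return False
    return lvl == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(lvl)

def route(src_ip, msg, rules):
    """Return the files a message from src_ip is written to under FROMHOST-IP rules."""
    facility, severity = parse_pri(msg)
    return [path for ip, sel, path in rules
            if src_ip == ip and selector_matches(sel, facility, severity)]

def serve_udp(rules, bind="0.0.0.0", port=514):
    """Tiny UDP 514 receiver applying the rules (what rsyslog's imudp does for real)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src_ip, _) = sock.recvfrom(65535)
            line = data.decode(errors="replace").rstrip("\n")
            for path in route(src_ip, line, rules):
                with open(path, "a") as fh:
                    fh.write(line + "\n")
```

Calling route("192.168.1.3", SAMPLE_MSG, CENTRAL_RULES) returns ["/var/log/messages-remote"], while the same datagram from any other source address returns an empty list, which is exactly why the sender's IP in the rule has to match the address the central server sees after NAT or firewalls.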
