Wednesday, 18 December 2013

rsyslog remote log CentOS

In case that you want to collect system logs from remote server to your local server this is the procedure.
I used CentOS 6.3 with rsyslog service running for log creation. Rsyslog version is rsyslog-5.8.10-7.

Idea is to sent logs from remote server to one central log server. On this central server you can install some application that is specialised for log processing(we use LogAnalyzer for this) or just to have all remote server logs in one place.

On remote server side vi have to change file /etc/rsyslog.conf. At the end of file you have explanation for forwarding rules. Communication between remote and central server is going trough TCP port 514 or UDP port 514. It is up to you to decide which one to use. In case that you use TCP 514 you should add to /etc/rsyslog.conf file this line:

*.*   @@ 

This means
*.* -send all logs. If you want for example to send only secure log then this would be secure.*
@ @- use TCP IP address of cental log server
514-use port 514

In case that you use UDP 514 then you should add this line:

*.*  @

 Only difference is in monkey sign. For UDP you use one monkey. For TCP you should use two monkey signs.

Restart rsyslog service.

/etc/init.d/rsyslog restart

On central log server in file /etc/sysconfig/rsyslog you have options for rsyslog service. Default options are:


To enable rsyslog service to receive logs from remote servers your settings should be like this:


In file /etc/rsyslog.conf uncomment these setting depending if you want to use UDP or TCP for communication.

#$ModLoad imudp
#$UDPServerRun 514

#$ModLoad imtcp
#$InputTCPServerRun 514

Now add settings for remote host
:FROMHOST-IP, isequal, "" /var/log/messages-remote

where IP address of remote server from which we receive logs
/var/log/messages-remote - file in which logs from remote server will be stored

Restart rsyslog service.

Check if anything is listening on port 514.

# netstat -na |grep 514

udp        0      0       *
udp        0      0 :::514                      :::*

So rsyslog service is listening on udp 514.

Check if you have anything in /var/log/messages-remote.

#tail -f  /var/log/messages-remote

On remote server do something that will trigger logs to generate (wrong password, rsyslog restart,etc.). If everything is OK you should have new entry in /var/log/messages-remote.

In case that you don't have anything in messages-remote, check your iptables, check if you are communicating through right protocol, did you restart rsyslog service,etc.

No comments: