How to Setup a Centralized Syslog Server in Red Hat Linux

Server logs become essential troubleshooting key points for system administrators when an issue occurs. By default, all the logs on RHEL based servers are stored in /var/log directory.  The syslog daemon can be configured to send logs to a remote Syslog Server that server may be configured to receive logs from other hosts as well.

Storing logs on a centralized location becomes handy when you have hundreds of servers in your organisation.  It also helps in tracing intruders who logged onto a compromised system and deleted the local logs thinking that he/she can get away and won't leave any trace.  It gives system administrators a centralize place to monitor logs for all the servers.

In this article I will configure Rsyslog  on RHEL 6 Server that is  syslog daemon, to receive logs from client machines.  I will also configure a client machine who will push it's logs to this centralized syslog server. Logs can be sent via both TCP and UDP. I will be using UDP in this article.

Before you start, Please make sure that port 514 is allowed on Centralized syslog Server.

Open  /etc/sysconfig/iptables file in a text editor.

Add an INPUT rule allowing  UDP traffic on port 514 to the file. The new rule must appear before any INPUT rules that REJECT traffic.

-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

Save the changes to the /etc/sysconfig/iptables file and restart the service.

# service iptables restart

Centralized Syslog Server Configuration

Open /etc/rsyslog.conf and uncomment the following line To accept messages using UDP.

$ModLoad imudp
$UDPServerRun 514

Put these lines at the end of the file, rsyslogd will create a folder as client's Hostname in /var/log/ directory for each client monitored.

$template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?TmplAuth

Restart rsyslog service

# service rsyslogd restart

Client Configuration

Client machine can be configured to send logs via TCP and UDP, both examples are shown below. The rsyslog server configuration can be done as below.

On the client, open /etc/rsyslog.conf and enter the name:port of the centralized rsyslog server.

*.* @<ip address>:514

Where *.* means all logs, a single "@" means UDP, IP Address or Hostname of the Centralized syslog Server and port No.

If you want to use TCP instead of UDP you can place the following. The only difference is ad extra "@"

*.* @@<ip address>:514

Restart syslog server and you are done.

 # service rsyslogd restart

There will be a folder created in /var/log as client's hostname and all the log files for that host will be pushed there. You can configure log rotate after that to manage log files periodically.

Leave a Comment