Install and configure rsyslog Centralized logging server in CentOS 6.5

In this tutorial we will learn how to install and configure rsyslog version 7.6 on RHEL 6.5 / CentOS 6.5. The scenario is to install and set up an rsyslog centralized logging server on RHEL/CentOS 6.5; all logs from the client servers will be sent to this centralized logging server, i.e. the rsyslog server.
Check Pre-installed rsyslog package
Step 1: First of all, check whether the rsyslog package is installed on your system. After a minimal installation of CentOS 6.x / RHEL 6.x we generally get rsyslog version 5.x by default.
We will install the latest rsyslog package. At the time of writing this post, rsyslog stable version 7.6 was available. You can find the latest package information on the rsyslog official website.
Note: By default, RHEL 6.x and CentOS 6.x ship rsyslog version 5.x, so here we will update rsyslog to the new version.
You can get the rsyslog version information using the two commands given below:
rpm -qa|grep rsyslog
And
rsyslogd -v
[Screenshot in the original post: output of the two commands above, showing rsyslog version 7]
Installing / updating rsyslog version 7.6 on RHEL 6.x / CentOS 6.x
To install rsyslog version 7.6, create a new yum repo file and paste the contents given below. (With the same method, you can install other versions of rsyslog [information link].)
Create the new file /etc/yum.repos.d/rsyslog.repo (you can use your favorite editor):
[root@server ~]# vi /etc/yum.repos.d/rsyslog.repo
Paste the contents given below into the file /etc/yum.repos.d/rsyslog.repo (in vi, press i to enter insert mode, paste the content, then press Esc and type :wq to save and quit).
[rsyslog-v7-devel]
name=Adiscon Rsyslog v7-devel for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v7-devel/epel-$releasever/$basearch
enabled=0
gpgcheck=0
protect=1
[rsyslog-v7-stable]
name=Adiscon Rsyslog v7-stable for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v7-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
protect=1
Note that gpgcheck=0 in this repo file turns off RPM signature checking for packages from this repository; if you want yum to verify them, set gpgcheck=1 and import the repository's GPG key. Now update rsyslog from the new repository (run rpm -qa|grep rsyslog first if you are not sure the package is present) with the command given below:
[root@server ~]# yum update rsyslog
Edit /etc/rsyslog.conf and uncomment the following lines to make the syslog server listen on TCP and UDP port 514.
#### MODULES ####
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously done by rklogd)
#module(load="immark")  # provides --MARK-- message capability
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
############################
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
$template RemoteLogs,"/var/log/HOSTS/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/HOSTS/%HOSTNAME%/%PROGRAMNAME%.log"
*.*  ?RemoteLogs
#& ~
#### GLOBAL DIRECTIVES ####
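Once clients are forwarding, a host that stops writing under /var/log/HOSTS/<HOSTNAME>/ is as worth noticing as any single log line: the client may be down, blocked by a firewall, misconfigured, or have had its logging stopped on purpose. The script below is an added example, not from the original post. It assumes the RemoteLogs template above, so each client gets its own directory under /var/log/HOSTS; the demo function builds a constructed tree in a temporary directory instead of reading the real one.

```sh
#!/bin/sh
# Added example, not part of the original post.  Lists client host
# directories under the tree written by the RemoteLogs template
# (/var/log/HOSTS/%HOSTNAME%/%PROGRAMNAME%.log) that have received no
# log line in the last N minutes.

# stale_hosts ROOT MINUTES
# Print one hostname per line for every directory directly under ROOT
# whose files (if any) were all last modified more than MINUTES ago.
stale_hosts() {
    root=$1
    minutes=$2
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        host=$(basename "$dir")
        # GNU find: -mmin -N matches files modified within the last N minutes.
        fresh=$(find "$dir" -type f -mmin "-$minutes" 2>/dev/null | head -n 1)
        [ -z "$fresh" ] && printf '%s\n' "$host"
    done
    return 0
}

# demo_stale_hosts: build a constructed log tree in a temporary directory
# (web01 logged just now, db01 last logged on 2000-01-01) and run the check
# with a 60 minute window.  Prints "db01".
demo_stale_hosts() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/web01" "$tmp/db01"
    touch "$tmp/web01/sshd.log"                  # fresh file
    touch -t 200001010000 "$tmp/db01/cron.log"   # constructed old mtime
    stale_hosts "$tmp" 60
    rm -rf "$tmp"
}
```

On the server, running `stale_hosts /var/log/HOSTS 30` from cron and mailing or exporting the output turns a client that has gone silent into an alert rather than something discovered weeks later.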
Step 4: Now edit the file /etc/sysconfig/rsyslog and set SYSLOGD_OPTIONS with no parameters:
 SYSLOGD_OPTIONS=""
See the reference below from our server:
 [root@localhost ~]# cat /etc/sysconfig/rsyslog
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS=""
[root@localhost ~]#
Step 5: Start/restart the rsyslog service.
To start rsyslog:
/etc/init.d/rsyslog start
To restart rsyslog:
/etc/init.d/rsyslog restart
Set SELinux rules for rsyslog
Some system admins disable SELinux. If you want to keep SELinux enabled, use the commands given below. The last two commands label the directory the custom logs are written to; the path must match the directory your template actually writes to (the RemoteLogs template above writes under /var/log/HOSTS).
(Read this post in case the semanage command is not found.)
semanage fcontext -a -t syslogd_exec_t /sbin/rsyslogd
restorecon /sbin/rsyslogd
/usr/sbin/semanage fcontext -a -t var_log_t "/var/log/rsyslog_custom(/.*)?"
/sbin/restorecon -R -v /var/log/rsyslog_custom
Set IPTABLES for rsyslog
The rsyslog server receives client logs on UDP port 514, so we will open iptables only for this port. (The configuration above also listens on TCP 514; if any client forwards over TCP, using the @@ form shown in the client section below, add an equivalent rule for tcp as well.)
Edit /etc/sysconfig/iptables
vi /etc/sysconfig/iptables
Put the rule given below above any REJECT rule in the INPUT chain:
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
Now save and exit, then restart the iptables service:

/etc/init.d/iptables restart
Use the iptables -nL command to check the iptables rules.
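The ordering rule above (ACCEPT before any REJECT in INPUT) is easy to get wrong when the file is edited by hand, and a rule placed after the REJECT is silently never reached. The script below is an added example, not from the original post: it reads a ruleset in iptables-save format (the format of /etc/sysconfig/iptables) and reports whether an ACCEPT for the given protocol and port appears in the INPUT chain before the first REJECT or DROP. The demo helper writes two constructed CentOS 6 style rulesets, one correct and one with the syslog rule placed after the REJECT.

```sh
#!/bin/sh
# Added example, not part of the original post.  Checks that the INPUT chain
# of an iptables-save style file accepts PROTO traffic to PORT before the
# first REJECT/DROP rule; a rule placed after the REJECT is never reached.

# check_input_rule PROTO PORT FILE
# Exit status 0 if a matching ACCEPT rule precedes any REJECT/DROP in INPUT,
# 1 otherwise.  Only single-port "--dport N" rules are recognised.
check_input_rule() {
    proto=$1; port=$2; file=$3
    awk -v proto="$proto" -v port="$port" '
        $1 == "-A" && $2 == "INPUT" {
            if ($0 ~ ("-p " proto " ") && $0 ~ ("--dport " port " ") && $0 ~ /-j ACCEPT/) {
                found = 1; exit
            }
            # First terminal rule in the chain: anything after it is dead.
            if ($0 ~ /-j (REJECT|DROP)/) exit
        }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# write_sample_rules FILE good|bad
# Write a constructed CentOS 6 style ruleset to FILE.  "good" places the
# syslog rule before the REJECT, "bad" places it after.
write_sample_rules() {
    file=$1; order=$2
    syslog='-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT'
    reject='-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    {
        printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
        printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        printf '%s\n' '-A INPUT -p icmp -j ACCEPT' '-A INPUT -i lo -j ACCEPT'
        printf '%s\n' '-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT'
        if [ "$order" = good ]; then
            printf '%s\n' "$syslog" "$reject"
        else
            printf '%s\n' "$reject" "$syslog"
        fi
        printf '%s\n' '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
    } > "$file"
}
```

On the server, `check_input_rule udp 514 /etc/sysconfig/iptables || echo "syslog rule missing or unreachable"` checks the saved file; to check the live ruleset instead, feed `iptables-save` output into a file first. Running the same check with tcp tells you whether clients forwarding with the @@ form would get through.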

Configure the rsyslog daemon as a client
The next step is to turn your CentOS machine into an rsyslog client that sends all of its internal log messages to the central remote log server.

To do so, open the main rsyslog configuration file located in /etc path with your favorite text editor:

# nano /etc/rsyslog.conf
After the file is opened for editing, you need to add the following statement at the bottom of the file. Replace the IP address with your remote rsyslog server's IP address.

*.*  @192.168.1.25:514
The above statement tells rsyslog daemon to route every log message from every facility on the system to the remote rsyslog server (192.168.1.25) on UDP port 514.

If for some reason you need a more reliable protocol such as TCP, and the rsyslog server is configured to listen for TCP connections, add an extra @ character in front of the remote host's IP address, as in the excerpt below:

*.*  @@192.168.1.25:514
Note that you can also replace the IP address of the rsyslog server with its DNS name (FQDN).
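To confirm the whole path (client forwarding, firewall, server template) send a message you will recognise and look for it in the file the server should create. The functions below are an added example, not from the original post. They build an RFC 3164 syslog line, send it over UDP using bash's /dev/udp device (so they do not depend on a logger version that supports remote targets), and compute the file the RemoteLogs template on the server will write it to. The server address is the one used in this post; the host name, tag and text in the commented usage are constructed placeholders.

```bash
#!/bin/bash
# Added example, not part of the original post.  Sends a recognisable test
# message to the central rsyslog server over UDP and tells you where the
# server-side RemoteLogs template will file it.

# Facility and severity codes from RFC 3164; PRI = facility * 8 + severity.
syslog_pri() {
    local f s
    case $1 in
        kern) f=0 ;;    user) f=1 ;;    mail) f=2 ;;    daemon) f=3 ;;
        auth) f=4 ;;    syslog) f=5 ;;  cron) f=9 ;;    authpriv) f=10 ;;
        local0) f=16 ;; local1) f=17 ;; local2) f=18 ;; local3) f=19 ;;
        local4) f=20 ;; local5) f=21 ;; local6) f=22 ;; local7) f=23 ;;
        *) return 1 ;;
    esac
    case $2 in
        emerg) s=0 ;;   alert) s=1 ;;  crit) s=2 ;; err) s=3 ;;
        warning) s=4 ;; notice) s=5 ;; info) s=6 ;; debug) s=7 ;;
        *) return 1 ;;
    esac
    echo $((f * 8 + s))
}

# build_message FACILITY SEVERITY HOST TAG TEXT [TIMESTAMP]
# RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: TEXT.  The HOST field is what
# the server's %HOSTNAME% template property uses, so it decides the directory.
build_message() {
    local pri ts
    pri=$(syslog_pri "$1" "$2") || return 1
    ts=${6:-$(date '+%b %e %T')}
    printf '<%s>%s %s %s: %s' "$pri" "$ts" "$3" "$4" "$5"
}

# expected_logfile HOST TAG
# Where the server's RemoteLogs template
# ("/var/log/HOSTS/%HOSTNAME%/%PROGRAMNAME%.log") files the message;
# rsyslog derives %PROGRAMNAME% from the tag.
expected_logfile() {
    printf '/var/log/HOSTS/%s/%s.log' "$1" "$2"
}

# send_udp SERVER PORT MESSAGE  (bash only: /dev/udp is a bash feature)
send_udp() {
    printf '%s' "$3" > "/dev/udp/$1/$2"
}

# Usage (constructed tag and text; the server address is the one from the post):
#   msg=$(build_message local0 notice "$(hostname -s)" rsyslogtest "probe $(date +%s)")
#   send_udp 192.168.1.25 514 "$msg"
#   echo "now look on the server in $(expected_logfile "$(hostname -s)" rsyslogtest)"
```

If the line never appears on the server, the usual suspects in order are the firewall rule (wrong protocol or placed after the REJECT), the imudp/imtcp lines still commented out, and SELinux denying the write to the log directory.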
