http://sharadchhetri.com/2014/03/01/install-and-configure-rsyslog-on-rhel-6-centos-6/
In this tutorial we will learn, how to install and configure rsyslog 7.6 version on RHEL 6.5/CentOS 6.5 .The scenario is,install and setup rsyslog Centralized Logging Server in RHEL/CentOS 6.5. All the logs from client servers will be sent to Centralized logging server i.e rsyslog server.
Check Pre-installed rsyslog package
Step 1: First of all check the rsyslog package is installed in your system.Generally by-default we get rsyslog version 5.x , afterminimal installation of CentOS 6.x / RHEL 6.x
We will install the latest rsyslog package. At the time of writing this post, rsyslog stable version 7.6 was available. You can find the latest package information fromrsyslog official website
Note: By default, RHEL 6.x and CentOS 6.x has rsyslog version 5.x. So here we will update the rsyslog with new version.
You can get the rsyslog version information,by using below given two commands
rpm -qa|grep rsyslog
And
rsyslogd -v
See the below given screenshot
Installing / Updating the rsyslog version 7.6 in RHEL 6.x / CentOS 6.x
For installing rsyslog version 7.6. Create a new yum client repo file and paste the below given contents. (With the same method,you can install other version of rsyslog [information link])
Creating new file /etc/yum.repos.d/rsyslog.repo (You can use your favorite editor )
vi /etc/yum.repos.d/rsyslog.repoPaste the below given contents in file /etc/yum.repos.d/rsyslog.repo (In vi editor, for inserting content pressi key,then paste content in file , for saving press keyesc :wq )
[rsyslog-v7-devel]
name=Adiscon Rsyslog v7-devel for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v7-devel/epel-$releasever/$basearch
enabled=0
gpgcheck=0
protect=1
[rsyslog-v7-stable]
name=Adiscon Rsyslog v7-stable for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v7-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
protect=1For installing the rsyslog,in case the package is not available (rpm -qa|grep rsyslog). Run below given command
|
1
|
yum
install
rsyslog
|
For updating to new rsyslog version, run below given command
|
1
|
yum
update
rsyslog
|
Configure rsyslog in RHEL 6.x / CentOS 6.x
Step 1 : Enable the module.We will uncomment the below given line by removing#
Take the backup of original file
|
1
|
cp
-
pv
/
etc
/
rsyslog
.
conf
/
etc
/
rsyslog
.
conf
.
orig
|
Edit the file /etc/rsyslog.conf
|
1
|
vi
/
etc
/
rsyslog
.
conf
|
Uncomment by removing # in front of these module names
|
1
2
|
module
(
load
=
"imuxsock"
)
# provides support for local system logging (e.g. via logger command)
module
(
load
=
"imklog"
)
# provides kernel logging support (previously done by rklogd)
|
Now, in same file , search for line *.emerg *. Modify the action (i.e *) with:omusrmsg:* . See below given reference
|
1
|
*
.
emerg
:
omusrmsg
:
*
|
Enable UDP port no. 514 for rsyslog .Uncomment below given lines by removing # sign
|
1
2
|
module
(
load
=
"imudp"
)
# needs to be done just once
input
(
type
=
"imudp"
port
=
"514"
)
|
Now, at the end of file /etc/rsyslog.conf, paste the below given code(These are rsyslog templates)
|
1
2
3
4
|
$
template
TmplAuth
,
"/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
$
template
TmplMsg
,
"/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv
.
*
?
TmplAuth
*
.
info
,
mail
.
none
,
authpriv
.
none
,
cron
.
none
?
TmplMsg
|
Now , save and exit from file vi /etc/rsyslog.conf
Below given is the reference from our Server,after editing /etc/rsyslog.conf, it looks as given below (verify your file with below given reference)
Here, egrep -v '^#|^$' command will show only uncommented lines from the file.
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
[
root
@
localhost
/
]
# egrep -v '^#|^$' /etc/rsyslog.conf -v
module
(
load
=
"imuxsock"
)
# provides support for local system logging (e.g. via logger command)
module
(
load
=
"imklog"
)
# provides kernel logging support (previously done by rklogd)
module
(
load
=
"imudp"
)
# needs to be done just once
input
(
type
=
"imudp"
port
=
"514"
)
$
ActionFileDefaultTemplate
RSYSLOG
_TraditionalFileFormat
$
IncludeConfig
/
etc
/
rsyslog
.
d
/
*
.
conf
*
.
info
;
mail
.
none
;
authpriv
.
none
;
cron
.
none
/
var
/
log
/
messages
authpriv
.
*
/
var
/
log
/
secure
mail
.
*
/
var
/
log
/
maillog
cron
.
*
/
var
/
log
/
cron
*
.
emerg
:
omusrmsg
:
*
uucp
,
news
.
crit
/
var
/
log
/
spooler
local7
.
*
/
var
/
log
/
boot
.
log
$
template
TmplAuth
,
"/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
$
template
TmplMsg
,
"/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv
.
*
?
TmplAuth
*
.
info
,
mail
.
none
,
authpriv
.
none
,
cron
.
none
?
TmplMsg
[
root
@
localhost
/
]
#
|
Step 4: Now edit the file /etc/sysconfig/rsyslog .And set theSYSLOGD_OPTIONS with no parameter
|
1
|
SYSLOGD_OPTIONS
=
""
|
See the below given reference from our Server
|
1
2
3
4
5
6
7
|
[
root
@
localhost
~
]
# cat /etc/sysconfig/rsyslog
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS
=
""
[
root
@
localhost
~
]
#
|
Step 5: Start/Restart the rsyslog service
For starting rsyslog
|
1
|
/
etc
/
init
.
d
/
rsyslog
start
|
For restarting rsyslog
|
1
|
/
etc
/
init
.
d
/
rsyslog
restart
|
[for stoping rsyslog, /etc/init.d/rsyslog stop]
Create new directory in /var/log
Create new directory in /var/log called rsyslog_custom. so that we will keep all Servers log in this directory.
|
1
|
mkdir
-
p
/
var
/
log
/
rsyslog_custom
|
Set SELINUX rules for rsyslog
Some system admin, disable the selinux .
If you want to keep SELINUX enable. Use the below given command
(Read this post,in case semanage command not found)
|
1
2
3
4
5
|
semanage
fcontext
-
a
-
t
syslogd_exec_t
/
sbin
/
rsyslogd
restorecon
/
sbin
/
rsyslogd
/
usr
/
sbin
/
semanage
fcontext
-
a
-
t
var_log
_t
"/var/log/rsyslog_custom(/.*)?"
/
sbin
/
restorecon
-
R
-
v
/
var
/
log
/
rsyslog_custom
|
Set IPTABLES for rsyslog
rsyslog service uses the UDP port number 514 .Hence we will set the iptable only for this port
Edit /etc/sysconfig/iptables
|
1
|
vi
/
etc
/
sysconfig
/
iptables
|
Put the given below RULE always above of any REJECT INPUT rule
|
1
|
-
A
INPUT
-
m
state
--
state
NEW
-
m
udp
-
p
udp
--
dport
514
-
j
ACCEPT
|
Now, save and exit. Restart the iptables service
|
1
|
/
etc
/
init
.
d
/
iptables
restart
|
Use iptables -nL command to check the iptables rule
Restart rsyslog and verify listening status of 514 port
|
1
|
/
etc
/
init
.
rsyslog
restart
|
Check listening status of port 514
|
1
|
netstat
-
uanp
|
grep
rsyslog
|
See below given reference from my server
|
1
2
3
4
|
[
root
@
localhost
~
]
# netstat -uanp|grep rsyslog
udp
0
0
0.0.0.0
:
514
0.0.0.0
:
*
3266
/
rsyslogd
udp
0
0
::
:
514
::
:
*
3266
/
rsyslogd
[
root
@
localhost
~
]
#
|
Configure rsyslog in client servers
To fetch the logs from remote client servers.We will edit the rsyslog.conf file in client machine. The method is applicable to Red Hat based and Debian based Operation system (eg. RHEL,CentOS,Debian,Ubuntu)
Syntax:
*.* @ip-address-of-rsyslog-server:514
Example:
Edit file
|
1
|
vi
/
etc
/
rsyslog
.
conf
|
Paste the below line (replace 192.168.56.102 with your rsyslog server ip address, here 514 is UDP port no.)
|
1
|
*
.
*
@
192.168.56.102
:
514
|
Save and exit from file /etc/rsyslog.conf and restart the rsyslog service
|
1
|
/
etc
/
init
.
d
/
rsyslog
restart
|
Now relogin in Client system so that we will capture the log.And same log information we will see in rsyslog server
Verify the log in rsyslog server
Change to directory /var/log/rsyslog_custom . You must see,a directory with hostname of your client machine. And inside that directory you will see some logs.
|
1
|
cd
/
var
/
log
/
rsyslog_custom
|
Reference from my system (Output will be different in your case)
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
[
root
@
localhost
~
]
# ls -l /var/log/rsyslog_custom/
total
8
drwx
--
--
--
.
2
root
root
4096
Mar
1
07
:
52
localhost
drwx
--
--
--
.
2
root
root
4096
Mar
1
07
:
47
tuxworld
[
root
@
localhost
~
]
#
[
root
@
localhost
~
]
# ls -l /var/log/rsyslog_custom/tuxworld/
total
32
-
rw
--
--
--
-
.
1
root
root
193
Mar
1
07
:
46
CRON
.
log
-
rw
--
--
--
-
.
1
root
root
619
Mar
1
07
:
47
dbus
.
log
-
rw
--
--
--
-
.
1
root
root
255
Mar
1
07
:
47
dhclient
.
log
-
rw
--
--
--
-
.
1
root
root
0
Mar
1
07
:
46
kernel
.
log
-
rw
--
--
--
-
.
1
root
root
659
Mar
1
07
:
47
NetworkManager
.
log
-
rw
--
--
--
-
.
1
root
root
120
Mar
1
07
:
46
rsyslogd
-
2039.log
-
rw
--
--
--
-
.
1
root
root
149
Mar
1
07
:
46
rsyslogd
.
log
-
rw
--
--
--
-
.
1
root
root
296
Mar
1
07
:
44
sudo
.
log
-
rw
--
--
--
-
.
1
root
root
316
Mar
1
07
:
44
su
.
log
[
root
@
localhost
~
]
#
|
IMPORTANT Note: After setting all things,it is good practice to check/var/log/messages .In case of any rsyslog related error/warning is found
Note: This rsyslog server setup is recommended to use in secure internal network. The rsyslog server should not be publicly exposed.
In case you want to secure the rsyslog server.Use the iptable which only accept logs from your desired particular ip address/ network .
For EXAMPLE Only allow particular ip address to connect withrsyslog server for logging. The client machine has ip address 192.168.56.1 (replace 192.168.56.1 with your client machine ip address [ifconfig])
|
1
2
3
|
vi
/
etc
/
sysconfig
/
iptables
-
A
INPUT
-
m
state
--
state
NEW
-
m
udp
-
p
udp
-
s
192.168.56.1
--
dport
514
-
j
ACCEPT
|
Restart the iptable after this /etc/init.d/iptables restart
For EXAMPLE. Only allow particular NETWORK to connect withrsyslog server for logging. The Network subnet is 10.0.0.0/255.255.255.0 (replace 10.0.0.0/255.255.255.0 from your network information )
|
1
2
3
|
vi
/
etc
/
sysconfig
/
iptables
-
A
INPUT
-
m
state
--
state
NEW
-
m
udp
-
p
udp
-
s
10.0.0.0
/
24
--
dport
514
-
j
ACCEPT
|
Restart the iptable /etc/init.d/iptables restart
For further reading : Viewing and Managing Log Files
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
