How To Setup SysLog Server on CentOS 7 / RHEL 7
Today we will be looking into how to set up centralized log management for Linux servers. This lets a Linux admin keep the logs of multiple servers in a single place: instead of logging in to each server to check its logs, the admin logs in to the centralized server and monitors the logs there.
Linux labels each log message with a facility (auth, cron, FTP, LPR, authpriv, news, mail, syslog, etc.) that indicates the type of software that generated the message, and with a severity (alert, critical, warning, notice, info, etc.).
You can find more information on Message Labels and Severity Levels
Make sure you have the following to set up a log server.
Two Linux servers (server and client).
server.itzgeek.local 192.168.0.10
client.itzgeek.local 192.168.0.20
Syslog Server Setup
Install the Rsyslog package, if you do not have it installed.
yum -y install rsyslog
Edit the /etc/rsyslog.conf file.
vi /etc/rsyslog.conf
TCP or UDP
Rsyslog supports both UDP and TCP for receiving logs. TCP provides reliable transmission of logs, whereas UDP may silently drop messages.
UDP
Uncomment the following to enable the syslog server to listen on the UDP protocol.
FROM:
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
TO:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
TCP
Uncomment the following to enable the syslog server to listen on the TCP protocol.
FROM:
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
TO:
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Restart the syslog service
systemctl restart rsyslog
Verify that the syslog server is listening on port 514.
netstat -antup | grep 514
Output:
udp 0 0 0.0.0.0:514 0.0.0.0:* 1467/rsyslogd
udp6 0 0 :::514 :::* 1467/rsyslogd
Syslog Client Setup
Install the Rsyslog package, if you do not have it installed.
yum -y install rsyslog
Edit the /etc/rsyslog.conf file.
vi /etc/rsyslog.conf
At the end of the file, add the following line to forward the client's message log to the server.
UDP
*.info;mail.none;authpriv.none;cron.none @192.168.0.10:514
TCP
*.info;mail.none;authpriv.none;cron.none @@192.168.0.10:514
You can use either the hostname or the IP address of the server.
Restart the syslog service
systemctl restart rsyslog
Now all message logs are sent to the central server, and a copy is also kept locally.
Firewall
Most production environments are protected by a hardware firewall; ask the network team to open TCP and UDP port 514.
If FirewallD is enabled on the server, run the following commands so that it accepts incoming traffic on UDP / TCP port 514.
TCP
firewall-cmd --permanent --add-port=514/tcp
firewall-cmd --reload
UDP
firewall-cmd --permanent --add-port=514/udp
firewall-cmd --reload
Validate
Go to the syslog server and view the messages log file.
tail -f /var/log/messages
You should see the client's logs being recorded on the syslog server.
Feb 9 04:26:09 client systemd: Stopping System Logging Service...
Feb 9 04:26:09 client rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="910" x-info="https://www.rsyslog.com"] exiting on signal 15.
Feb 9 04:26:09 client systemd: Stopped System Logging Service.
Feb 9 04:26:09 client systemd: Starting System Logging Service...
Feb 9 04:26:09 client rsyslogd: [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="1546" x-info="https://www.rsyslog.com"] start
Feb 9 04:26:09 client systemd: Started System Logging Service.
In the same way, you can monitor other logs such as the secure, mail, and cron logs.
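The validation step above is done by eye with tail. As an added example that is not part of the original article, the following shell helpers automate the two checks: that rsyslogd is listening on port 514 for the expected protocol, and that a given client's lines are actually arriving in /var/log/messages. Port 514 and /var/log/messages come from the article; the hostname "client", the tag "syslog-test" and the sample netstat and log data embedded below are constructed for illustration so the helpers can be exercised without a live rsyslogd.

```shell
#!/bin/sh
# Added example (not the article's own code). Helpers for the "Validate" step.

# Constructed sample of `netstat -antup | grep 514`, matching what the article
# shows when only the UDP listener is enabled on the server.
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:514    0.0.0.0:*            1467/rsyslogd
udp6       0      0 :::514         :::*                 1467/rsyslogd'

# Constructed sample of the server's /var/log/messages with two hosts mixed in.
# Traditional syslog lines are: month, day, time, hostname, program: message.
SAMPLE_LOG='Feb  9 04:26:09 client systemd: Stopping System Logging Service...
Feb  9 04:26:09 server rsyslogd: [origin software="rsyslogd"] start
Feb  9 04:26:09 client systemd: Started System Logging Service.
Feb  9 04:27:00 client root: syslog-test: validation message from client'

# listening_protocols: read netstat-style lines on stdin and print "tcp" and/or
# "udp", one per line, for each protocol with an rsyslogd listener on port 514.
# "udp6"/"tcp6" are folded into their IPv4 names.
listening_protocols() {
    grep -E '^(tcp|udp)6?[[:space:]].*:514[[:space:]].*rsyslogd' \
        | awk '{ sub(/6$/, "", $1); print $1 }' \
        | sort -u
}

# has_listener PROTO: succeed (exit 0) if the netstat output on stdin shows an
# rsyslogd listener for PROTO (tcp or udp) on port 514, fail otherwise.
has_listener() {
    listening_protocols | grep -qx "$1"
}

# client_lines FILE HOST: print the lines in FILE that HOST sent. The hostname
# is the 4th whitespace-separated field, and awk's default splitting copes
# with the double space syslog writes before single-digit days ("Feb  9").
client_lines() {
    awk -v h="$2" '$4 == h' "$1"
}

# count_client_lines FILE HOST: print how many lines HOST sent.
count_client_lines() {
    client_lines "$1" "$2" | wc -l | tr -d ' '
}

# send_test_message TAG: run on the client. logger writes to the local syslog
# socket at priority user.notice, which the client's *.info rule forwards to
# the server, where it appears with program name TAG.
send_test_message() {
    logger -t "$1" "validation message from $(hostname)"
}

# Live usage on the server (the sample data above is only for offline checks):
#   netstat -antup | has_listener udp && echo "UDP listener up"
#   netstat -antup | has_listener tcp || echo "no TCP listener: check imtcp"
#   count_client_lines /var/log/messages client
# On the client:   send_test_message syslog-test
```

These checks confirm transport only. Plain syslog on port 514 carries no authentication or encryption, so a host that can reach the port can inject or read messages in transit; restricting the firewall rule to the client addresses (a FirewallD rich rule instead of a bare --add-port) and moving to rsyslog's TLS-protected TCP input are the usual hardening steps once the basic setup works.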
Conclusion
That's all. I hope you successfully set up a centralized syslog server on CentOS 7 / RHEL 7. You can also try open-source log management tools like the ELK stack or Graylog for more advanced features such as a web interface, correlation of log events, etc.