Introduction
A Linux host running rsyslog can send all or individual logs to another rsyslog host over a TCP or UDP connection. This is necessary to preserve the integrity of the log files if the host is ever compromised or provide a centralized location for managing the log files.
Requirements
- Red Hat Enterprise Linux (RHEL) or Debian based distributions (CentOS, Fedora, Ubuntu, etc)
- Logging server node
- Logging client node
Install Rsyslog
Rsyslog will already likely be installed on most popular distributions. In the event rsyslog is missing, it can be install with YUM on CentOS and RHEL.
yum -y install rsyslog
Or rsyslog can be installed on Ubuntu or Debian with apt-get
.
apt-get -y install rsyslog
Configure Logging Server
First log into the rsyslog host that will receiving the logs. Edit the /etc/rsyslog.conf
file and uncomment the two lines relating to the TCP module.
$ModLoad imtcp
$InputTCPServerRun 514
The rsyslog service will need to be restarted for the change to take affect.
service rsyslog restart
Add Server Firewall Rule
The local firewall must include a rule to allow incoming TCP traffic on port 514.
On CentOS 7 and RHEL 7 based distributions:
firewall-cmd --permanent --add-port 514/tcp
firewall-cmd --reload
CentOS 6 and RHEL 6 based distributions:
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 514 -j ACCEPT
service iptables save
Ubuntu and Debian based distributions:
ufw allow 514/tcp
Configure Logging Client
Next log into the rsyslog client host sending the logs and create a /etc/rsyslog.d/loghost.conf
file with the following line. Replace loghost in the example with a resolvable hostname or IP address of remote logging server.
*.* @@loghost:514
Here is a breakdown of the above remote logging syntax:
*.*
– Matches all logging facilities and priorities.@@
– Specifies that TCP is used for transferring the logs while a single@
will use UDP.localhost
– A resolvable hostname or IP address of the destination log host.514
– The TCP port of the destination log host.
Note: The rsyslog server firewall rule will need to be adjusted if using UDP for transferring the log data.
The following example will send only authentication entries and mail errors to the remote logging server.
authpriv.* @@loghost:514
mail.err @@loghost:514
Restart the rsyslog service to begin sending the logs the remote host.
service rsyslog restart
Search Remote Log File
The client hostname will appear for each log entry on the remote logging server. If the client is named node1, then you can search the log file for entries from only that host.
grep node1 /var/log/messages
Feb 16 07:48:35 node1 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="349" x-info="http://www.rsyslog.com"] start
Views: 26