Configure Remote Logging with Rsyslog

  Uncategorized

Introduction

A Linux host running rsyslog can send all or individual logs to another rsyslog host over a TCP or UDP connection. This is necessary to preserve the integrity of the log files if the host is ever compromised or provide a centralized location for managing the log files.

Requirements

  • Red Hat Enterprise Linux (RHEL) or Debian based distributions (CentOS, Fedora, Ubuntu, etc)
  • Logging server node
  • Logging client node

Install Rsyslog

Rsyslog will already likely be installed on most popular distributions. In the event rsyslog is missing, it can be install with YUM on CentOS and RHEL.

yum -y install rsyslog

Or rsyslog can be installed on Ubuntu or Debian with apt-get.

apt-get -y install rsyslog

Configure Logging Server

First log into the rsyslog host that will receiving the logs. Edit the /etc/rsyslog.conf file and uncomment the two lines relating to the TCP module.

$ModLoad imtcp
$InputTCPServerRun 514

The rsyslog service will need to be restarted for the change to take affect.

service rsyslog restart

Add Server Firewall Rule

The local firewall must include a rule to allow incoming TCP traffic on port 514.

On CentOS 7 and RHEL 7 based distributions:

firewall-cmd --permanent --add-port 514/tcp
firewall-cmd --reload

CentOS 6 and RHEL 6 based distributions:

iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 514 -j ACCEPT
service iptables save

Ubuntu and Debian based distributions:

ufw allow 514/tcp

Configure Logging Client

Next log into the rsyslog client host sending the logs and create a /etc/rsyslog.d/loghost.conf file with the following line. Replace loghost in the example with a resolvable hostname or IP address of remote logging server.

*.* @@loghost:514

Here is a breakdown of the above remote logging syntax:

  • *.* – Matches all logging facilities and priorities.
  • @@ – Specifies that TCP is used for transferring the logs while a single @ will use UDP.
  • localhost – A resolvable hostname or IP address of the destination log host.
  • 514 – The TCP port of the destination log host.

Note: The rsyslog server firewall rule will need to be adjusted if using UDP for transferring the log data.

The following example will send only authentication entries and mail errors to the remote logging server.

authpriv.* @@loghost:514
mail.err   @@loghost:514

Restart the rsyslog service to begin sending the logs the remote host.

service rsyslog restart

Search Remote Log File

The client hostname will appear for each log entry on the remote logging server. If the client is named node1, then you can search the log file for entries from only that host.

grep node1 /var/log/messages
Feb 16 07:48:35 node1 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="349" x-info="http://www.rsyslog.com"] start

Views: 25

LEAVE A COMMENT

What is the capital of Egypt? ( Cairo )