Syslog

Instructions for setting up rsyslog server

Run the following commands

yum -y install rsyslog

Edit the rsyslog.conf file

vim /etc/rsyslog.conf

Edit the following lines from

# Provides UDP syslog reception

#$ModLoad imudp

#$UDPServerRun 514

# Provides TCP syslog reception

#$ModLoad imtcp

#$InputTCPServerRun 514

# Provides UDP syslog reception

$ModLoad imudp

$UDPServerRun 514

# Provides TCP syslog reception

$ModLoad imtcp

$InputTCPServerRun 514

This will allow the server to listen on both UDP and TCP connections on port 514.

Add the following lines in order to separate log files by hostname and program.

$template TempAuth, "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"

$template TempMsg, "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"

if ($fromhost-ip != "127.0.0.1" ) then ?TempAuth

& ~

if ($fromhost-ip != "127.0.0.1" ) then ?TempMsg

& ~

Restart the service and then check if the server is listening correctly.

systemctl restart rsyslogs

ystemctl enable rsyslog

netstart -antup | grep 514

The above command should return the following

Open up the following firewall ports and restart the service

firewall-cmd --permanent --add-port=514/udp

firewall-cmd --permanent --add-port=514/tcp

firewall-cmd --reload

Edit the rsyslog.conf file

vim /etc/rsyslog.conf

Add the following line to the "##RULES##" section. This command will send all logs to the logging server.

*.* @192.168.1.3:514

If you wish to send log files over TCP instead of UDP. Add another "@" symbol. As shown below

*.* @@192.168.1.3:514

Restart and enable on startup the rsyslog client.

systemctl restart rsyslog

systemctl enable rsyslog

Google Sites

Report abuse