Setup Remote Logging Server with Rsyslog

Objective

The objective of this tutorial is to configure a remote centralized log server using rsyslog. An rsyslog server can listen on port 514 over both TCP and UDP; this tutorial uses UDP. This setup was tested on CentOS 6 server and client machines.

Server Side Configuration

  • Install rsyslog package
      
    yum install rsyslog
  • Add the following directives to /etc/rsyslog.conf
       
    # provides support for local system logging
    $ModLoad imuxsock 
    # provides kernel logging support (previously done by rklogd)
    $ModLoad imklog
    # provides UDP syslog reception. For TCP, load imtcp.
    $ModLoad imudp
    # For TCP, use $InputTCPServerRun 514
    $UDPServerRun 514
    # This one is the template to generate the log filename dynamically, depending on the client's IP address.
    $template FILENAME,"/var/log/%fromhost-ip%/syslog.log" 
    # Log all messages to the dynamically formed file. Each client's log (192.168.1.2, 192.168.1.3, etc.) goes under a separate directory formed by the FILENAME template.
    *.* ?FILENAME
    Save & exit from the file.
  • Replace the following directive in /etc/sysconfig/rsyslog
    SYSLOGD_OPTIONS="-c 5" 
    with
    SYSLOGD_OPTIONS="-r514 -m 0" 
    This directive tells the server to communicate through port 514.
    Save & exit from the file.
  • Now restart the rsyslog service
    service rsyslog restart

 

Client Side Configuration

  • Install rsyslog package
    yum install rsyslog
  • Add the following directives to /etc/rsyslog.conf
    # provides support for local system logging
    $ModLoad imuxsock 
    # provides kernel logging support (previously done by rklogd)
    $ModLoad imklog
    # Provides UDP forwarding. The IP is the server's IP address
    *.* @192.168.1.1:514 
    # Provides TCP forwarding. But the current server runs on UDP
    # *.* @@192.168.1.1:514
  • Now all your logs will be sent to the 192.168.1.1 server and stored at the default location, the /var/log/IP-Address directory
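
A client that forwards with "@@" (TCP) to a server that only runs $UDPServerRun sends logs nowhere, so it is worth checking the two files against each other before restarting. The script below is an added example, not part of the original tutorial: its function names and sample files are constructed for illustration, and it understands only the legacy directive syntax shown above.

```shell
#!/bin/sh
# Added example: offline check that a client's forwarding action matches
# what the server's rsyslog.conf listens on (legacy directive syntax only).

# Print active lines only (rsyslog treats lines starting with '#' as comments).
active_lines() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# Print "udp PORT" for each $UDPServerRun that follows "$ModLoad imudp".
server_listeners() {
    active_lines "$1" | awk '
        tolower($1) == "$modload" && $2 == "imudp" { loaded = 1 }
        tolower($1) == "$udpserverrun" && loaded   { print "udp", $2 }'
}

# Print "PROTO HOST PORT" per forwarding action: "@" is UDP, "@@" is TCP.
client_forwards() {
    active_lines "$1" | awk '
        $2 ~ /^@/ {
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"
            target = $2; sub(/^@+/, "", target)
            n = split(target, part, ":")
            print proto, part[1], (n > 1 ? part[2] : 514)
        }'
}

# Succeed only if every client forward has a matching server listener.
check_pair() {
    listeners=$(server_listeners "$1")
    forwards=$(client_forwards "$2")
    [ -n "$forwards" ] || { echo "client: no forwarding action"; return 1; }
    while read -r proto host port; do
        echo "$listeners" | grep -qx "$proto $port" ||
            { echo "mismatch: $proto/$port to $host has no listener"; return 1; }
    done <<EOF
$forwards
EOF
}

# Constructed sample configs (trimmed copies of the directives shown above).
demo_dir=$(mktemp -d)
printf '%s\n' '$ModLoad imudp' '# For TCP: imtcp' '$UDPServerRun 514' \
    '$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"' '*.* ?FILENAME' \
    > "$demo_dir/server.conf"
printf '%s\n' '*.* @192.168.1.1:514' '# *.* @@192.168.1.1:514' > "$demo_dir/udp-client.conf"
printf '%s\n' '*.* @@192.168.1.1:514' > "$demo_dir/tcp-client.conf"
check_pair "$demo_dir/server.conf" "$demo_dir/udp-client.conf" && echo "udp client: ok"
check_pair "$demo_dir/server.conf" "$demo_dir/tcp-client.conf" || echo "tcp client: rejected"
```

On real hosts, copy the client's /etc/rsyslog.conf next to the server's and call check_pair with the two paths.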