{{tag>[linux syslog rsyslog loghost centos]}}
~~NOTOC~~

=====rsyslog - central loghost=====
  * Open tcp and udp port 514. Edit **/etc/sysconfig/iptables** <code>-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT</code>
  * Reload iptables. <code>service iptables reload</code>
  * Configure SELinux to allow remote logging over tcp. <code>semanage port -m -t syslogd_port_t -p tcp 514</code>
  * Create rsyslog config:
    * **/etc/rsyslog.conf** <code># Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf</code>
    * /etc/rsyslog.d/1-modules.conf <code>$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on</code>
    * /etc/rsyslog.d/2-loghost.conf <code># This one is the template to generate the log filename dynamically, depending on the client's IP address.
$template FILENAME,"/var/log/remote/%HOSTNAME%-syslog.log"

# Log all messages not from localhost to the dynamically formed file.
:fromhost-ip, !isequal, "127.0.0.1" -?FILENAME
& ~</code>
    * /etc/rsyslog.d/3-local.conf <code>#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log</code>
  * Restart rsyslog service. <code>service rsyslog restart</code>