{{tag>[linux syslog rsyslog loghost centos]}}
~~NOTOC~~
=====rsyslog - central loghost=====
* Open tcp and udp port 514. Edit **/etc/sysconfig/iptables** -A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
* Reload iptables. service iptables reload
* Configure SELinux to allow remote logging over tcp. semanage port -m -t syslogd_port_t -p tcp 514
* Create rsyslog config:
* **/etc/rsyslog.conf** # Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
* /etc/rsyslog.d/1-modules.conf $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
* /etc/rsyslog.d/2-loghost.conf # This one is the template to generate the log filename dynamically, depending on the client's IP address.
$template FILENAME,"/var/log/remote/%HOSTNAME%-syslog.log"
# Log all messages not from localhost to the dynamically formed file.
:fromhost-ip, !isequal, "127.0.0.1" -?FILENAME
& ~
* /etc/rsyslog.d/3-local.conf #### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
* Restart rsyslog service. service rsyslog restart