rsyslog - central loghost
- Open tcp and udp port 514. Edit /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
- Reload iptables.
service iptables reload
- Configure SELinux to allow remote logging over tcp.
semanage port -m -t syslogd_port_t -p tcp 514
- Create the rsyslog config files. They are included in filename order, so the numeric prefixes matter: remote messages are filed and discarded in 2-loghost.conf before the local rules in 3-local.conf are reached.
- /etc/rsyslog.conf
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
- /etc/rsyslog.d/1-modules.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
- /etc/rsyslog.d/2-loghost.conf
# This one is the template to generate the log filename dynamically, depending on the
# client's hostname (%HOSTNAME% is the hostname field of the received message, as
# written by the client, not the peer IP address).
$template FILENAME,"/var/log/remote/%HOSTNAME%-syslog.log"

# Log all messages not from localhost to the dynamically formed file ...
:fromhost-ip, !isequal, "127.0.0.1" -?FILENAME
# ... and then discard them, so the local rules in 3-local.conf never see remote messages.
& ~
- /etc/rsyslog.d/3-local.conf
#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
- Restart rsyslog service.
service rsyslog restart
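To confirm the loghost is actually filing remote messages after the restart, here is an added check script (not part of the original page): it builds a traditional-format syslog line, sends it to tcp/514, and polls the per-host file that the FILENAME template above selects. The loghost name loghost.example.com is a placeholder, and the script is meant to run on the loghost itself (the file check is local) or wherever /var/log/remote is visible.

```python
import socket
import time

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
REMOTE_LOG_DIR = "/var/log/remote"  # same directory as the FILENAME template above

def syslog_pri(facility, severity):
    """RFC 3164 PRI field: facility * 8 + severity (user.info is 1*8+6 = 14)."""
    return facility * 8 + severity

def build_message(hostname, tag, text, facility=1, severity=6, when=None):
    """One traditional-format syslog line, newline-terminated so imtcp sees a
    complete frame. The HOSTNAME field is whatever the sender writes here,
    and that string is what %HOSTNAME% in the template resolves to."""
    t = when or time.localtime()
    stamp = (f"{MONTHS[t.tm_mon - 1]} {t.tm_mday:2d} "
             f"{t.tm_hour:02d}:{t.tm_min:02d}:{t.tm_sec:02d}")
    return f"<{syslog_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}\n".encode()

def send_tcp(host, port, payload, timeout=5.0):
    """Deliver the frame to the loghost over TCP 514 (the port opened above)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)

def remote_log_path(hostname):
    """File that 2-loghost.conf's template selects for this HOSTNAME value."""
    return f"{REMOTE_LOG_DIR}/{hostname}-syslog.log"

def wait_for_marker(path, marker, tries=10, delay=0.5):
    """Poll the per-host file until the marker shows up; False on timeout."""
    needle = marker.encode()
    for _ in range(tries):
        try:
            with open(path, "rb") as fh:
                if needle in fh.read():
                    return True
        except FileNotFoundError:
            pass
        time.sleep(delay)
    return False

if __name__ == "__main__":
    loghost = "loghost.example.com"  # placeholder, replace with the real loghost
    me = socket.gethostname()
    marker = f"loghost-check-{int(time.time())}"  # unique string to look for
    send_tcp(loghost, 514, build_message(me, "loghost-check", marker))
    print("received" if wait_for_marker(remote_log_path(me), marker) else "MISSING")
```

If the message is missing, check in order: the iptables rule (tcp/514 open), the SELinux port label, and whether rsyslog is listening (imtcp loaded and $InputTCPServerRun 514 present).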
rsyslog_central_loghost.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1