Ben's notes


rsyslog - central loghost

  • Open tcp and udp port 514 by adding the following rules to /etc/sysconfig/iptables:
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
    -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
  • Reload iptables.
    service iptables reload
  • Configure SELinux to let rsyslog listen on tcp port 514 (relabel the port as syslogd_port_t).
    semanage port -m -t syslogd_port_t -p tcp 514
  • Create the rsyslog configuration files:
    • /etc/rsyslog.conf
      # Include all config files in /etc/rsyslog.d/
      $IncludeConfig /etc/rsyslog.d/*.conf
    • /etc/rsyslog.d/1-modules.conf
      $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
      $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
      #$ModLoad immark  # provides --MARK-- message capability
      
      # Provides UDP syslog reception
      $ModLoad imudp
      $UDPServerRun 514
      
      # Provides TCP syslog reception
      $ModLoad imtcp
      $InputTCPServerRun 514
      
      #### GLOBAL DIRECTIVES ####
      
      # Use default timestamp format
      $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
      
      # File syncing capability is disabled by default. This feature is usually not required,
      # not useful and an extreme performance hit
      #$ActionFileEnableSync on
    • /etc/rsyslog.d/2-loghost.conf
      # Template that builds the log filename dynamically from the HOSTNAME field of each message.
      $template FILENAME,"/var/log/remote/%HOSTNAME%-syslog.log"
      
      # Log all messages not from localhost to the dynamically formed file.
      :fromhost-ip, !isequal, "127.0.0.1" -?FILENAME
      & ~
    • /etc/rsyslog.d/3-local.conf
      #### RULES ####
      
      # Log all kernel messages to the console.
      # Logging much else clutters up the screen.
      #kern.*                                                 /dev/console
      
      # Log anything (except mail) of level info or higher.
      # Don't log private authentication messages!
      *.info;mail.none;authpriv.none;cron.none                /var/log/messages
      
      # The authpriv file has restricted access.
      authpriv.*                                              /var/log/secure
      
      # Log all the mail messages in one place.
      mail.*                                                  -/var/log/maillog
      
      
      # Log cron stuff
      cron.*                                                  /var/log/cron
      
      # Everybody gets emergency messages
      *.emerg                                                 *
      
      # Save news errors of level crit and higher in a special file.
      uucp,news.crit                                          /var/log/spooler
      
      # Save boot messages also to boot.log
      local7.*                                                /var/log/boot.log
  • Restart rsyslog service.
    service rsyslog restart
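The filter and template in 2-loghost.conf, emulated in Python as an added example (not code from this page or from rsyslog): it parses an RFC 3164 line the way the loghost receives it, drops nothing from 127.0.0.1 (those fall through to 3-local.conf) and renders the per-host filename. Because the hostname comes from the client's message header, the example also applies the slash replacement that rsyslog offers through the secpath-replace property option; the message format and sample values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed to match the template and filter in 2-loghost.conf on this page.
FILENAME_TEMPLATE = "/var/log/remote/%HOSTNAME%-syslog.log"
LOCALHOST = "127.0.0.1"

# RFC 3164 line as rsyslog receives it over udp/tcp: <PRI>TIMESTAMP HOSTNAME TAG: MSG
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)

@dataclass
class Message:
    facility: int
    severity: int
    hostname: str   # the HOSTNAME field the client wrote into the header
    body: str

def parse_syslog(line: str) -> Message:
    """Split an RFC 3164 line into facility/severity, HOSTNAME and the rest."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group("pri"))
    return Message(pri >> 3, pri & 7, m.group("host"), m.group("rest"))

def secpath_replace(field: str) -> str:
    """Same effect as rsyslog's secpath-replace option: slashes become '_',
    so a header-supplied hostname cannot point outside /var/log/remote/."""
    return field.replace("/", "_")

def target_file(line: str, fromhost_ip: str) -> Optional[str]:
    """Emulate ':fromhost-ip, !isequal, "127.0.0.1" -?FILENAME' followed by '& ~'.
    Returns the per-host file a remote message lands in.  Messages from 127.0.0.1
    do not match the filter, so they return None and continue to 3-local.conf.
    Simplification: HOSTNAME is always taken from the header (rsyslog falls back
    to the sender's address when the header carries none)."""
    if fromhost_ip == LOCALHOST:
        return None
    msg = parse_syslog(line)
    return FILENAME_TEMPLATE.replace("%HOSTNAME%", secpath_replace(msg.hostname))
```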
rsyslog_central_loghost.txt · Last modified: 2021/10/09 15:14 by 127.0.0.1