Syslog


Instructions for setting up rsyslog server

Run the following command

yum -y install rsyslog


Edit the rsyslog.conf file

vim /etc/rsyslog.conf


Edit the following lines from


# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


To

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


This will allow the server to listen on both UDP and TCP connections on port 514.


Add the following lines in order to separate log files by hostname and program.

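# Per-host, per-program file name for messages received from remote hosts
$template TempAuth, "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"
$template TempMsg, "/var/log/infosys/%HOSTNAME%/%PROGRAMNAME%.log"
# Write every non-local message to its per-host file, then discard it ("& ~")
# so that later rules do not process it again
if ($fromhost-ip != "127.0.0.1" ) then ?TempAuth
& ~
# Same template path and filter: remote messages were already discarded above
if ($fromhost-ip != "127.0.0.1" ) then ?TempMsg
& ~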


Restart the service and then check if the server is listening correctly.

systemctl restart rsyslog
systemctl enable rsyslog
netstat -antup | grep 514


The above command should return the following



Open the following firewall ports and reload the firewall to apply them


firewall-cmd --permanent --add-port=514/udp
firewall-cmd --permanent --add-port=514/tcp
firewall-cmd --reload
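
The `netstat -antup | grep 514` check in the server steps above also matches port 5140 or a PID that contains 514. As an added example that is not part of the original page, the hypothetical helper `check_syslog_listeners` below reads the same netstat output and succeeds only when rsyslogd itself holds a TCP listener and a UDP socket on exactly port 514. The sample outputs are constructed, not captured from a real host.

```bash
#!/bin/sh
# Added example (hypothetical helper, not from the original page).
# Reads `netstat -antup` output on stdin and succeeds only when rsyslogd
# itself holds a TCP listener and a UDP socket on exactly port 514.
# Run netstat as root, otherwise the PID/Program column shows "-".
check_syslog_listeners() {
    awk '
    {
        # Field 4 is the local address; the port follows the last ":".
        n = split($4, addr, ":")
        # Skip other ports (5140, 1514, ...) and other programs.
        if (addr[n] != "514" || $NF !~ /\/rsyslogd$/) next
        if ($1 ~ /^tcp/ && $6 == "LISTEN") tcp = 1
        if ($1 ~ /^udp/) udp = 1
    }
    END {
        printf "tcp=%s udp=%s\n", (tcp ? "ok" : "missing"), (udp ? "ok" : "missing")
        exit !(tcp && udp)
    }'
}

# Constructed sample: both listeners present.
SAMPLE_OK='Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:514     0.0.0.0:*         LISTEN   1432/rsyslogd
tcp6       0      0 :::514          :::*              LISTEN   1432/rsyslogd
udp        0      0 0.0.0.0:514     0.0.0.0:*                  1432/rsyslogd
udp6       0      0 :::514          :::*                       1432/rsyslogd'

# Constructed sample: "514" appears only inside another port and a PID.
SAMPLE_BAD='tcp        0      0 0.0.0.0:5140    0.0.0.0:*         LISTEN   2210/nginx
udp        0      0 0.0.0.0:68      0.0.0.0:*                  1514/dhclient'

# Constructed sample: UDP enabled, TCP lines still commented out.
SAMPLE_UDP_ONLY='udp        0      0 0.0.0.0:514     0.0.0.0:*                  1432/rsyslogd
udp6       0      0 :::514          :::*                       1432/rsyslogd'

printf '%s\n' "$SAMPLE_OK" | check_syslog_listeners || echo "listener check failed"
printf '%s\n' "$SAMPLE_BAD" | check_syslog_listeners || echo "listener check failed"
printf '%s\n' "$SAMPLE_UDP_ONLY" | check_syslog_listeners || echo "listener check failed"

# On the server, as root: netstat -antup | check_syslog_listeners
```
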


Instructions for setting up rsyslog client

Edit the rsyslog.conf file

vim /etc/rsyslog.conf


Add the following line to the "##RULES##" section. This rule sends all logs to the logging server over UDP.

*.* @192.168.1.3:514


To send logs over TCP instead of UDP, add another "@" symbol, as shown below.

*.* @@192.168.1.3:514


Restart the rsyslog client and enable it on startup.

systemctl restart rsyslog
systemctl enable rsyslog