How to configure remote logging on RHEL6/CentOS6

Posted in: howto

Remote logging is a feature supported by rsyslog, the default syslog daemon in RHEL6 / CentOS 6. Shipping a copy of the local logs to a remote system is good practice: an attacker who compromises the host can delete or alter the local log files, but cannot touch the copies already delivered to the log server, so the remote copy protects the logs' integrity. Note that the setup below forwards over plain TCP (the @@ prefix), which is neither encrypted nor authenticated, so it is appropriate for a trusted management network.

With the default rsyslog configuration on RHEL6 it is really easy to enable remote logging: most of the configuration options are already in place and only need to be uncommented. Here's how I did it with 2 hosts:

  • the client, hostname rhel6 (192.168.0.101), running RHEL 6.3: this host will be configured to send its logs to the server
  • the server, hostname centos6 (192.168.0.105), running CentOS 6.4: this host will be configured to receive the logs from the client


Client configuration

Open up /etc/rsyslog.conf with your preferred text editor and scroll to the bottom section starting with “begin forwarding rule”. You will see something similar to this:

#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

Uncommenting and editing only the last line (to set the remote IP address) is enough to start forwarding, but it is recommended to uncomment all of the statements: the @@ prefix selects TCP (a single @ would send over UDP, which drops messages silently when the server is unreachable), and the queue directives make the forwarding resilient:

$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 2g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@192.168.0.105:514

These directives matter when the remote host is not reachable. With them, rsyslog spools outgoing messages to disk-backed queue files on the local system (under /var/lib/rsyslog, capped at 2g here), keeps them across a daemon restart ($ActionQueueSaveOnShutdown on), and retries the connection indefinitely ($ActionResumeRetryCount -1; with the default of 0 retries a suspended action simply discards messages). Once the server is responsive again the entire queue is flushed to it. Change $WorkDirectory or $ActionQueueMaxDiskSpace in the configuration above to use a different spool path or disk limit.

After modifying the file, save it and restart the daemon:

/sbin/service rsyslog restart


Server configuration

Again, open /etc/rsyslog.conf on the receiving host and search for these lines:

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

To enable listening for remote hosts, simply uncomment the 2 lines. I also recommend writing each client host to its own log file, as it is easier to maintain and troubleshoot:

$ModLoad imtcp
$InputTCPServerRun 514
:FROMHOST-IP, isequal, "192.168.0.101" /var/log/rhel6.log
& ~

The above lines configure the host to listen for remote logs on port 514 TCP. In addition, everything arriving from 192.168.0.101 (the client rhel6) is stored in a separate file, and the "& ~" line discards the message once it has been written there (the default is to store all logs, both local and remote, in /var/log/messages). For this to work the two filter lines must be placed above the default rules in the RULES section, i.e. before the "*.info;mail.none;..." rule for /var/log/messages: rules are evaluated top to bottom, and "& ~" only stops the rules that come after it, so a filter placed at the end of the file would leave the client's messages in both files. Filtering on FROMHOST-IP rather than on the hostname inside the message is deliberate: the former is the TCP peer address as seen by the server, the latter is whatever the sender chose to write.

After modifying the configuration file, save it and restart the daemon as shown above. If there's a firewall configured on the receiving server, allow incoming TCP connections on port 514, e.g. by adding the following rule to /etc/sysconfig/iptables above the final REJECT line and restarting iptables (adding -s 192.168.0.101 to restrict the listener to the known client is a sensible tightening):

-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
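The same client and server changes, applied with a script rather than by hand, as an added example that is not code from the original post. It edits an rsyslog.conf in place using the legacy rsyslog 5 directive syntax shipped on RHEL6/CentOS6, is safe to re-run, and inserts the server-side filter above the stock rules so the "& ~" discard actually takes effect. The sample configuration it is demonstrated against is a constructed stand-in for the relevant fragments of the stock file, not the real one; the IPs and the per-client log file are the post's lab values, and running both functions against one file is only for the demonstration (on real hosts the client function runs on rhel6 and the server function on centos6).

```shell
#!/bin/bash
# Added example (not from the original post): apply the howto's client and
# server changes to an rsyslog.conf in place, idempotently, using the legacy
# (rsyslog 5) directive syntax of RHEL6/CentOS6. Assumptions: the file has
# the stock "#### RULES ####" section header; the values are the post's lab.
set -eu

# Client: uncomment the spool-queue directives and the forwarding rule.
# A directive is rewritten only while it is still commented out, and the
# trailing "# ..." comment of the stock file is dropped to leave a clean value.
configure_client() {
    local conf="$1" server="$2" port="${3:-514}" d
    for d in WorkDirectory ActionQueueFileName ActionQueueMaxDiskSpace \
             ActionQueueSaveOnShutdown ActionQueueType ActionResumeRetryCount; do
        # "#$Directive value  # comment"  ->  "$Directive value"
        sed -i "s/^#\(\\\$$d\) *\([^ #]*\).*/\1 \2/" "$conf"
    done
    # "@@" selects TCP; a single "@" would be UDP, which loses messages silently.
    if grep -q '^#*\*\.\* @@' "$conf"; then
        sed -i "s|^#*\*\.\* @@.*|*.* @@${server}:${port}|" "$conf"
    else
        printf '*.* @@%s:%s\n' "$server" "$port" >> "$conf"
    fi
}

# Server: load imtcp, listen on the port, and route one client's messages to
# its own file. The filter and its "& ~" discard must sit ABOVE the stock
# rules, otherwise "*.info;... /var/log/messages" has already fired and the
# client's lines land in both files, so the block goes in before RULES.
configure_server() {
    local conf="$1" client_ip="$2" logfile="$3" port="${4:-514}" block
    # Remove the block from a previous run, and disable any stock listener
    # lines an admin may have uncommented, so the module is loaded exactly once.
    sed -i '/^# BEGIN remote-reception/,/^# END remote-reception/d' "$conf"
    sed -i -e 's/^\$ModLoad imtcp/#&/' -e 's/^\$InputTCPServerRun /#&/' "$conf"
    block=$(printf '%s\n' \
        '# BEGIN remote-reception' \
        '$ModLoad imtcp' \
        "\$InputTCPServerRun $port" \
        ":FROMHOST-IP, isequal, \"$client_ip\" $logfile" \
        '& ~' \
        '# END remote-reception')
    # Insert before the RULES header; append if the header is missing.
    awk -v block="$block" \
        '/^#### RULES ####/ && !done { print block; done = 1 } { print }
         END { if (!done) print block }' "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Syntax-check a config file without restarting the daemon.
check_config() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not installed here, skipping config check" >&2
    fi
}

# Constructed stand-in for the fragments of the stock RHEL6 /etc/rsyslog.conf
# that this script touches; it is not the real file.
write_sample_conf() {
    cat > "$1" <<'EOF'
#### MODULES ####
$ModLoad imuxsock
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### RULES ####
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# ### begin forwarding rule ###
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
#*.* @@remote-host:514
# ### end of the forwarding rule ###
EOF
}

# Demonstration on a scratch copy; on the real hosts pass /etc/rsyslog.conf.
demo() {
    local c
    c=$(mktemp)
    write_sample_conf "$c"
    configure_client "$c" 192.168.0.105                      # on rhel6
    configure_server "$c" 192.168.0.101 /var/log/rhel6.log   # on centos6
    cat "$c"
    rm -f "$c"
}
demo
```

After applying the changes on each host, run check_config /etc/rsyslog.conf, restart rsyslog, then send a test message from the client with "logger -t remotetest hello" and confirm it appears in /var/log/rhel6.log on the server and nowhere else.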

That’s it, hope it helps. Cheers.

