How to configure remote logging on RHEL6/CentOS6
Remote logging is a feature supported by rsyslog, the default syslog daemon in RHEL6 / CentOS 6. Storing copies of the local log files on a remote system is good practice, as it protects the integrity of the logs in case of a local attack.
With the default rsyslog configuration on RHEL6 it is really easy to enable remote logging: most of the configuration options are already in place and just need to be uncommented. Here is how I did it with two hosts:
- the client, hostname rhel6 (192.168.0.101), runs RHEL 6.3 -> this host will be configured to send its logs to the remote server
- the server, hostname centos6 (192.168.0.105), runs CentOS 6.4 -> this host will be configured to receive the logs from the client
Client configuration
Open up /etc/rsyslog.conf with your preferred text editor and scroll to the bottom section starting with “begin forwarding rule”. You will see something similar to this:
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
While uncommenting and configuring only the last line (to set the remote IP address) is enough, I recommend uncommenting all of the statements to enable the additional features:
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 2g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@192.168.0.105:514
These features are particularly useful when the remote host is not reachable. With them enabled, rsyslog creates a spool queue on the local system (in /var/lib/rsyslog) and keeps trying to reach the remote host until it becomes responsive, at which point it sends out the entire queue. You can alter the configuration above to choose a different spool path or a different maximum disk space.
After modifying the file, save it and restart the daemon:
/sbin/service rsyslog restart
Server configuration
Again, open /etc/rsyslog.conf on the receiving host and search for these lines:
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
To enable listening for remote hosts, simply uncomment the two lines. I also recommend writing the client host's logs to a separate log file, as it is easier to maintain and troubleshoot.
$ModLoad imtcp
$InputTCPServerRun 514
:FROMHOST-IP, isequal, "192.168.0.101" /var/log/rhel6.log
& ~
The above lines configure the host to listen for remote logs arriving on TCP port 514. In addition, all remote logs coming from 192.168.0.101 (the client rhel6) are stored in a separate file; the "& ~" line that follows discards each message once it has been written there, so the later rules do not write it again (by default all logs, both local and remote, go to /var/log/messages).
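To see how the FROMHOST-IP filter and the "& ~" discard line interact, and how the same pattern extends to several client hosts, here is an added Python example (not part of the original post) that simulates rsyslog's top-to-bottom rule evaluation over a constructed config fragment and constructed sample messages. The second client 192.168.0.102, the file name server2.log and the sample log lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed server-side rsyslog fragment (RHEL6/CentOS6 legacy syntax): each
# FROMHOST-IP rule writes to a per-host file and the "& ~" that follows discards
# the message so the catch-all /var/log/messages rule below never sees it.
SERVER_RULES = """
:FROMHOST-IP, isequal, "192.168.0.101" /var/log/rhel6.log
& ~
:FROMHOST-IP, isequal, "192.168.0.102" /var/log/server2.log
& ~
*.info;mail.none;authpriv.none;cron.none /var/log/messages
"""
FILTER_RE = re.compile(r'^:FROMHOST-IP,\s*isequal,\s*"([^"]+)"\s+(\S+)$')

def parse_rules(text):
    """Return (source_ip, target) pairs; ip None = any host, target '~' = discard."""
    rules, last_ip = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FILTER_RE.match(line)
        if m:
            last_ip, target = m.groups()
            rules.append((last_ip, target))
        elif line.startswith("&"):
            rules.append((last_ip, line[1:].strip()))  # '&' reuses the last filter
        else:
            last_ip = None  # facility/priority selector, treated as a catch-all here
            rules.append((None, line.split()[-1]))
    return rules

def route(rules, messages):
    """Simulate rsyslog's top-to-bottom evaluation for (source_ip, message) pairs."""
    files = defaultdict(list)
    for src_ip, msg in messages:
        for ip, target in rules:
            if ip is not None and ip != src_ip:
                continue
            if target == "~":
                break  # discard: no later rule sees this message
            files[target].append(msg)
    return dict(files)

SAMPLE = [  # constructed traffic: two remote clients plus one local message
    ("192.168.0.101", "rhel6 sshd[1200]: Accepted publickey for admin"),
    ("192.168.0.102", "server2 sudo: bob : COMMAND=/bin/bash"),
    ("127.0.0.1", "centos6 kernel: Kernel logging (proc) started."),
]
```

Running `route(parse_rules(SERVER_RULES), SAMPLE)` puts each client's message only in its own file; removing the "& ~" lines makes every remote message show up in /var/log/messages as well.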
After modifying the configuration file, save it and restart the daemon as shown above. If there is a firewall configured on the server, modify it to allow incoming TCP connections on port 514, e.g. with an iptables rule such as:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
That’s it, hope it helps. Cheers.
Followed your instructions and set up a remote rsyslog server for my Cisco routers and it worked wonderfully on CentOS 6! (except I opted for UDP vs. TCP)
Thank you,
Rob McKennon
Cool, glad it worked ;)
Hi, I saw your reply on the forum. You configured UDP. I need to know if there is any firewall rule needed on the client side to talk to the log server.
Hello, I have done my configuration on my VBox system. It worked for the server side system, but when I go to restart the rsyslog service on my client system I get the error below. Can someone please help me know exactly what it is, with a description?
Both my client and server are RHEL6 64 bit.
[root@server1 ~]# service rsyslog restart
Shutting down system logger: [FAILED]
Starting system logger: usage: rsyslogd [-c] [-46AdnqQvwx] [-l] [-s]
[-f] [-i] [-N] [-M]
[-u]
To run rsyslogd in native mode, use "rsyslogd -c3"
For further information see http://www.rsyslog.com/doc
[FAILED]
Did you modify any other files? What is the output of these commands:
Also getting these logs on the server side:
2013-10-11T10:57:57+05:08 server1 kernel: Kernel logging (proc) stopped.
2013-10-11T10:57:57+05:08 server1 rsyslogd: [origin software="rsyslogd" swVersion="4.6.2" x-pid="2063" x-info="http://www.rsyslog.com"] exiting on signal 15.
Hi,
Below is the output from my client system:
[root@server1 ~]# rpm -V rsyslog
S.5....T. c /etc/rsyslog.conf
S.5....T. c /etc/sysconfig/rsyslog
[root@server1 ~]#
[root@server1 ~]# grep -v "#" /etc/sysconfig/rsyslog
SYSLOGD_OPTIONS="-c -r 2"
[root@server1 ~]#
And below is the information about my syslog server:
[root@server2 log]# rpm -V rsyslog
S.5....T. c /etc/rsyslog.conf
[root@server2 log]# grep -v "#" /etc/sysconfig/rsyslog
SYSLOGD_OPTIONS="-c 4"
[root@server2 log]#
Please explain in detail.
Thanks
Shridhar
rsyslog is very complex, there are many options to configure it as you can find in the documentation. I did the howto based on the default RHEL6/CentOS6 rsyslog configuration and the only changes I made are those described above. As per the output from your client machine, I can see you modified /etc/sysconfig/rsyslog to make the daemon run in compatibility mode. That could explain why the service isn’t starting, so revert back to the default which is:
Hi,
I resolved my issue by changing the settings below in /etc/sysconfig/rsyslog.
I changed the client side (Server1) system configuration from
SYSLOGD_OPTIONS="-c -r 2" to SYSLOGD_OPTIONS="-c 4"
———————————
Server configuration:
[root@server2 log]# rpm -V rsyslog
S.5....T. c /etc/rsyslog.conf
[root@server2 log]# grep -v "#" /etc/sysconfig/rsyslog
SYSLOGD_OPTIONS="-c 4"
Client configuration:
[root@server1 ~]# rpm -V rsyslog
S.5....T. c /etc/rsyslog.conf
.......T. c /etc/sysconfig/rsyslog
[root@server1 ~]# grep -v "#" /etc/sysconfig/rsyslog
SYSLOGD_OPTIONS="-c 4"
————————–
But what is the difference between -c 5 and -c 4?
Thank You
Shridhar
“-c” stands for compatibility mode. RHEL6 and CentOS6 ship with rsyslog v5, hence the default compatibility mode in /etc/sysconfig/rsyslog is “-c 5”. There are many changes between v5 and v4 since they are major releases, you can check the project website for details.
Dear admin,
Thx for this useful guide, I've been following your guide and it works like a charm. I'm using CentOS 5 as a client, and installed rsyslog5 with yum:
# yum install rsyslog5 rsyslog5-gnutls
It works perfectly.
But a tiny question: what if I have multiple clients inside the network?
This line:
:FROMHOST-IP, isequal, "192.168.0.101" /var/log/rhel6.log
Can I use that line to serve other clients? Like this:
:FROMHOST-IP, isequal, "192.168.0.101" /var/log/rhel6.log
:FROMHOST-IP, isequal, "192.168.0.102" /var/log/server2.log
Thx.
@semoetz: Yes, that should work, see more details here and some other filters and compare operations here.
Thx admin,
It works very well on my virtual lab and I have already posted this topic on my own blog with a few changes to match my lab. :D
Thanks for the post.
I have one question. What if I have thousands of log files on the remote servers and they all need to be sent to the central log server? How do I put them in different log files on the central server for debugging purposes?
Hi,
I tried your instructions but the logs are still going to /var/log/messages instead of the defined location.
@Rahul: Did you restart rsyslog on the client? Is the server:port reachable? Are there any files in /var/lib/rsyslog?
Thanks, worked fine.