Remote logging is a feature supported by rsyslog, the default syslog daemon in RHEL6 / CentOS 6. Having the local log files stored on a remote system is good practice, as it protects the logs' integrity in case of a local attack: an attacker who gains control of the host cannot alter or delete the copies already sent to the log server.
With the default rsyslog RHEL6 configuration it is really easy to enable remote logging; most configuration options are already in place and just need to be uncommented. Here's how I did it with 2 hosts:
- the client, hostname rhel6 (192.168.0.101), running RHEL 6.3: this host will be configured to send its logs to the server
- the server, hostname centos6 (192.168.0.105), running CentOS 6.4: this host will be configured to receive the logs from the client
Open up /etc/rsyslog.conf with your preferred text editor and scroll to the bottom section starting with “begin forwarding rule”. You will see something similar to this:
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
While it is enough to uncomment and configure the last line, which defines the remote host, it is recommended to uncomment all the statements above it as well, to enable the queueing features.
These features are particularly useful when the remote host is not reachable. By enabling them, rsyslog will create a spool queue on the local system (in /var/lib/rsyslog) and will keep trying to access the remote host until it becomes responsive, at which point it will send out the entire queue. You can alter the configuration above to choose a different path or the maximum disk space to use.
After modifying the file, save it and restart the daemon:
/sbin/service rsyslog restart
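A line left commented out silently keeps the default, so it is worth checking the edited section before trusting it. The following audit script is an added example, not code from the original post or from rsyslog: it parses the legacy $Directive syntax of this block and the forwarding rule, and reports queue settings that are missing and any rule still using UDP. The forwarding rule `*.* @@192.168.0.105:514` in the sample is an assumption, since the post does not show that line.

```python
"""Audit the forwarding section of an rsyslog.conf; added example, not the post's code."""
import re

# Constructed sample: the post's block after uncommenting, plus a TCP (@@) rule to
# the server 192.168.0.105 (the post does not show the rule itself; this is assumed).
HARDENED_CONF = """\
$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
*.* @@192.168.0.105:514
"""
# Constructed sample: queue directives still commented out, UDP (@) forwarding.
WEAK_CONF = "#$ActionQueueFileName fwdRule1\n#$ActionQueueType LinkedList\n*.* @192.168.0.105\n"

DIRECTIVE = re.compile(r"^\$(\w+)\s+(\S+)")          # legacy "$Name value" syntax
FORWARD = re.compile(r"^(\S+)\s+(@@?)([^\s:]+)(?::(\d+))?$")  # "selector @[@]host[:port]"
# Queue settings the post has you uncomment. Without them, messages produced while the
# server is unreachable are dropped instead of spooled; None means any value is fine.
REQUIRED = {"ActionQueueFileName": None, "ActionQueueType": "LinkedList",
            "ActionQueueSaveOnShutdown": "on", "ActionResumeRetryCount": "-1"}

def parse_forwarding(conf):
    """Return (directives, targets); text after '#' is a comment, so a commented line yields nothing."""
    directives, targets = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := DIRECTIVE.match(line):
            directives[m.group(1)] = m.group(2)
        elif m := FORWARD.match(line):
            targets.append({"selector": m.group(1), "tcp": m.group(2) == "@@",
                            "host": m.group(3), "port": int(m.group(4) or 514)})
    return directives, targets

def audit_forwarding(conf):
    """Return a list of findings; an empty list means the section looks sound."""
    directives, targets = parse_forwarding(conf)
    findings = []
    if not targets:
        findings.append("no active forwarding rule: logs never leave this host")
    for t in targets:
        if not t["tcp"]:  # UDP is fire-and-forget: a lost datagram is never retried
            findings.append("%s -> %s uses UDP (@); use @@ for TCP" % (t["selector"], t["host"]))
    for key, wanted in REQUIRED.items():
        got = directives.get(key)
        if got is None or (wanted is not None and got != wanted):
            findings.append("$%s missing or not %s (found %r)" % (key, wanted or "set", got))
    return findings
```

Run it against the real file with `audit_forwarding(open("/etc/rsyslog.conf").read())`; the unmodified RHEL6 default yields findings for every item, because all of the relevant lines are still commented out.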
Next, open /etc/rsyslog.conf on the receiving host (centos6) and search for these lines:
# Provides TCP syslog reception
To enable listening for remote hosts, simply uncomment the 2 lines that follow it. I also recommend specifying a separate log file for the client host, as it is easier to maintain and troubleshoot:
:FROMHOST-IP, isequal, "192.168.0.101" /var/log/rhel6.log
The above lines will configure the host to listen for remote logs coming in through port 514 TCP. In addition, all remote logs coming from 192.168.0.101 (which is the client rhel6) will be stored in a separate file (the default is to store all logs, both local and remote, to /var/log/messages).
After modifying the configuration file, save it and restart the daemon as shown above. If there's a firewall configured on the server, modify it to allow incoming TCP connections on port 514, e.g. with this iptables rule:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
That’s it, hope it helps. Cheers.