How to configure syslog Log Server in Linux and Log Files

syslog Log Server

1. What is log server?

A log server is a central log-monitoring point on a network, to which all kinds of devices, including Linux or Windows servers, routers, switches or any other hosts, can send their logs over the network. By setting up a log server you can filter and consolidate logs from different hosts and devices into a single location, so that you can view and archive important log messages more easily. It also means that an attacker who compromises one host cannot simply delete the evidence of what they did there, because a copy of the log has already left the machine.

On most Linux distributions, rsyslog is the standard syslog daemon and comes pre-installed. It is built for a client/server architecture and can play both roles: as a syslog server it gathers logs from other devices, and as a syslog client it transmits the local system's logs to a remote syslog server.


When logs are collected with the syslog mechanism, three things must be taken into consideration:

● Facility: which part of the system produced the message (for example auth, authpriv, cron, daemon, kern, mail, or local0 to local7)

● Severity (priority): how important the message is, from emerg (0) down to debug (7)

● Destination: where to send or record the log messages (a local file, a remote host, or both)

2. What is the profile of the log server?

This is also called the rsyslog server. The requirements are given below.

(i) Package : rsyslog

(ii) Daemon : rsyslog (service name; the binary is rsyslogd)

(iii) Port No. : 514 (UDP and/or TCP; rsyslog listens on neither until the matching input module is enabled in the configuration)

(iv) Configuration file : /etc/rsyslog.conf (drop-in files under /etc/rsyslog.d/ are included from it)

3. How to configure the log server?

(i) Install the rsyslog package.

# yum install rsyslog -y 

(ii) Open the log server configuration file and edit it as per requirements.

# vim /etc/rsyslog.conf 

In the MODULES section near the top of the file, uncomment the two lines that load the UDP input module (imudp) and start the UDP listener on port 514; in the stock RHEL 6 and RHEL 7 file these are lines 15 and 16. If clients will forward over TCP, also uncomment the two lines a few lines below them that load the TCP input module (imtcp) and start its listener on port 514. Search for imudp and imtcp rather than relying on the line numbers, which differ between versions. TCP is the better choice: UDP delivery is unacknowledged, so messages are silently lost under load, and a UDP source address is trivially forged. (Save and exit this file.)

(iii) Enable the server to start at boot and restart the log server daemon.

In RHEL 6
    # service rsyslog restart
    # chkconfig rsyslog on
    
In RHEL 7
    # systemctl restart rsyslog 
    # systemctl enable rsyslog

(iv) Verify whether the log server is listening or not. netstat needs the net-tools package, which is not installed by default on RHEL 7 and later; ss is always available.

# ss -ntulp | grep ':514 '

# netstat -ntulp | grep ':514 '

(v) Allow the log server port through the firewall.

In RHEL 6

Add the incoming TCP port to iptables in RHEL 6

# iptables -A INPUT -p tcp -m tcp --dport 514 -j ACCEPT  

Add the incoming UDP port to iptables in RHEL 6

# iptables -A INPUT -p udp -m udp --dport 514 -j ACCEPT 

The two OUTPUT rules below are only needed if this host also forwards its own logs to another log server and its OUTPUT chain does not already accept everything; a plain log server does not need them.

# iptables -A OUTPUT -p tcp -m tcp --dport 514 -j ACCEPT 

# iptables -A OUTPUT -p udp -m udp --dport 514 -j ACCEPT  

Rules added with -A are lost on reboot unless you save them afterwards (service iptables save). Also note that -A appends: the default RHEL 6 INPUT chain ends in a REJECT rule, so a rule appended after it never matches; use -I to insert the rule ahead of the reject in that case.

In RHEL 7 and RHEL 8

Add the 514 TCP port to the firewall

# firewall-cmd --permanent --add-port=514/tcp 

Add the 514 UDP port to the firewall

# firewall-cmd --permanent --add-port=514/udp

Reload the firewall configuration

# firewall-cmd --reload

Open only the protocol you actually enabled in rsyslog.conf, and keep the port reachable from the client subnet or management network only: anyone who can reach port 514 can inject forged log lines, and with UDP they can do so from a spoofed source address.
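The steps above leave the listener open to every host and route received messages through the same rules as local ones. The script below is an added example, not part of the original article, of how a practitioner would finish the server side instead: it generates an rsyslog drop-in that listens on 514/tcp, writes each sending host's messages to its own file under /var/log/remote/, checks the syntax with rsyslogd before installing it, and opens the port only for a trusted subnet. It assumes rsyslog 7 or later (RainerScript syntax), a RHEL-style /etc/rsyslog.d/ directory, firewalld, and a hypothetical client subnet of 172.25.9.0/24; the file name 10-remote.conf and the RemoteLogs template name are choices made here, not rsyslog defaults.

```bash
# Added example (not from the original article): rsyslog server drop-in with a
# per-host destination, syntax check and a source-restricted firewall rule.
# Assumptions: rsyslog 7+ syntax, /etc/rsyslog.d/, firewalld, trusted subnet
# 172.25.9.0/24 (hypothetical). Nothing is installed unless RUN_INSTALL=1 as root.

TRUSTED_NET="${TRUSTED_NET:-172.25.9.0/24}"     # assumption: subnet allowed to send logs
SRV_CONF="${SRV_CONF:-/etc/rsyslog.d/10-remote.conf}"   # drop-in included by rsyslog.conf

# Print the server configuration. Received messages are bound to their own
# ruleset, so the default ruleset (local logging) never sees them.
gen_server_conf() {
    cat <<'EOF'
# Receive syslog over TCP; UDP drops messages silently under load and is
# trivially spoofable, so it is left disabled here.
module(load="imtcp")

# One file per sending host and program. secpath-replace turns any "/" in the
# sender-supplied hostname or program name into "_", so a hostile client
# cannot steer the file name out of /var/log/remote/.
template(name="RemoteLogs" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0750" fileCreateMode="0640")
}

# Bind the listener to that ruleset only.
input(type="imtcp" port="514" ruleset="remote")
EOF
}

# Count the directives a generated file must contain (sanity check before install).
count_required() {
    grep -c -E 'module\(load="imtcp"\)|port="514" ruleset="remote"|dynaFile="RemoteLogs"' "$1"
}

install_server_conf() {
    tmp=$(mktemp)
    gen_server_conf > "$tmp"
    # rsyslogd -N1 parses the configuration and exits without starting the daemon.
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$tmp" || { echo "config check failed" >&2; rm -f "$tmp"; return 1; }
    fi
    install -m 0644 "$tmp" "$SRV_CONF"
    rm -f "$tmp"
    systemctl restart rsyslog
    # Open 514/tcp for the trusted subnet only, not for everyone.
    firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$TRUSTED_NET\" port port=\"514\" protocol=\"tcp\" accept"
    firewall-cmd --reload
    # Confirm the daemon is really listening on 514/tcp.
    ss -ntlp | grep -q ':514 '
}

if [ "${RUN_INSTALL:-0}" = "1" ] && [ "$(id -u)" -eq 0 ]; then
    install_server_conf
fi
```

The hostname in the file path is still chosen by the sender, which is why the firewall rule limits who can reach the listener at all; on a server that must accept logs from untrusted networks, add TLS with client certificates on top (rsyslog's gtls driver) rather than trusting the source address.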

4. How to configure the client system to send log messages to the log server?

(i) Open the rsyslog configuration file on the client.

# vim /etc/rsyslog.conf  

(ii) Go to the RULES section near the end of the file (around line 90 in the stock file) and add a forwarding rule of the following form, with no spaces between the @, the address and the port.

*.* @<log server IP address>:514

Example : *.* @172.25.9.11:514 (save and exit this file)

A single @ forwards over UDP; @@ forwards over TCP, which is reliable and is the one to use if you enabled imtcp on the server. Client and server must agree on the protocol, or nothing arrives. *.* sends every facility at every priority; a selector such as authpriv.* would forward only the authentication messages.

(iii) Restart the rsyslog daemon on the client in RHEL 6, RHEL 7 and RHEL 8.

In RHEL 6
# service rsyslog restart
# chkconfig rsyslog on 
In RHEL 7 and RHEL 8
# systemctl restart rsyslog
# systemctl enable rsyslog

* By default the server applies the same rules to received messages as to its own, so most of a client's messages land in /var/log/messages and its authentication messages (authpriv facility) in /var/log/secure, each line carrying the client's hostname.

* To watch the authentication messages arriving on the server:

# tail -f /var/log/secure

(tailf works on RHEL 6 and RHEL 7 but was removed from util-linux and is not available on RHEL 8.)

* To store every message the server sees in a single file, open /etc/rsyslog.conf on the server and add the rule below. Be aware that this puts the server's own logs and every client's logs into one file, which grows quickly and mixes untrusted remote content into a file that local tools read; a per-host destination (an omfile template keyed on the sender's hostname, bound to a ruleset for the remote input) is the usual production choice.

# vim /etc/rsyslog.conf
	
    *.* /var/log/secure
    
    (save and exit this file)

* Then restart the rsyslog daemon in RHEL 6, RHEL 7 and RHEL 8.

In RHEL 6
# service rsyslog restart 
In RHEL 7 and RHEL 8
# systemctl restart rsyslog
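The client side above is a single line whose transport is easy to get wrong. The script below is an added example, not part of the original article, that makes the choice explicit: it translates the legacy "*.* @host:port" shorthand into an equivalent omfwd action (so UDP versus TCP is visible), generates a TCP forwarding rule with a disk-assisted queue so messages are held locally while the server is unreachable, and sends a tagged test message with logger that can be grepped for on the server. It assumes rsyslog 7 or later, the hypothetical log server 172.25.9.11 from the article, a drop-in file name 90-forward.conf chosen here, and that /etc/rsyslog.conf already sets a work directory for queue files (RHEL sets /var/lib/rsyslog).

```bash
# Added example (not from the original article): client-side forwarding rule
# with explicit transport and a disk-assisted queue.
# Assumptions: rsyslog 7+ syntax, log server 172.25.9.11 (hypothetical),
# $WorkDirectory set in /etc/rsyslog.conf. Nothing is installed unless
# RUN_INSTALL=1 as root.

LOG_SERVER="${LOG_SERVER:-172.25.9.11}"                  # assumption: the log server
FWD_CONF="${FWD_CONF:-/etc/rsyslog.d/90-forward.conf}"   # drop-in name chosen here

# Legacy shorthand: "@host[:port]" forwards over UDP, "@@host[:port]" over TCP.
# Print the equivalent omfwd action so the transport choice is spelled out.
legacy_to_omfwd() {
    case "$1" in
        @@*) proto=tcp; hostport="${1#@@}" ;;
        @*)  proto=udp; hostport="${1#@}" ;;
        *)   echo "not a forwarding target: $1" >&2; return 1 ;;
    esac
    host="${hostport%%:*}"
    port="${hostport#*:}"
    if [ "$port" = "$hostport" ]; then port=514; fi   # no port given: syslog default
    printf 'action(type="omfwd" target="%s" port="%s" protocol="%s")\n' "$host" "$port" "$proto"
}

# Forward everything over TCP with a disk-assisted queue: if the server is down
# or the client reboots, queued messages are kept on disk instead of dropped,
# which a plain "@" UDP rule would do silently.
gen_client_conf() {
    cat <<EOF
*.* action(type="omfwd" target="$1" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_q"
           queue.maxDiskSpace="100m" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
EOF
}

# Write the drop-in, restart rsyslog and emit a tagged test message whose
# nonce can then be searched for on the server (e.g. under /var/log/remote/).
install_client_conf() {
    gen_client_conf "$LOG_SERVER" > "$FWD_CONF"
    systemctl restart rsyslog
    nonce="$(date +%s)-$$"
    logger -t fwdtest "forwarding check $nonce"
    echo "sent nonce $nonce; on $LOG_SERVER run: grep -r \"$nonce\" /var/log/"
}

if [ "${RUN_INSTALL:-0}" = "1" ] && [ "$(id -u)" -eq 0 ]; then
    install_client_conf
fi
```

If the nonce never shows up on the server, check in this order: the server is listening on the same protocol (ss -ntlp on the server), the firewall on the server admits the client, and the client's queue is not stuck (rsyslog logs queue problems to /var/log/messages on the client).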

5. What is a log file?

A log file is a file that contains messages about the system, including the kernel, the services and the applications running on it. There are different log files for different kinds of information. These files are very useful when troubleshooting a problem with a system, and they are the primary evidence during an incident investigation.

Almost all log files are stored under the /var/log directory. Most of them are readable only by root. The text files can be read with less or more; binary files such as wtmp and lastlog need their own tools. The text files are written by rsyslog, so if the rsyslog service is not running, syslog messages are not written to them (on RHEL 7 and later, journald still keeps the messages in its own journal, which journalctl reads).

The different types of log files and their locations:

/var/log/messages -----> System and general messages, including kernel and DHCP messages.

/var/log/authlog -----> Authentication log messages on some other Unix systems; RHEL does not have this file and uses /var/log/secure instead.

/var/log/secure -----> Security and authentication messages (sshd, sudo, su, PAM).

/var/log/maillog -----> Mail server log messages.

/var/log/cron -----> Cron job log messages.

/var/log/boot.log -----> Boot-time service start-up messages.

/var/log/httpd/ -----> Apache web server log files (access_log, error_log).

/var/log/mysqld.log -----> MySQL database server log messages (MariaDB on RHEL 7 and later logs to /var/log/mariadb/mariadb.log).

/var/run/utmp and /var/log/wtmp -----> Current logins and login history; binary files, read with who and last.

/var/log/qmail -----> Qmail log messages (only when qmail is installed).

/var/log/kernel.log -----> Kernel log messages on some distributions; on RHEL the kern facility goes to /var/log/messages and the kernel ring buffer is read with dmesg.

/var/log/samba/ -----> Samba server log files.

/var/log/anaconda.log -----> Linux installation log messages (a /var/log/anaconda/ directory on RHEL 7 and later).

/var/log/lastlog -----> Most recent login of every user; binary, read with lastlog.

/var/log/yum.log -----> Package install, update and removal history written by yum (dnf on RHEL 8 writes /var/log/dnf.log and /var/log/dnf.rpm.log).

/var/log/cups/ -----> Printer and printing related log files.

/var/log/ntpstats/ -----> ntpd statistics files when statistics logging is enabled (chronyd on RHEL 7 and later logs under /var/log/chrony/).

/var/log/spooler -----> Critical messages from the uucp and news facilities.

/var/log/sssd/ -----> System Security Services Daemon log files.

/var/log/audit/audit.log -----> Audit daemon records, including SELinux AVC denials.

Some useful commands to check the logs

To see the contents of the /var/log/lastlog file

# lastlog

To see the kernel ring buffer, which holds the boot-time kernel messages

# dmesg

To check or watch a log file continuously (tailf is not available on RHEL 8)

# tail -f /var/log/secure

We can change the default destinations of log messages

# vim /etc/rsyslog.conf

  • Whenever we change the contents of the /etc/rsyslog.conf file, we have to restart the rsyslog service.
  • There are 8 priority (severity) levels: emerg, alert, crit, err, warning, notice, info and debug. We can change the default destination for any facility and priority. For that, open the rsyslog configuration file and enter a rule of the following form. A priority selects that level and everything more severe; prefix it with = to match only that level, and use none to exclude a facility.
  • # vim /etc/rsyslog.conf 
        
        <facility>.<priority> <new destination of the log messages> (save and exit this file)

    To write a test message (it lands in /var/log/messages, which confirms that the logging service is running)

    # logger <type any text>

    To rotate the log files (normally run daily by cron; /etc/logrotate.conf and /etc/logrotate.d/ control which files are rotated and how many dated copies are kept)

    # logrotate /etc/logrotate.conf

  • Generally the fields in a log message are:
  • Date & Time : hostname that generated the message : program name (with the PID in brackets) : the message text
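The field layout just described is what makes a log file machine-readable. As an added example that is not part of the original article, the script below splits /var/log/secure-style lines into those fields and runs a small detection over them: it counts failed SSH password attempts per source address and flags addresses at or above a threshold, matching only on the sshd program field so that user-controlled text in some other program's message cannot produce a false hit. The sample lines are constructed for the example (hostname web01, documentation-range addresses); they are not real log data.

```bash
# Added example (not from the original article): parse /var/log/secure-style
# lines into timestamp / host / program / message and count failed SSH logins
# per source address. Sample data below is constructed, not captured.

# Write constructed sample lines in /var/log/secure format to the given file.
write_sample_secure() {
    cat > "$1" <<'EOF'
Mar  3 10:12:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:12:04 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:12:09 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2: RSA SHA256:c2FtcGxl
Mar  3 10:12:15 web01 sshd[2215]: Failed password for root from 198.51.100.9 port 40100 ssh2
Mar  3 10:12:20 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart rsyslog
EOF
}

# Print "<count> <ip>" per source address of failed password attempts, most
# frequent first. Only lines whose program field is sshd[<pid>]: are
# considered, so "Failed password" inside another program's message text
# (for example a sudo COMMAND= value) cannot inject a hit.
failed_logins_by_ip() {
    awk '$5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Failed" && $7 == "password" {
             for (i = 8; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print the addresses whose failure count is at or above the threshold.
flag_bruteforce() {
    failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Split one line into the fields described in the article:
# timestamp | host | program[pid] | message
split_fields() {
    printf '%s\n' "$1" | awk '{
        ts = $1 " " $2 " " $3; host = $4; prog = $5; sub(/:$/, "", prog)
        msg = ""; for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
        print ts "|" host "|" prog "|" msg
    }'
}
```

To run it against a real file, call failed_logins_by_ip /var/log/secure (as root) or flag_bruteforce /var/log/secure 10; on a log server that keeps one file per client host, loop over those files instead. The syslog timestamp carries no year and no time zone, which is one reason to prefer the RFC 5424 format or journald export when logs are correlated across hosts.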

    To install the tmpwatch package to run the command below (RHEL 6 and RHEL 7; RHEL 8 replaces it with systemd-tmpfiles)

    # yum install tmpwatch -y 

    To remove files under /tmp that have not been accessed for the given number of hours (240 here)

    # tmpwatch 240 /tmp

    To get a summary report of the log messages (the logwatch package)

    # logwatch 

    To install the package that provides the watch command (procps-ng on RHEL 7 and later, procps on RHEL 6)

    # yum install procps-ng -y 

    To re-run the specified command periodically and show its output continuously

    # watch <command>

    To set the permissions of a directory while creating it

    # mkdir -m 755 /ram 

    To read the systemd journal, optionally only between two points in time (RHEL 7 and later)

    # journalctl --since "<start time>" --until "<end time>"

  • The journal is kept in /run/log/journal, which is on a tmpfs file system, i.e. if the system is rebooted all the information in that location is erased. Create the /var/log/journal directory and restart systemd-journald to make the journal persistent.
Jay

    I love keeping up with the latest tech trends and emerging technologies like Linux, Azure, AWS, GCP, and other cutting-edge systems. With experience working with various technology tools and platforms, I enjoy sharing my knowledge through writing. I have a talent for simplifying complex technical concepts to make my articles accessible to all readers. Always looking for fresh ideas, I enjoy the challenge of presenting technical information in engaging ways. My ultimate aim is to help readers stay informed and empowered on their tech journeys.
