What is a log server?
A log server is a central log collection point on a network to which all types of devices, such as Linux or Windows servers, routers, switches, or any other hosts, can transmit their logs. Setting up a log server allows you to filter and aggregate logs from many hosts and devices in a single location, making it easier to read, search and preserve essential log messages. It also means that an attacker who compromises one host cannot simply delete that host's evidence, because a copy has already left the machine.
The standard syslog daemon that comes pre-installed on most Linux distributions is rsyslog. In a client/server design, rsyslog can fulfil both roles: as a syslog server it collects logs from other devices, and as a syslog client it forwards its own logs to a remote syslog server.
When logs are collected with the syslog mechanism, three things must be taken into consideration:
- Facility: which kind of process generated the message (for example kern, auth, mail, cron).
- Severity (priority): how important a message is, from debug up to emerg; it decides which messages are worth collecting.
- Destination: where to send or record the selected messages (a local file, or a remote server).
What is the profile of a log server?
This is also called an rsyslog server. The requirements are given below.
Package : rsyslog*
Daemon : rsyslog
Port No. : 514 (TCP and/or UDP)
Configuration file : /etc/rsyslog.conf
Setting a Centralized Log Server with Rsyslog
(i) Install the rsyslog package with the following command if it is not installed already.
# dnf install rsyslog* -y
(ii) Verify the installation.
[root@TechArticles ~]# rpm -q rsyslog
rsyslog-8.2102.0-7.el8.x86_64
(iii) Open the log server configuration file and edit it as required.
# vim /etc/rsyslog.conf
To receive logs over UDP, uncomment the following lines, then save and exit the file.
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
Please note: UDP has lower overhead than TCP, but delivery is not guaranteed; messages can be silently dropped under load or on a congested network, so prefer TCP where the clients support it. Neither transport encrypts or authenticates messages on its own; for untrusted networks rsyslog supports TLS on the TCP transport (see the rsyslog documentation).
To configure the Rsyslog daemon to bind and listen on a TCP socket on port 514, uncomment the following lines in the /etc/rsyslog.conf configuration file.
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
(iv) Enable the service to start at boot and restart the log server daemon.
# systemctl enable rsyslog
# systemctl restart rsyslog
(v) Verify whether the log server is listening or not.
[root@TechArticles ~]# netstat -ntulp | grep 514
tcp        0      0 0.0.0.0:514     0.0.0.0:*      LISTEN      2493/rsyslogd
tcp6       0      0 :::514          :::*           LISTEN      2493/rsyslogd
udp        0      0 0.0.0.0:514     0.0.0.0:*                  2493/rsyslogd
udp6       0      0 :::514          :::*                       2493/rsyslogd
[root@TechArticles ~]#
(vi) Now add the lines below to the /etc/rsyslog.conf configuration file to create a template for the received remote messages. This tells the local Rsyslog server where to save logs received from syslog clients.
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
Note: the template makes rsyslog write every received message into a file named after the remote application that generated it, inside a directory named after the client's hostname, under /var/log/ on the server's local filesystem.
Both the hostname and the program name are taken from the message itself, so the sending client decides what the directory and file are called; restrict which hosts may reach port 514 (see the firewall step below). Also note that the selector *.* matches the server's own messages too, so they are written under /var/log/<server hostname>/ as well, and remote messages still fall through to the default rules (for example /var/log/messages).
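As an added example (not code from the original article), the script below generates a drop-in file that replaces the $template and *.* lines above with a safer equivalent: the two inputs are bound to their own ruleset, so remote messages stay out of the default rules, and the property option secpath-replace strips slashes from the client-supplied hostname and program name, so a client cannot steer the file path. It assumes rsyslog 8 on RHEL 8 with the default include(file="/etc/rsyslog.d/*.conf") in /etc/rsyslog.conf, a base directory of /var/log/remote and a file name of 10-remote.conf (both assumptions), and that the four module(...)/input(...) lines uncommented in step (iii) are commented out again, because this file loads the modules and binds the ports itself.

```bash
#!/bin/sh
# Added example, not from the original article. Writes a drop-in that replaces
# the $template/*.* lines above: remote traffic gets its own ruleset and a
# path-safe template. Assumptions: rsyslog 8 on RHEL 8, /etc/rsyslog.conf still
# contains the default include(file="/etc/rsyslog.d/*.conf"), and the four
# module(...)/input(...) lines uncommented in step (iii) are commented out
# again, because this file loads the modules and binds the ports itself.
set -eu

# Print the drop-in. BASE (default /var/log/remote, assumed) is where client
# logs go. secpath-replace strips "/" from the client-supplied hostname and
# program name, so a client cannot steer the dynafile path with "../" or
# "/etc/...". Binding the inputs to the "remote" ruleset keeps remote messages
# out of the default rules (no duplicate copy in /var/log/messages) and keeps
# the server's own messages out of the per-host directories.
render_remote_conf() {
    base="${1:-/var/log/remote}"
    cat <<EOF
# 10-remote.conf: central syslog reception (generated by the added example)
module(load="imudp")
module(load="imtcp")

template(name="RemoteLogs" type="string"
         string="${base}/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
EOF
}

# Write the drop-in below ROOT (default "", i.e. the real /etc/rsyslog.d) and,
# when writing to the real system, let rsyslogd check the whole configuration
# (-N1) before you restart the service. Prints the path that was written.
write_remote_conf() {
    root="${1:-}"
    dir="${root}/etc/rsyslog.d"
    mkdir -p "$dir"
    render_remote_conf > "${dir}/10-remote.conf"
    chmod 0644 "${dir}/10-remote.conf"
    if [ -z "$root" ] && command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1
    fi
    echo "${dir}/10-remote.conf"
}

# Without --apply only print the configuration; with --apply install it.
case "${1:-}" in
    --apply) write_remote_conf ;;
    *)       render_remote_conf ;;
esac
```

Run it without arguments to review the generated configuration, then as root with --apply and follow with systemctl restart rsyslog. The 0750/0640 modes keep the collected logs readable by root only; widen them deliberately if a log-shipping or analysis account needs read access.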
(vii) Allow the log server service through the firewall.
Add TCP port 514 to the firewall:
# firewall-cmd --permanent --add-port=514/tcp
Add UDP port 514 to the firewall:
# firewall-cmd --permanent --add-port=514/udp
Reload the firewall configuration:
# firewall-cmd --reload
Note: the commands above allow access to port 514 from any source. In a production environment I suggest adding rich rules that permit access to port 514 only from specific IPs or networks, and removing the open-port entries added above again, because an open port in the zone admits every source regardless of any rich rule.
The commands below add such rich rules for a specific network (replace the xxx placeholders with your own address range).
# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="xxx.xxx.xxx.0/21" port port="514" protocol="tcp" accept'
# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="xxx.xxx.xxx.0/21" port port="514" protocol="udp" accept'
# firewall-cmd --reload
After making the above changes, restart the rsyslog service using the following command to apply the latest changes.
# systemctl restart rsyslog
For more complex configuration of rsyslog server please follow the rsyslog documentation.
The server now operates as a centralized log server and records messages from Syslog clients after restarting the rsyslog service.
To confirm that rsyslog is running and its sockets are listening, run netstat or ss and filter the output for rsyslog.
[root@TechArticles ~]# netstat -tunlp | grep rsyslog
tcp        0      0 0.0.0.0:514     0.0.0.0:*      LISTEN      2493/rsyslogd
tcp6       0      0 :::514          :::*           LISTEN      2493/rsyslogd
udp        0      0 0.0.0.0:514     0.0.0.0:*                  2493/rsyslogd
udp6       0      0 :::514          :::*                       2493/rsyslogd
[root@TechArticles ~]#
OR
[root@TechArticles ~]# ss -tunlp | grep rsyslog
udp   UNCONN 0   0    0.0.0.0:514   0.0.0.0:*   users:(("rsyslogd",pid=2493,fd=4))
udp   UNCONN 0   0       [::]:514      [::]:*   users:(("rsyslogd",pid=2493,fd=5))
tcp   LISTEN 0   25   0.0.0.0:514   0.0.0.0:*   users:(("rsyslogd",pid=2493,fd=6))
tcp   LISTEN 0   25      [::]:514      [::]:*   users:(("rsyslogd",pid=2493,fd=7))
[root@TechArticles ~]#
If netstat is not installed on the server, you can install it with the following command.
# dnf install net-tools
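Reading the listener table by eye is fine once; the added script below (not code from the original article) turns the check into something you can script and extends it with an end-to-end probe. It parses ss -tunlp output and succeeds only when rsyslogd owns port 514 on both TCP and UDP, and it can send a tagged test message from a client with util-linux logger(1) and print where the RemoteLogs template from step (vi) will file it. The embedded ss output is a constructed sample in the shape shown above; the logger options and the hostname used for the expected path are assumptions.

```bash
#!/bin/sh
# Added example, not from the original article. Two checks for the finished
# server: (1) parse `ss -tunlp` output and confirm rsyslogd owns 514 on both
# transports, (2) send a tagged probe from a client with util-linux logger(1)
# and say where the RemoteLogs template from step (vi) will file it.
set -eu

# Constructed sample of `ss -tunlp` output (same shape as the real output
# shown above); used when the script is run without --live.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:514       0.0.0.0:*         users:(("rsyslogd",pid=2493,fd=4))
udp   UNCONN 0      0      [::]:514          [::]:*            users:(("rsyslogd",pid=2493,fd=5))
tcp   LISTEN 0      25     0.0.0.0:514       0.0.0.0:*         users:(("rsyslogd",pid=2493,fd=6))
tcp   LISTEN 0      25     [::]:514          [::]:*            users:(("rsyslogd",pid=2493,fd=7))'

# Read ss output on stdin; succeed only if rsyslogd is bound to port 514 for
# BOTH tcp and udp. A local address of 0.0.0.0 or [::] means every interface,
# which is exactly why the firewall step must limit the source networks.
listeners_ok() {
    have_tcp=0
    have_udp=0
    while read -r proto state recvq sendq laddr peer procs; do
        case "$laddr" in *:514) ;; *) continue ;; esac
        case "$procs" in *rsyslogd*) ;; *) continue ;; esac
        [ "$proto" = tcp ] && have_tcp=1
        [ "$proto" = udp ] && have_udp=1
    done
    [ "$have_tcp" = 1 ] && [ "$have_udp" = 1 ]
}

# Where a message tagged TAG from client host CLIENT lands on the server,
# given the article's template /var/log/%HOSTNAME%/%PROGRAMNAME%.log.
expected_path() {
    printf '/var/log/%s/%s.log\n' "$1" "$2"
}

# Run on a CLIENT: send one probe over TCP (-T; use -d for UDP) to SERVER and
# print the file to look for on the server. util-linux logger options assumed.
send_probe() {
    server="$1"
    tag="rsyslog-probe-$$"
    logger -n "$server" -P 514 -T -t "$tag" "central logging probe from $(hostname)"
    echo "on the server, expect: $(expected_path "$(hostname)" "$tag")"
}

case "${1:-}" in
    --live)  ss -tunlp | listeners_ok && echo "rsyslogd listens on 514/tcp and 514/udp" ;;
    --probe) send_probe "$2" ;;
    *)       printf '%s\n' "$SAMPLE_SS" | listeners_ok && echo "sample: rsyslogd listens on 514/tcp and 514/udp" ;;
esac
```

On the server run it with --live; on a client run it with --probe <server>, then confirm on the server that the named file appeared and contains the probe line. If it does not, check the firewall rich rules from step (vii) first, since a blocked TCP connection is the usual cause.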
That’s all there is to it! Rsyslog is now set up as a centralized log server, allowing it to collect logs from remote clients.
For rsyslog client setup please follow below article:
How to Configure the Rsyslog Client to Send Logs to the Rsyslog Server RHEL 8