How to configure rsyslog client for remote logging on CentOS
Last updated on October 19, 2020 by Dan Nanni
rsyslog is an open source utility widely used on Linux systems to forward or receive log messages via TCP/UDP protocols. rsyslog daemon can be configured in two scenarios. Configured as a log collector server, rsyslog daemon can gather log data from all other hosts in the network, which are configured to send their internal logs to the server. In another role, rsyslog daemon can be configured as a client which filters and sends internal log messages to either a local folder (e.g. /var/log) or a remote rsyslog server based on routing facility.
Assuming that you already have a rsyslog server up and running on your network, this guide will show you how to set up a CentOS system to route its internal log messages to a remote rsyslog server. This will greatly improve your system's disk usage, especially if you don't have a separate large partition dedicated for /var directory.
Step One: Install rsyslog on CentOS
On CentOS 6 and 7, rsyslog daemon comes preinstalled. To verify that rsyslog is installed on your CentOS system, issue the following command:
# rpm -qa | grep rsyslog # rsyslogd -v
If for some reason rsyslog daemon is missing on your system, issue the following command to install it:
# yum install rsyslog
Step Two: Configure rsyslog as a Syslog Client
rsyslog client which sends all of its internal log messages to the central remote log server.
To do so, open the main rsyslog configuration file located in /etc path with your favorite text editor:
# nano /etc/rsyslog.conf
After the file is opened for editing, you need to add the following statement at the bottom of the file. Replace the IP address with your remote rsyslog server's IP address.
*.* @192.168.1.25:514
The above statement tells rsyslog daemon to route every log message from every facility on the system to the remote rsyslog server (192.168.1.25) on UDP port 514.
If for some reasons you need a more reliable protocol like TCP, and the rsyslog server is configured to listen for TCP connections, you must add an extra @ character in front of the remote host's IP address as in the below excerpt:
*.* @@192.168.1.25:514
Note that you can also replace the IP address of the rsyslog server with its DNS name (FQDN).
If you want to forward log messages from a specific facility only, let's say kernel facility, then you can use the following statement in your rsyslog configuration file.
kern.* @192.168.1.25:514
Once you have modified the configuration, you need to restart the daemon to activate the change:
On CentOS 7 or later:
# systemctl restart rsyslog.service
On CentOS 6 or earlier:
# service rsyslog restart
In another scenario, let's assume that you have installed an application named foobar on your machine, which generates logs to /var/log/foobar.log file. Now you want to direct only its logs to a remote rsyslog server. This can be achieved by loading imfile module in the rsyslog configuration as follows.
First load the imfile module. This must be done just once.
module(load="imfile" PollingInterval="5")
Then specify the path to the log file that the imfile module should monitor:
input(type="imfile"
File="/var/log/foobar.log"
Tag="foobar"
Severity="error"
Facility="local7")
Finally, direct local7 facility to the remote rsyslog server:
local7.* @192.168.1.25:514
Don't forget to restart rsyslog daemon.
Step Three: Enable rsyslog to Auto-start
To automatically start rsyslog client after every system reboot, run the following command to enable it system-wide:
On CentOS 7 or later:
# systemctl enable rsyslog.service
On CentOS 6 or earlier:
# chkconfig rsyslog on
Summary
In this tutorial I demonstrated how to turn a CentOS system into rsyslog client to force it to send its log messages to a remote rsyslog server. Here I assume that the connection between a rsyslog client and rsyslog server is secure (e.g., within corporate network protected by a firewall). Under any circumstances do not configure a rsyslog client to forward log messages over insecure networks or, especially, over the Internet as the syslog protocol is a clear-text protocol. For secure transmission, consider encrypting syslog messages using TLS/SSL.
Support Xmodulo
This website is made possible by minimal ads and your gracious donation via PayPal or credit card
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.
Xmodulo © 2021 ‒ About ‒ Write for Us ‒ Feed ‒ Powered by DigitalOcean