Install log in linux

How to Setup Central Logging Server with Rsyslog in Linux

Logs are a critical component of any software or operating system. Logs usually record user’s actions, system events, network activity and so much more, depending on what they are intended for. One of the most widely used logging systems on Linux systems is rsyslog.

Rsyslog is a powerful, secure and high-performance log processing system which accepts data from different types of source (systems/applications) and outputs it into multiple formats.

It has evolved from a regular syslog daemon to a fully-featured, enterprise level logging system. It is designed in a client/server model, therefore it can be configured as a client and/or as a central logging server for other servers, network devices, and remote applications.

Testing Environment

For the purpose of this guide, we will use the following hosts:

How to Install and Configure Rsyslog Server

Most Linux distributions come with the rsyslog package preinstalled. In case it’s not installed, you can install it using your Linux package manager tool as shown.

$ sudo yum update && yum install rsyslog #CentOS 7 $ sudo apt update && apt install rsyslog #Ubuntu 16.04, 18.04

Once rsyslog installed, you need to start the service for now, enable it to auto-start at boot and check it’s status with the systemctl command.

$ sudo systemctl start rsyslog $ sudo systemctl enable rsyslog $ sudo systemctl status rsyslog

The main rsyslog configuration file is located at /etc/rsyslog.conf, which loads modules, defines the global directives, contains rules for processing log messages and it also includes all config files in /etc/rsyslog.d/ for various applications/services.

By default, rsyslog uses the imjournal and imusock modules for importing structured log messages from systemd journal and for accepting syslog messages from applications running on the local system via Unix sockets, respectively.

Rsyslog Modules for Logging

To configure rsyslog as a network/central logging server, you need to set the protocol (either UDP or TCP or both) it will use for remote syslog reception as well as the port it listens on.

If you want to use a UDP connection, which is faster but unreliable, search and uncomment the lines below (replace 514 with the port you want it to listen on, this should match the port address that the clients send messages to, we will look at this more when configuring a rsyslog client).

$ModLoad imudp $UDPServerRun 514

To use TCP connection (which is slower but more reliable), search and uncomment the lines below.

$ModLoad imtcp $InputTCPServerRun 514

In this case, we want to use both UDP and TCP connections at the same time.

Читайте также:  Linux program must have

Configure Rsyslog Logging Server

Next, you need to define the ruleset for processing remote logs in the following format.

facility.severity_level destination (where to store log)
  • facility: is type of process/application generating message, they include auth, cron, daemon, kernel, local0..local7. Using * means all facilities.
  • severity_level: is type of log message: emerg-0, alert-1, crit-2, err-3, warn-4, notice-5, info-6, debug-7. Using * means all severity levels and none implies no severity level.
  • destination: is either local file or remote rsyslog server (defined in the form IP:port).

We will use the following ruleset for collecting logs from remote hosts, using the RemoteLogs template. Note that these rules must come before any rules for processing local messages, as shown in the screenshot.

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log" *.* ?RemoteLogs & ~

Define Ruleset for Rsyslog-Logging

Looking at the above ruleset, the first rule is “$template RemoteLogs,”/var/log/%HOSTNAME%/%PROGRAMNAME%.log””.

The directive $template tells rsyslog daemon to gather and write all of the received remote messages to distinct logs under /var/log, based on the hostname (client machine name) and remote client facility (program/application) that generated the messages as defined by the settings present in the template RemoteLogs.

The second line “*.* ?RemoteLogs” means record messages from all facilities at all severity levels using the RemoteLogs template configuration.

The final line “& ~” instructs rsyslog to stop processing the messages once it is written to a file. If you don’t include “& ~”, messages will instead be be written to the local files.

There are many other templates that you can use, for more information, see the rsyslog configuration man page (man rsyslog.conf) or refer to the Rsyslog online documentation.

That’s it with configuring the rsyslog server. Save and close the configuration file. To apply the recent changes, restart rsyslog daemon with the following command.

$ sudo systemctl restart rsyslog

Now verify the rsyslog network sockets. Use the ss command (or netstat with the same flags) command and pipe the output to grep to filter out rsyslogd connections.

$ sudo ss -tulnp | grep "rsyslog"

Check Rsyslog Network Status

Next, on CentOS 7, if you have SELinux enabled, run the following commands to allow rsyslog traffic based on the network socket type.

$ sudo semanage -a -t syslogd_port_t -p udp 514 $ sudo semanage -a -t syslogd_port_t -p tcp 514

If the system has firewall enabled, you need to open port 514 to allow both UDP/TCP connections to the rsyslog server, by running.

------------- On CentOS ------------- $ sudo firewall-cmd --permanent --add-port=514/udp $ sudo firewall-cmd --permanent --add-port=514/tcp $ sudo firewall-cmd --reload ------------- On Ubuntu ------------- $ sudo ufw allow 514/udp $ sudo ufw allow 514/tcp $ sudo ufw reload

How to Configure Rsyslog Client to Send Logs to Rsyslog Server

Now on the client system, check if the rsyslog service is running or not with the following command.

$ sudo systemctl status rsyslog

If it’s not installed, install it and start the service as shown earlier on.

$ sudo yum update && yum install rsyslog #CentOS 7 $ sudo apt update && apt install rsyslog #Ubuntu 16.04, 18.04 $ sudo systemctl start rsyslog $ sudo systemctl enable rsyslog $ sudo systemctl status rsyslog

Once the rsyslog service is up and running, open the main configuration file where you will perform changes to the default configuration.

Читайте также:  Linux cinnamon внешний вид

To force the rsyslog daemon to act as a log client and forward all locally generated log messages to the remote rsyslog server, add this forwarding rule, at the end of the file as shown in the following screenshot.

Configure Rsyslog Client

The above rule will send messages from all facilities and at all severity levels. To send messages from a specific facility for example auth, use the following rule.

Save the changes and close the configuration file. To apply the above settings, restart the rsyslog daemon.

$ sudo systemctl restart rsyslog

How to Monitor Remote Logging on the Rsyslog Server

The final step is to verify if the rsyslog is actually receiving and logging messages from the client, under /var/log, in the form hostname/programname.log.

Run a ls command to long listing of the parent logs directory and check if there is a directory called ip-172.31.21.58 (or whatever your client machine’s hostname is).

Check Rsyslog Client Logging

If the directory exists, check the log files inside it, by running.

$ sudo ls -l /var/log/ip-172-31-21-58/

Check Rsyslog Client Logs

Summary

Rsyslog is a high-performance log processing system, designed in a client/server architecture. We hope you are able to install and configure Rsyslog as a central/network logging server and as a client as demonstrated in this guide.

You may also want to refer to relevant rsyslog manual pages for more help. Feel free to give us any feedback or ask questions.

Источник

How to install syslog on RHEL 8 / CentOS 8

The syslog functionality is one of the main tools for a sysadmin. While writing logfiles with events of interest is a common feature of any application, having a system-wide logging functionality means all logs can be handled as one on the system. But syslog does not stop there. With these tool, a sysadmin can centralize log processing in the datacenter by forwarding the incoming events from applications to central logservers, where they can be processed at a large scale.

Centralized logging is an overkill on a home system with a few computers, but already have it’s benefits around a dozen machine. For example, a dozen desktops sending all their logfiles to a central logserver mean they don’t need to store them on the long run, the logs will occupy disk space in the logserver. The admin can check for problems in only one place (possibly by means of automated reports), the logs can be preserved in a safe way by the means of backups, stored more effective by means of heavy compressing, and will not be lost on a client’s failure or user error.

Читайте также:  Route delete примеры linux

In this tutorial you will learn:

  • How to install rsyslog package on RHEL 8 / CentOS 8.
  • How to verify successful install.
  • How to start, stop and autostart rsyslog service.
  • How to test syslog functionality with logger.

Status output of rsyslog service with systemctl.

Software Requirements and Conventions Used

Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System RHEL 8 / CentOS 8
Software rsyslog 8
Other Privileged access to your Linux system as root or via the sudo command.
Conventions # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux commands to be executed as a regular non-privileged user

How to install syslog on RHEL 8 / CentOS 8 step by step instructions

On RHEL 8 / CentOS 8 rsyslog package should be installed and running by default. There may be cases where you need to install it anyway, for example package broken/deleted, reverting from another syslog service, etc.

    The rsyslog is reachable from the base repositories. You need to have Subscription Management repositories set up and reachable in order to install any packages. With that in place, install is only one dnf command away:

# rpm -q rsyslog rsyslog-8.37.0-6.el8.x86_64
# dnf info rsyslog --verbose [. ] Installed Packages Name : rsyslog Version : 8.37.0 Release : 6.el8 Arch : x86_64 Size : 2.2 M Source : rsyslog-8.37.0-6.el8.src.rpm Repo : @System [. ] Install time : Thu Dec 27 12:24:35 2018 Installed by : [. ]

And lastly, systemd should know about the service (not running), which means the service files are in place:

# systemctl status rsyslog.service ● rsyslog.service - System Logging Service Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled) Active: inactive (dead) Docs: man:rsyslogd(8) http://www.rsyslog.com/doc/
# systemctl start rsyslog.service
# systemctl stop rsyslog.service

The status showed that the service is enabled on installation, which means it will start automatically on startup of the operating system. We can disable this autostart feature with:

# systemctl disable rsyslog.service
# systemctl enable rsyslog.service
# echo "test message from user root" | logger

And see the message properly shipped into the main syslog file by checking the last lines of /var/log/messages :

# tail /var/log/messages [. ] Dec 27 12:39:46 rhel8 rsyslogd[2636]: [origin software="rsyslogd" swVersion="8.37.0-6.el8" x-pid="2636" x-info="http://www.rsyslog.com"] start Dec 27 12:39:46 rhel8 systemd[1]: Started System Logging Service. Dec 27 12:41:56 rhel8 testuser[2668]: test message from user root

Источник

Оцените статью
Adblock
detector