{"id":278,"date":"2015-09-07T16:16:55","date_gmt":"2015-09-07T16:16:55","guid":{"rendered":"http:\/\/onlinelab.info\/?p=278"},"modified":"2015-09-07T16:16:55","modified_gmt":"2015-09-07T16:16:55","slug":"setup-syslog-server-on-centos-6-rhel-6","status":"publish","type":"post","link":"https:\/\/www.asianux.org.vn\/index.php\/2015\/09\/07\/setup-syslog-server-on-centos-6-rhel-6\/","title":{"rendered":"Setup SysLog Server on CentOS 6 \/ RHEL 6"},"content":{"rendered":"

Today we will be looking into how to setup a centralized log management for Linux servers, this will help the Linux admin to have a multiple server logs into one single place. The Linux admin not required to login in to each servers for checking the logs, he can just login into the centralized server and start do the logs monitoring.<\/p>\n

Linux labels (auth, cron, ftp, lpr, authpriv, news, mail, syslog, etc ,..) the log messages to indicate the type of software that generated the messages with severity (Alert, critical, Warning, Notice, info, etc ,..).<\/p>\n

You can find more information on Message Labels<\/a> and Severity Levels<\/a><\/p>\n

Make sure you have the following to setup log server.<\/p>\n

Two Linux servers ( server and client).<\/p>\n

server.itzgeek.local 192.168.0.105<\/strong><\/p>\n

client.itzgeek.local\u00a0 192.168.0.104<\/strong><\/p>\n

Server setup:<\/strong><\/h3>\n

Install syslog package, if you do not have it installed.<\/p>\n

\n\n\n\n
\n
[root@server ~]# yum -y install rsyslog<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Edit \/etc\/rsyslog.conf<\/p>\n
\n\n\n\n
\n
[root@server ~]# vi \/etc\/rsyslog.conf<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Un comment the following to enable the syslog server to listen on the tcp and udp port.<\/p>\n
From<\/p>\n
\n\n\n\n
\n
# Provides UDP syslog reception\n#$ModLoad imudp\n#$UDPServerRun 514\n\u00a0\n# Provides TCP syslog reception\n#$ModLoad imtcp\n#$InputTCPServerRun 514<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
To<\/p>\n
\n\n\n\n
\n
# Provides UDP syslog reception\n$ModLoad imudp\n$UDPServerRun 514\n\u00a0\n# Provides TCP syslog reception\n$ModLoad imtcp\n$InputTCPServerRun 514<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Restart the syslog service<\/p>\n
\n\n\n\n
\n
[root@server ~]# service rsyslog restart<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Verify the syslog server listening.<\/p>\n
\n\n\n\n
\n
[root@server ~]# netstat -antup | grep 514\n\u00a0\ntcp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0 0 0.0.0.0:514\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0.0.0.0:*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LISTEN\u00a0\u00a0\u00a0\u00a0\u00a0 8081\/rsyslogd\ntcp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0 0 :::514\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 :::*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LISTEN\u00a0\u00a0\u00a0\u00a0\u00a0 8081\/rsyslogd\nudp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0 0 0.0.0.0:514\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0.0.0.0:*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 8081\/rsyslogd\nudp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\u00a0\u00a0\u00a0\u00a0\u00a0 0 :::514\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 :::*\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 8081\/rsyslogd<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Client setup:<\/strong><\/h3>\n
Edit \/etc\/rsyslog.conf<\/p>\n
\n\n\n\n
\n
[root@client ~]# vi \/etc\/rsyslog.conf<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
At the end of file place the following line to point the client message log to the server<\/p>\n
\n\n\n\n
\n
*.info;mail.none;authpriv.none;cron.none\u00a0\u00a0 @192.168.0.105<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
You can either mention hostname or ip address.<\/p>\n
Restart the syslog service<\/p>\n
\n\n\n\n
\n
[root@client ~]# service rsyslog restart<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Now all the message logs are sent to the central server and also it keeps the copy locally.<\/p>\n
Firewall Port opening (Optional):<\/strong><\/h3>\n
Mostly all the production environment are protected by hardware firewall, ask them to open the TCP & UDP 514. You can verify the port opening by issuing the following command from the client.<\/p>\n
\n\n\n\n
\n
[root@client ~]# telnet 192.168.0.105 514\n\u00a0\nTrying 192.168.0.105...\nConnected to 192.168.0.105.\nEscape character is '^]'.<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
If it didn\u2019t give any reply, disable firewall on both client and server.<\/p>\n
Test:<\/strong><\/h3>\n
Monitor the activity from the log server, open the message log.<\/p>\n
\n\n\n\n
\n
[root@server ~]# tailf \/var\/log\/messages<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
Now restart xinetd service on client, Now you can get the service restart message on the syslog server.<\/p>\n
\n\n\n\n
\n
Oct 17 15:06:41 client xinetd[4280]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.\nOct 17 15:06:41 client xinetd[4280]: Started working: 0 available services<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n
By this way you can monitor the other logs such as secure, mail, cron logs etc.<\/p>\n","protected":false},"excerpt":{"rendered":"
Today we will be looking into how to setup a centralized log management for Linux servers, this will help the Linux admin to have a multiple server logs into one single place. The Linux admin…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-278","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/comments?post=278"}],"version-history":[{"count":0,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/posts\/278\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/media?parent=278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/categories?post=278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asianux.org.vn\/index.php\/wp-json\/wp\/v2\/tags?post=278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}