In this post I will share how to set up a central log server using rsyslog on CentOS 6.2; the same steps also work on CentOS 6.3. The central rsyslog server archives the log messages (/var/log/messages) of every client that forwards to it. Keeping these logs in one place is valuable for troubleshooting and, because an attacker who compromises a host will usually try to clean its local logs, a copy held on a separate server is also the one you can still trust afterwards.
/var/log/messages contains general system messages, including those logged during startup, from the daemon, kern, user, auth and other facilities. With the stock CentOS rules shown below, mail, cron and authpriv messages are excluded from it and written to /var/log/maillog, /var/log/cron and /var/log/secure instead.
Assume the central log server and the client have the following IP addresses and hostnames:
Central rsyslog server : 192.168.1.55 (rsyslogserver)
Rsyslog client : 192.168.1.54 (rsyslogclient)
Configure Central Rsyslog Server :
1. Log in to the central rsyslog server and back up the default rsyslog.conf first:
[root@rsyslogserver ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
2. Open the rsyslog configuration file:
[root@rsyslogserver ~]# vi /etc/rsyslog.conf
3. Load the modules we need:
#### MODULES ####
$ModLoad imuxsock.so   # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so     # provides kernel logging support (previously done by rklogd)
$ModLoad immark.so     # provides --MARK-- message capability
4. Listen on TCP and UDP port 514. $UDPServerAddress 0.0.0.0 binds every interface, so any host that can reach the server can inject messages (and the source of a UDP datagram is trivially spoofed); restrict port 514 to the client network with iptables, which on CentOS 6 blocks it by default anyway, or set $UDPServerAddress to the interface facing the clients:
# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerAddress 0.0.0.0
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514
5. Set the default template:
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
6. Implement the logging rules:
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
7. Add the following lines in the forwarding rule section. The template names the file after the peer IP address (%fromhost-ip%), not after the HOSTNAME field inside the message, so a client cannot write into another client's directory simply by forging the hostname in what it sends. Because these two lines come after the standard rules, a client's messages are also written to the server's own /var/log/messages, /var/log/secure and so on; the per-client file is an additional copy, not a replacement:
# ### begin forwarding rule ###
..
..
#
# This one is the template to generate the log filename dynamically, depending on the client's IP address.
$template FILENAME,"/var/log/rsyslog/%fromhost-ip%/messages-%$YEAR%-%$MONTH%-%$DAY%.log"
#
# Log all messages to the dynamically formed file. Each client's log (192.168.1.2, 192.168.1.3, etc.) ends up in a separate directory named by the template FILENAME.
*.* ?FILENAME
..
..
# ### end of the forwarding rule ###
8. Create the rsyslog directory under /var/log (rsyslog creates the per-client subdirectories itself, since $CreateDirs is on by default):
[root@rsyslogserver ~]# mkdir /var/log/rsyslog
9. After adding the above lines to rsyslog.conf, restart the rsyslog service. It is then ready to accept messages from the configured clients; netstat should show rsyslogd bound to port 514 on both TCP and UDP.
[root@rsyslogserver ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
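The following is an added example, not code from the original post: a small offline simulation of how the server-side rules above route one received message. It decodes the syslog PRI field, evaluates the selectors transcribed from the RULES and forwarding sections, and renders the FILENAME template, so you can predict which files a message will land in before sending real traffic. The rsyslog.conf text is not parsed; the rules are copied by hand, and all messages, addresses and timestamps are constructed for the demo.

```python
# Added example (not from the original post): simulate the server's routing
# of one syslog message through the rules shown above.
import re
from datetime import datetime

# Syslog facility codes 0-23 (RFC 3164 numbering, rsyslog names for the common ones).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# Severity codes 0-7, most severe first.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Rules transcribed from the server's rsyslog.conf, in order.  A leading "-"
# means the file is written asynchronously; "*" means wall to all users.
RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
    ("*.*", "?FILENAME"),
]
TEMPLATES = {
    "FILENAME": "/var/log/rsyslog/%fromhost-ip%/messages-%$YEAR%-%$MONTH%-%$DAY%.log",
}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(raw):
    """Return (facility_name, severity_name, rest) for a raw syslog line."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("no <PRI> header: %r" % raw[:20])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


def selector_matches(selector, facility, severity):
    """Evaluate one 'fac[,fac].level;...' selector list.  As in sysklogd-style
    configs, the last entry whose facility part matches decides: '.none'
    excludes the facility and 'fac.level' means that level or more severe."""
    result = False
    sev_num = SEVERITIES.index(severity)
    for entry in selector.split(";"):
        facs, level = entry.rsplit(".", 1)
        fac_list = facs.split(",")
        if "*" not in fac_list and facility not in fac_list:
            continue
        if level == "none":
            result = False
        elif level == "*":
            result = True
        else:
            result = sev_num <= SEVERITIES.index(level)
    return result


def render_template(template, props):
    """Substitute %property% placeholders the way rsyslog legacy templates do."""
    return re.sub(r"%([^%]+)%", lambda m: props[m.group(1)], template)


def route(raw, fromhost_ip, now):
    """Return the destinations the server's rules send `raw` to, in order."""
    facility, severity, _ = decode_pri(raw)
    props = {
        "fromhost-ip": fromhost_ip,  # the peer address, NOT the HOSTNAME field
        "$YEAR": "%04d" % now.year,
        "$MONTH": "%02d" % now.month,
        "$DAY": "%02d" % now.day,
    }
    dests = []
    for selector, action in RULES:
        if not selector_matches(selector, facility, severity):
            continue
        if action.startswith("?"):
            dests.append(render_template(TEMPLATES[action[1:]], props))
        elif action == "*":
            dests.append("<wall to all users>")
        else:
            dests.append(action.lstrip("-"))
    return dests


def demo():
    """Route a few constructed messages received from the client 192.168.1.54."""
    now = datetime(2012, 9, 16, 12, 1, 1)
    client = "192.168.1.54"
    samples = [
        # user.info (PRI 14): lands in messages AND in the per-client file
        "<14>Sep 16 11:45:48 rsyslogclient ntpd[1359]: synchronized to 212.26.18.43, stratum 1",
        # authpriv.info (PRI 86): excluded from messages, goes to secure
        "<86>Sep 16 11:50:02 rsyslogclient sshd[2201]: Failed password for root from 10.0.0.9 port 5022 ssh2",
        # kern.emerg (PRI 0): also walled to every logged-in user on the server
        "<0>Sep 16 11:52:10 rsyslogclient kernel: constructed emergency message",
        # HOSTNAME forged to look like the server: the directory is still the peer IP
        "<14>Sep 16 11:55:00 rsyslogserver su: constructed message with forged hostname",
    ]
    return {raw: route(raw, client, now) for raw in samples}


if __name__ == "__main__":
    for raw, dests in demo().items():
        print(raw)
        for d in dests:
            print("   ->", d)
```

Run it with python to see that an sshd line never reaches /var/log/messages, that a kern.emerg line is walled to every terminal on the server, and that the forged-hostname line still ends up under 192.168.1.54. If you would rather keep client messages out of the server's own files, a property filter on fromhost-ip followed by a discard action (`& ~`), placed before the standard rules, does that; that variant is not in the post and is offered here as a suggestion.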
Configure Rsyslog Remote Client :
1. Log in to each client machine and open the rsyslog configuration file:
[root@rsyslogclient ~]# vim /etc/rsyslog.conf
2. Load the modules we need:
#### MODULES ####
$ModLoad imuxsock.so   # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so     # provides kernel logging support (previously done by rklogd)
$ModLoad immark.so     # provides --MARK-- message capability
3. Enable "*.* @192.168.1.55:514" in the forwarding rule section. Note that a single @ sends over UDP; the stock comment about "TCP for reliable delivery" and the commented-out on-disk queue directives refer to the @@ form (*.* @@192.168.1.55:514), which the server configured above also accepts on port 514. The disk queue only helps with TCP, because a UDP send never fails and so never triggers the retry logic. UDP works for this walkthrough, but use @@ if you want messages buffered while the server is unreachable:
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# a single @ forwards over UDP; use @@192.168.1.55:514 for TCP
*.* @192.168.1.55:514
# ### end of the forwarding rule ###
#
4. Restart the rsyslog service on the client:
[root@rsyslogclient ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
Verification :
Log in to the central rsyslog server, rsyslogserver, and verify that a directory named after the client's IP address has appeared with a log file for today:
[root@rsyslogserver ~]# ls /var/log/rsyslog/192.168.1.54/
messages-2012-09-16.log
Check the log:
[root@rsyslogserver ~]# tail -f /var/log/rsyslog/192.168.1.54/messages-2012-09-16.log
Sep 16 11:45:48 rsyslogclient ntpd[1359]: synchronized to 212.26.18.43, stratum 1
Sep 16 11:46:34 rsyslogclient clamd[1367]: SelfCheck: Database status OK.
Sep 16 11:53:47 rsyslogclient ntpd[1359]: time reset +2.330541 s
Sep 16 11:56:36 rsyslogclient clamd[1367]: SelfCheck: Database status OK.
Sep 16 11:58:32 rsyslogclient ntpd[1359]: synchronized to 212.26.18.43, stratum 1
Sep 16 12:01:01 rsyslogclient CROND[11208]: (root) CMD (run-parts /etc/cron.hourly)
Sep 16 12:01:01 rsyslogclient run-parts(/etc/cron.hourly)[1120 starting 00awstats
Sep 16 12:01:01 rsyslogclient run-parts(/etc/cron.hourly)[1121 finished 00awstats
Sep 16 12:01:01 rsyslogclient run-parts(/etc/cron.hourly)[1120 starting 0anacron
Sep 16 12:01:01 rsyslogclient run-parts(/etc/cron.hourly)[1122 finished 0anacron
Sep 16 12:06:36 rsyslogclient clamd[1367]: SelfCheck: Database status OK.
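Rather than waiting for cron or ntpd to produce something, you can verify the client forwarding rule and the server end to end with a message that carries a unique marker. The following is an added example, not code from the original post or from rsyslog: it builds an RFC 3164 syslog line and sends it the way the client's forwarding rule does, over UDP for a single @ (one datagram per message) or over TCP for @@ (where rsyslog's imtcp expects each message terminated by a newline). The server address 192.168.1.55 is taken from the post; the port default, the tag "rsyslogtest", the marker text and SAMPLE_TIME are assumptions for the demo.

```python
# Added example (not from the original post): build and send a marked test
# message to the central server so it can be grepped for afterwards.
import socket
import sys
import uuid
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Fixed timestamp used for the offline demo (constructed, matches the post's date).
SAMPLE_TIME = datetime(2012, 9, 16, 11, 45, 48)


def build_message(facility, severity, hostname, tag, text, now):
    """Format one RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG: MSG.
    The day of month is space-padded to two characters, as the RFC requires."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    stamp = "%s %2d %s" % (now.strftime("%b"), now.day, now.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, text)


def frame_for_tcp(message):
    """imtcp's default framing: the message bytes followed by a newline."""
    return message.encode("utf-8") + b"\n"


def send(message, server, port=514, proto="udp"):
    """Deliver one message like '*.* @server' (udp) or '*.* @@server' (tcp)."""
    if proto == "udp":
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sock.sendto(message.encode("utf-8"), (server, port))
        finally:
            sock.close()
    elif proto == "tcp":
        sock = socket.create_connection((server, port), timeout=5)
        try:
            sock.sendall(frame_for_tcp(message))
        finally:
            sock.close()
    else:
        raise ValueError("proto must be 'udp' or 'tcp'")


def test_message(marker=None, now=None):
    """Return (marker, message): a user.notice line carrying a unique marker."""
    marker = marker or uuid.uuid4().hex
    now = now or datetime.now()
    text = "central-log-check %s" % marker
    return marker, build_message("user", "notice", socket.gethostname(),
                                 "rsyslogtest", text, now)


if __name__ == "__main__":
    # usage: python rsyslogtest.py [server] [udp|tcp]   (server IP assumed from the post)
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.55"
    proto = sys.argv[2] if len(sys.argv) > 2 else "udp"
    marker, msg = test_message()
    send(msg, server, proto=proto)
    print("sent over %s: %s" % (proto, msg))
    print("on the server run: grep %s /var/log/rsyslog/*/messages-*.log" % marker)
```

Run it on the client, then grep for the printed marker on the server; the hit should be in the directory named after the client's IP. If nothing arrives, run tcpdump on the client for port 514 first: no packets at all points at the client side (the forwarding rule, or SELinux as mentioned in the comments below), while packets that leave but never show up in a file point at the server's firewall or listener.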
4 Comments
Very nice summary. If SELinux is enabled then log entries might be prevented from leaving the machine: https://bugzilla.redhat.com/show_bug.cgi?id=728591
Thanks for mentioning this. I've been running in loops for a while now. Everything seems configured properly, but the client won't even attempt to send anything to the server (judging by tcpdump's output).
Nice, entries go into the message log, but they also pop up on the console and on any open terminal screen. Need something to suppress this.
Hi, how do I add a rule to get the logs from the httpd folder? I tried adding the rule "*.* /var/log/httpd/" but it is not working. Can you help me? Thanks.