This tutorial describes how to configure a centralized log server on Rocky Linux and AlmaLinux using Rsyslog. A centralized setup is advantageous when you manage many servers, because you no longer need to log in to each one to examine its logs.
All client servers' log entries are sent to the central host, allowing single-point monitoring, analysis, and archiving of the data. Self-hosted log management systems may be the better choice in some situations, but cloud-hosted solutions are often preferred for their simplicity of setup, extensive feature set, and clear pricing.
Rsyslog is a popular and solid option for setting up centralized logging. It can also apply specific transformations to incoming log entries before forwarding them to different destinations.
Prerequisites
We will require two nodes here:
- Rocky Linux 8 or 9 (AlmaLinux 8 or 9) for the central rsyslog server
- Any one of RHEL, Rocky, Alma, CentOS Stream, or Fedora for the rsyslog client
If you need help installing Rocky Linux, refer to How to Install Rocky Linux.
Install Rsyslog on Rocky Linux
The default Rocky Linux / AlmaLinux repositories contain the Rsyslog package, which is usually pre-installed. If it is missing, install it with the command
sudo yum install rsyslog
Configure Server over TCP for remote logging
Both the server and the client must be configured in order to use TCP for logging. Gathering and examining the logs that the clients send in is the server's responsibility. TCP is the right choice when the action queue is enabled on the client: while the server is offline, the action queue stores the messages and prevents message loss until the server is reachable again. I will be using port 6514 in this tutorial.
Allow the ports in the firewall
sudo firewall-cmd --zone=public --permanent --add-port=6514/tcp
sudo firewall-cmd --reload
Configure the SELinux port label (the semanage utility is provided by the policycoreutils-python-utils package)
sudo semanage port -a -t syslogd_port_t -p tcp 6514
If semanage reports that tcp/6514 is already defined, replace -a with -m to modify the existing label instead of adding a new one.
Create the file named /etc/rsyslog.d/remotelog.conf
sudo vi /etc/rsyslog.d/remotelog.conf
Add the below content to the above file
# Define templates before the rules that use them
# Per-host templates for remote systems: one directory per client hostname,
# one file per program name. SecurePath="replace" replaces slashes in the
# program name so that a message cannot steer the file name out of its directory.
template(name="TmplAuthpriv" type="list") {
    constant(value="/var/log/remote/auth/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
}
template(name="TmplMsg" type="list") {
    constant(value="/var/log/remote/msg/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
}
# Provides TCP syslog reception
module(load="imtcp")
# Ruleset that processes remote messages (bound to the TCP input below)
ruleset(name="remote1") {
    authpriv.* action(type="omfile" DynaFile="TmplAuthpriv")
    *.info;mail.none;authpriv.none;cron.none action(type="omfile" DynaFile="TmplMsg")
}
# Listen on TCP port 6514 and hand every received message to the ruleset above
input(type="imtcp" port="6514" ruleset="remote1")
Save the file and check the configuration syntax
$ rsyslogd -N 1
rsyslogd: version 8.2102.0-5.el8, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
Enable and restart the service
sudo systemctl restart rsyslog
sudo systemctl enable rsyslog
Configure the Client over TCP for remote logging
Now it's time to configure the client to send its logs over TCP. Make sure the client has the rsyslog package installed, and that the firewall and SELinux on the server allow the port as configured above.
Create the file /etc/rsyslog.d/remotelog.conf
sudo vi /etc/rsyslog.d/remotelog.conf
Add the below content to the above file
*.* action(type="omfwd"
    queue.type="linkedlist"
    queue.filename="example_fwd"
    action.resumeRetryCount="-1"
    queue.saveOnShutdown="on"
    target="rsyslogserver.linuxquery.org" port="6514" protocol="tcp"
)
Let us briefly go over the parameters in this file:
- queue.type="linkedlist" enables a LinkedList in-memory queue for the forwarding action
- queue.filename="example_fwd" names the on-disk file prefix that the queue spills to when memory is exhausted or the server is unreachable, so buffered messages survive a restart
- action.resumeRetryCount="-1" makes Rsyslog retry the connection indefinitely instead of dropping messages when the server is unavailable
- queue.saveOnShutdown="on" writes any queued messages to disk when rsyslog stops, so they are not lost
- target="rsyslogserver.linuxquery.org" port="6514" protocol="tcp" is our syslog server (rsyslogserver.linuxquery.org) and the port and protocol it receives messages on
Restart the services
sudo systemctl restart rsyslog
Now that both the server and the client are configured, it is time to test the logging. Send a test message from the client to the server using the simple command
logger test
Now move to the Server and check if you have received the logs
cat /var/log/remote/msg/<ip or hostname>/<user>.log
Replace <ip or hostname> with the actual client hostname or IP and <user> with the user name of the user that ran the logger command on the client (logger tags the message with the invoking user's login name by default, which becomes the programname and hence the file name).
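The manual logger/cat check above is fine for one message, but it does not tell you whether the client's queue delivered everything, or which path the server-side template actually produced. The following POSIX shell helpers are an added example, not part of the original tutorial: they derive the expected file path from the TmplMsg template (base directory, client hostname, program name), send a batch of uniquely marked messages from the client with a fixed tag via logger -t, and on the server poll the resulting file until every message has arrived. The base directory /var/log/remote/msg matches the tutorial's template; the tag name rsyslogtest, the marker format and the WAIT_SECONDS/REMOTE_BASE variables are my own choices.

```shell
# Added verification helpers for the tutorial's setup (not part of the original page).
# Assumption: the server uses the TmplMsg template from this tutorial, so a message
# logged on client $HOST with tag $TAG is written to $REMOTE_BASE/$HOST/$TAG.log.
# REMOTE_BASE and WAIT_SECONDS can be overridden from the environment.
REMOTE_BASE="${REMOTE_BASE:-/var/log/remote/msg}"
WAIT_SECONDS="${WAIT_SECONDS:-15}"

# Build the path the TmplMsg template produces for a base dir / hostname / tag.
expected_log_path() {
    # $1 = base directory, $2 = client hostname, $3 = programname (logger -t tag)
    printf '%s/%s/%s.log\n' "$1" "$2" "$3"
}

# Count the lines of a file that contain the marker string; prints 0 if the
# file does not exist yet (the server creates it on the first message).
count_marker() {
    # $1 = file, $2 = marker
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -F -- "$2" "$1" || true   # grep -c exits 1 on zero matches
}

# Poll until the marker appears at least once, giving up after $3 seconds.
wait_for_marker() {
    # $1 = file, $2 = marker, $3 = timeout in seconds
    _i=0
    while [ "$_i" -lt "$3" ]; do
        if [ "$(count_marker "$1" "$2")" -gt 0 ]; then
            return 0
        fi
        sleep 1
        _i=$((_i + 1))
    done
    return 1
}

# Client side: send $3 messages tagged $1, each carrying marker $2 and a sequence
# number, through the local rsyslog and its forwarding queue.
send_test_messages() {
    # $1 = tag, $2 = marker, $3 = count
    _n=0
    while [ "$_n" -lt "$3" ]; do
        logger -t "$1" "$2 seq=$_n"
        _n=$((_n + 1))
    done
}

# Server side: verify that exactly $4 marked messages from client $1 / tag $2
# reached the per-host file. Returns non-zero (with a reason on stderr) otherwise.
verify_received() {
    # $1 = client hostname, $2 = tag, $3 = marker, $4 = expected count
    _path=$(expected_log_path "$REMOTE_BASE" "$1" "$2")
    wait_for_marker "$_path" "$3" "$WAIT_SECONDS" || {
        echo "no message with marker '$3' arrived in $_path" >&2
        return 1
    }
    _got=$(count_marker "$_path" "$3")
    if [ "$_got" -ne "$4" ]; then
        echo "expected $4 messages in $_path, found $_got" >&2
        return 1
    fi
    echo "OK: $_got/$4 messages in $_path"
}

# Usage on the client:  MARKER="rsyslog-check-$(date +%s)"
#                       send_test_messages rsyslogtest "$MARKER" 5
# Usage on the server:  verify_received client1.example.org rsyslogtest "$MARKER" 5
```

Using a fixed tag rather than the default login name keeps the test messages in one predictable file, and the sequence numbers let you spot gaps. Running the client step while the server's rsyslog is stopped, then starting it and running the server step, is a direct check that the disk-assisted queue really preserved the messages.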
Similarly, we can also configure rsyslog to send logs over UDP, which we will discuss in another blog post.
Conclusion
Using Rsyslog, you established a centralized logging service in this lesson. After talking about the benefits of a centralized logging service, we set up the host Rsyslog server, which will store each client’s log entries individually. After that, we tested our setup to make sure it was operating as intended and set up a client server to transmit logs to the central server.
You may now send logs from as many clients as you like to the centralized server. Make sure that each client has a unique hostname in order to ensure that each client’s log entry is kept in its own directory. Additionally, remember to use log rotation on the host server to stop the log files from being too big and to have the logs that are older than a predetermined number of days or weeks automatically deleted.