What is rsyslog logserver?
Rsyslog is an open-source software utility that provides a reliable and efficient way to manage log messages in Unix and Linux-based systems. It is an enhanced version of the original syslog protocol and is widely used for logging system messages, application logs, and other types of event notifications.

Key Features of Rsyslog logserver:
- Centralized Logging: Rsyslog allows you to configure a centralized logging server (often referred to as a log server) that collects log messages from multiple client machines. This centralization simplifies log management and monitoring.
- Flexible Configuration: Rsyslog offers a highly flexible configuration system, allowing administrators to define how and where logs are processed, filtered, and stored. This includes options for log rotation, file formats, and destination types.
- Support for Multiple Protocols: Rsyslog supports various protocols for log transmission, including TCP, UDP, and RELP (Reliable Event Logging Protocol). This flexibility enables secure and reliable log transport.
- High Performance: Rsyslog is designed to handle high volumes of log messages efficiently, making it suitable for enterprise environments with numerous servers and applications generating logs.
- Modular Architecture: Rsyslog has a modular design, allowing users to extend its functionality through plugins. This includes support for additional log formats, databases, and external services.
- Filtering and Processing: Rsyslog can filter and process log messages based on content, enabling advanced routing and handling of logs. This feature is useful for prioritizing critical logs or directing them to specific storage solutions.
- Integration with Other Tools: Rsyslog can be integrated with various log analysis and monitoring tools, such as ELK Stack (Elasticsearch, Logstash, Kibana), Splunk, and others, to enhance log analysis capabilities.
When logs are collected with rsyslog logserver, three important things must be taken into consideration:
- Facility level: what type of processes to monitor.
- Severity (priority) level: what type of log messages to collect.
- Destination: where to send or record log messages.
What is the profile of rsyslog logserver?
This is also called the rsyslog server. The requirements are given below.
Package : rsyslog*
Daemon : rsyslog
Port No. : 514
Configuration file : /etc/rsyslog.conf
Setting a Centralized rsyslog logserver
(i) Install the rsyslog package with the following command if it is not installed already.
# dnf install rsyslog* -y
(ii) Verify the installation.
[root@TechArticles ~]# rpm -q rsyslog
rsyslog-8.2102.0-7.el8.x86_64
(iii) Open the log server configuration file and edit it as per your requirements.
# vim /etc/rsyslog.conf
Uncomment these lines, then save and exit the file.
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
Please Note: The UDP protocol allows faster data delivery than TCP, but it is not reliable.
To configure Rsyslog daemon to bind and listen to a TCP socket on 514 port, uncomment the following lines in the /etc/rsyslog.conf configuration file.
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
(iv) Enable the server to start at boot and restart the log server daemon.
# systemctl restart rsyslog
# systemctl enable rsyslog
(v) Verify whether the log server is listening or not.
[root@TechArticles ~]# netstat -ntulp | grep 514
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      2493/rsyslogd
tcp6       0      0 :::514                  :::*                    LISTEN      2493/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           2493/rsyslogd
udp6       0      0 :::514                  :::*                                2493/rsyslogd
[root@TechArticles ~]#
(v) Now add the lines below to the /etc/rsyslog.conf configuration file to create a template for receiving remote messages. This instructs the local Rsyslog server where to save the logs received from Syslog clients.
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
Note: The above lines instruct the rsyslog server to write every received log to a file named after the remote client application that generated it.
All log files received from remote clients are saved on the rsyslog server's local filesystem under the /var/log/ directory, in a subdirectory named after the client machine's hostname.
(vi) Allow the log server service on the firewall.
Add the 514 tcp port no. to the firewall
# firewall-cmd --permanent --add-port=514/tcp
Add the 514 udp port no. to the firewall
# firewall-cmd --permanent --add-port=514/udp
Reload the firewall configuration
# firewall-cmd --complete-reload
Note: The above commands open port 514 to any source address. In a production environment I suggest adding a rich rule instead, permitting access to port 514 only from specific IPs or networks. If you do so, also remove the zone-wide port entries added above (# firewall-cmd --permanent --remove-port=514/tcp and # firewall-cmd --permanent --remove-port=514/udp), otherwise they still admit every source.
The commands below add rich rules for specific IPs or networks.
# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="xxx.xxx.xxx.0/21" port port="514" protocol="tcp" accept'
# firewall-cmd --permanent --add-rich-rule 'rule family="ipv4" source address="xxx.xxx.xxx.xxx/21" port port="514" protocol="udp" accept'
# firewall-cmd --reload
After making the above changes, restart the rsyslog service using the following command to apply the latest changes.
# systemctl restart rsyslog
For more complex configuration of rsyslog server please follow the rsyslog documentation.
The server now operates as a centralized log server and records messages from Syslog clients after restarting the rsyslog logserver service.
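The server-side steps above, collected into one RainerScript fragment. This is an added example, not from the original article: it is equivalent to the legacy $template lines, but routes remote messages through their own ruleset so they are not also appended to the server's local log files, and it replaces any "/" in the client-supplied hostname and program name so a received message cannot steer the dynamic file path outside the assumed /var/log/remote/ directory.

```conf
# Added example (not from the original article): server-side /etc/rsyslog.conf fragment.
module(load="imudp")
module(load="imtcp")

# Same layout as the article's template, under an assumed /var/log/remote/ base directory.
# secpath-replace turns '/' in the HOSTNAME and PROGRAMNAME fields into '_', so values
# supplied by a client cannot escape the directory when the path is built.
template(name="RemoteLogs" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

# Remote messages are handled only here; "stop" keeps them out of the default ruleset,
# so they do not also land in the server's own /var/log/messages.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# Bind both listeners on port 514 to the remote ruleset.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```

Put this in a drop-in such as /etc/rsyslog.d/remote.conf (an assumed file name) instead of the legacy lines, then restart rsyslog as in step (iv).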
To confirm that rsyslog is running and its socket is listening, run the netstat or ss command and filter for rsyslog with grep.
[root@TechArticles ~]# netstat -tunlp | grep rsyslog
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      2493/rsyslogd
tcp6       0      0 :::514                  :::*                    LISTEN      2493/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           2493/rsyslogd
udp6       0      0 :::514                  :::*                                2493/rsyslogd
[root@TechArticles ~]#
OR
[root@TechArticles ~]# ss -tunlp | grep rsyslog
udp   UNCONN 0      0        0.0.0.0:514      0.0.0.0:*    users:(("rsyslogd",pid=2493,fd=4))
udp   UNCONN 0      0           [::]:514         [::]:*    users:(("rsyslogd",pid=2493,fd=5))
tcp   LISTEN 0      25       0.0.0.0:514      0.0.0.0:*    users:(("rsyslogd",pid=2493,fd=6))
tcp   LISTEN 0      25          [::]:514         [::]:*    users:(("rsyslogd",pid=2493,fd=7))
[root@TechArticles ~]#
If netstat is not installed on the server, you can install it with the following command.
# dnf install net-tools
Configure rsyslog logserver Client machine
Configure Rsyslog Logserver Client machine for Enhanced Log Management in Your Network Architecture
To optimize log management in your network architecture, it’s essential to configure the Rsyslog logserver client effectively. Rsyslog logserver is a powerful, free, and open-source logging application widely used across various Linux distributions, including CentOS 8, RHEL 8, RockyLinux 8, AlmaLinux 8, and Ubuntu Linux.
Log management is a critical component of any network architecture. Various elements of system software—such as utilities, programs, daemons, network services, kernels, and physical devices—continuously generate log messages. These log files are invaluable for debugging Linux system faults, monitoring system performance, and assessing security strengths and weaknesses.
I am going to configure Rsyslog on the client machine, enabling the daemon to use the TCP or UDP transport protocol to send log messages to a remote Rsyslog server. Furthermore, Rsyslog can be set up to operate as both a client and a server, offering enhanced flexibility in my logging architecture.
By properly configuring the Rsyslog logserver client, you can enhance your log management capabilities, ensuring that your network operates smoothly and securely.
1. Verify and install the rsyslog logserver tool on the client machine.
On a CentOS/RHEL system, the Rsyslog service is already installed and running. To check whether the rsyslog service is present on your system, use the following commands:
# rpm -q rsyslog
# rsyslogd -v
[root@client ~]# rpm -q rsyslog
rsyslog-8.2102.0-7.el8.x86_64
[root@client ~]# rsyslogd -v
rsyslogd 8.2102.0-7.el8 (aka 2021.02) compiled with:
	PLATFORM:				x86_64-redhat-linux-gnu
	PLATFORM (lsb_release -d):
	FEATURE_REGEXP:				Yes
	GSSAPI Kerberos 5 support:		Yes
	FEATURE_DEBUG (debug build, slow code):	No
	32bit Atomic operations supported:	Yes
	64bit Atomic operations supported:	Yes
	memory allocator:			system default
	Runtime Instrumentation (slow code):	No
	uuid support:				Yes
	systemd support:			Yes
	Config file:				/etc/rsyslog.conf
	PID file:				/var/run/rsyslogd.pid
	Number of Bits in RainerScript integers: 64
You can install the Rsyslog package with the following command if it is not installed already.
# dnf install rsyslog
2. Configuring rsyslog logserver Service on client machine
(i) Open the log server configuration file with the following command.
# vim /etc/rsyslog.conf
(ii) Go to the end of the file and add the line below.
*.* @<log server IP address>:514
For Example: *.* @172.25.9.11:514
(save and exit this file)
(iii) If the remote log server is set to accept only TCP connections, or if you wish to use a reliable transport protocol such as TCP, put another @ character in front of the remote host, as shown below:
*.* @@<log server IP address>:514
(iv) Restart the log server service.
# systemctl restart rsyslog
# systemctl enable rsyslog
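The client-side forwarding rule from step (iii), written in RainerScript as an added example (not from the original article). It sends to the article's example server address 172.25.9.11 over TCP and adds a disk-assisted queue, so messages are held on the client while the server is unreachable instead of being dropped.

```conf
# Added example (not from the original article): client-side forwarding action,
# equivalent to "*.* @@172.25.9.11:514" but with a queue that survives server outages.
# The queue file is created under rsyslog's work directory, which the default
# RHEL 8 configuration sets to /var/lib/rsyslog via global(workDirectory=...).
action(type="omfwd"
       target="172.25.9.11" port="514" protocol="tcp"
       queue.type="LinkedList"          # in-memory queue ...
       queue.filename="fwd_remote"      # ... that spills to disk when it fills up
       queue.maxDiskSpace="1g"          # cap on disk usage for the spilled queue
       queue.saveOnShutdown="on"        # persist queued messages across a restart
       action.resumeRetryCount="-1")    # retry the connection indefinitely
```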
* Then all the log messages are stored in the /var/log/secure location.
* To monitor all the messages on the server, use the following command.
# tailf /var/log/secure
* Open the /etc/rsyslog.conf file and add the line below to store all the client’s log messages in the remote log server only.
# vim /etc/rsyslog.conf
*.* /var/log/secure
(save and exit this file)
* Then restart the log server daemon.
# systemctl restart rsyslog
That’s all there is to it! The rsyslog logserver client is now set up to send logs to the Rsyslog server.
Conclusion
In conclusion, the Rsyslog log server configuration is a crucial step in establishing a robust logging infrastructure that enhances system monitoring and troubleshooting capabilities. By effectively setting up Rsyslog, organizations can ensure that log data is collected, processed, and stored efficiently, allowing for real-time analysis and improved security. Proper configuration of the Rsyslog log server not only streamlines log management but also supports compliance with regulatory requirements. Overall, investing time in the Rsyslog log server configuration will lead to better visibility into system performance and potential issues, ultimately contributing to a more secure and reliable IT environment.