{"id":848,"date":"2022-03-22T07:20:59","date_gmt":"2022-03-22T06:20:59","guid":{"rendered":"https:\/\/www.gonscak.sk\/?p=848"},"modified":"2022-03-22T07:21:00","modified_gmt":"2022-03-22T06:21:00","slug":"configuring-a-remote-logging-solution-rsyslog","status":"publish","type":"post","link":"https:\/\/www.gonscak.sk\/?p=848","title":{"rendered":"Configuring a remote logging solution – rsyslog"},"content":{"rendered":"\n
https:\/\/unixcop.com\/how-to-install-syslog-server-and-client-centos8\/<\/pre>\n\n\n\n
With so much complex information produced by multiple applications and systems, administrators need a way to review the details, so they can understand the cause of problems or plan appropriately for the future.<\/p>\n\n\n\n
The Syslog<\/strong> (System Logging Protocol<\/strong>) system on the server can act as a central log monitoring point over a network where all servers, network devices, switches, routers and internal services that create logs, whether linked to the particular internal issue or just informative messages can send their logs.<\/p>\n\n\n\n
To ensure that logs from various machines in your environment are recorded centrally on a logging server, you can configure the Rsyslog<\/strong> application to record logs that fit specific criteria from the client system to the server.<\/p>\n\n\n\n
The Rsyslog application, in combination with the systemd-journald<\/code> service, provides local and remote logging support.<\/p>\n\n\n\n
In order to set up a centralized log server on a CentOS\/RHEL 8<\/strong> server, you need to check an confirm that the \/var<\/code> partition has enough space (a few GB minimum) to store all recorded log files on the system that send by other devices on the network. I recommend you to have a separate drive (LVM<\/strong> or RAID<\/strong>) to mount the \/var\/log\/<\/code> directory.<\/p>\n\n\n\n
Rsyslog<\/strong> service is installed and running automatically in CentOS\/RHEL 8<\/strong> server. In order to verify that the daemon is running in the system, run the following command<\/p>\n\n\n\n
systemctl status rsyslog.service<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
If the service is not running by default, run the following command to start rsyslog<\/strong> daemon:<\/p>\n\n\n\n
systemctl start rsyslog.service<\/pre>\n\n\n\n
Now, in the \/etc\/rsyslog.conf<\/strong> configuration file, find and uncomment the following lines to grant UDP transport reception to the Rsyslog<\/strong> server via 514<\/strong> port. Rsyslog<\/strong> uses the standard UDP<\/strong> protocol for log transmission.<\/p>\n\n\n\n
vim \/etc\/rsyslog.conf\n\nmodule(load=\"imudp\") # needs to be done just once\ninput(type=\"imudp\" port=\"514\")<\/pre>\n\n\n\n
The UDP protocol doesn\u2019t have the TCP<\/strong> overhead, and it makes data transmission faster than the TCP<\/strong> protocol. On the other hand, the UDP<\/strong> protocol doesn\u2019t guarantee the reliability of transmitted data.<\/p>\n\n\n\n
However, if you want to use TCP<\/strong> protocol for log reception you must find and uncomment the following lines in the \/etc\/rsyslog.conf<\/strong> the configuration file in order to configure Rsyslog daemon to bind and listen to a TCP socket on 514<\/strong> port.<\/p>\n\n\n\n
module(load=\"imtcp\") # needs to be done just once\ninput(type=\"imtcp\" port=\"514\")<\/pre>\n\n\n\n
Now create a new template for receiving remote messages, as this template will guide the local Rsyslog server, where to save the received messages send by Syslog network clients:<\/p>\n\n\n\n
$template RemoteLogs,\"\/var\/log\/%PROGRAMNAME%.log\" \n*.* ?RemoteLogs<\/pre>\n\n\n\n
The $template RemoteLogs<\/code> directive guides Rsyslog daemon to gather and write all of the transmitted log messages to distinct files, based on the client name and remote client application that created the messages based on the outlined properties added in the template configuration: %PROGRAMNAME%<\/code>.<\/p>\n\n\n\n
All received log files will be written to the local filesystem to an allocated file named after the client machine\u2019s hostname and kept in \/var\/log\/<\/strong> directory.<\/p>\n\n\n\n
The & ~<\/code> redirect rule directs the local Rsyslog server to stop processing the received log message further and remove the messages (not write them to internal log files).<\/p>\n\n\n\n
The RemoteLogs<\/code> is an arbitrary name given to this template directive. You can use whatever name you want that best suitable for your template.<\/p>\n\n\n\n
To configure more complex Rsyslog templates, read the Rsyslog configuration file manual by running the man rsyslog.conf<\/strong> command or consult Rsyslog online documentation<\/a>.<\/p>\n\n\n\n
Now, we exit our configuration file and restart the daemon:<\/p>\n\n\n\n
service rsyslog restart\n\nsystemctl status rsyslog.service\n....\nFeb 25 14:43:06 syslog-new rsyslogd[1668]: imjournal: journal files changed, reloading..<\/em>. <\/pre>\n\n\n\n
Once you restarted the Rsyslog<\/strong> server, it should now act as a centralized log server and record messages from Syslog clients. To confirm the Rsyslog network sockets, run netstat<\/strong> command:<\/p>\n\n\n\n
netstat -tulpn | grep rsyslog <\/pre>\n\n\n\n
If we don’t have this command, run this, to find out, which packages have it:<\/p>\n\n\n\n
dnf provides netstat\n\nLast metadata expiration check: 2:06:49 ago on Fri 25 Feb 2022 12:38:49 PM CET.\nnet-tools-2.0-0.52.20160912git.el8.x86_64 : Basic networking tools\nRepo        : baseos\nMatched from:\nFilename    : \/usr\/bin\/netstat<\/em><\/pre>\n\n\n\n
So, install package and run it again:<\/p>\n\n\n\n
dnf install net-tools -y<\/pre>\n\n\n\n
netstat -tulpn | grep rsyslog \ntcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1668\/rsyslogd       \ntcp6       0      0 :::514                  :::*                    LISTEN      1668\/rsyslogd       \nudp        0      0 0.0.0.0:514             0.0.0.0:*                           1668\/rsyslogd       \nudp6       0      0 :::514                  :::*                                1668\/rsyslogd      <\/pre>\n\n\n\n
To add firewall exceptions for this port, execute following:<\/p>\n\n\n\n
firewall-cmd --permanent --add-service=syslog\nfirewall-cmd --permanent --add-port=514\/tcp #if enabled tcp socket\nfirewall-cmd --reload<\/pre>\n\n\n\n
And now, we can set remote logging on others servers or hardware (switches)…<\/p>\n\n\n\n
On mikrotiks set remote IP for logging, like this:<\/p>\n\n\n\n
\/system\/logging\/action\nset remote remote=10.10.10.10\n\/system\/logging\/\nadd action=remote topics=info\nadd action=remote topics=critical\nadd action=remote topics=error\nadd action=remote topics=warning<\/pre>\n\n\n\n
On cisco switches SG350X:<\/p>\n\n\n\n
configure\nlogging host 10.10.10.10 description syslog.example.sk \nlogging origin-id hostname<\/pre>\n\n\n\n
Or we can set on webserver, to sent apache logs to our syslog. First, set apache httpd.conf and vhost conf:<\/p>\n\n\n\n
vim \/etc\/httpd\/conf\/httpd.conf<\/em>\n\nErrorLog \"||\/usr\/bin\/logger -t apache -i -p local4.info\"\n    LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined\n    LogFormat \"%h %l %u %t \\\"%r\\\" %>s %b\" common\n\nvim \/etc\/httpd\/conf.d\/0-vhost.conf<\/em>\n...\n    LogFormat \"%v %h %l %u %t \\\"%r\\\" %>s %b \\\"%{Referer}i\\\" \\\"%{User-agent}i\\\"\" vhostform\n    CustomLog \"||\/usr\/bin\/logger -t apache -i -p local4.info\" vhostform<\/pre>\n\n\n\n
And now, set on webserver rsyslog, to sent logs to our syslog, :<\/p>\n\n\n\n
vim \/etc\/rsyslog.conf<\/em>\n\n#### OWN RULES ####\nlocal4.info                                             @@10.10.10.10<\/pre>\n\n\n\n
Now, we can see, that our logs are on syslog. There, we can set filter to separate logs into own directories and files based on hostname, IPs… This I explain later (we alter rsyslog to syslog-ng package.<\/p>\n ","protected":false},"excerpt":{"rendered":"
https:\/\/unixcop.com\/how-to-install-syslog-server-and-client-centos8\/ With so much complex information produced by multiple applications and systems, administrators need a way to review the details, so they can understand the cause of problems or plan appropriately for the future. The Syslog (System Logging Protocol) system on the server can act as a central log monitoring point over a network where … Continue reading Configuring a remote logging solution – rsyslog<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[116,16,8,51,141],"class_list":["post-848","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-centos-8","tag-disk","tag-linux","tag-lvm","tag-syslog"],"_links":{"self":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts\/848","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=848"}],"version-history":[{"count":11,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts\/848\/revisions"}],"predecessor-version":[{"id":866,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=\/wp\/v2\/posts\/848\/revisions\/866"}],"wp:attachment":[{"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gonscak.sk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}