
In this post I will share how to set up a central log server using rsyslog on Linux CentOS 6.2; the same steps also work on CentOS 6.3. The central rsyslog server archives all logging messages (/var/log/messages) from its clients. These messages are worth keeping, because they are critical to a system administrator for troubleshooting.
/var/log/messages – Contains global system messages, including the messages that are logged during system startup. There are several things that are logged in /var/log/messages including mail, cron, daemon, kern, auth, etc.
Assume that the central log server and client IP addresses are as below:
Central rsyslog Server : 192.168.1.55 (rsyslogserver)
Rsyslog client : 192.168.1.54 (rsyslogclient)
Configure the Central Rsyslog Server:
1. Log in to the central rsyslog server. First, back up the default rsyslog.conf configuration:
[root@rsyslogserver ~]# cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
2. Edit the rsyslog configuration file:
[root@rsyslogserver ~]# vi /etc/rsyslog.conf
3. Load the modules we need:
#### MODULES ####
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so   # provides kernel logging support (previously done by rklogd)
$ModLoad immark.so   # provides --MARK-- message capability
4. Listen on TCP and UDP port 514:
# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerAddress 0.0.0.0
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514
5. Set the default template:
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
6. Implement the logging rules:
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
7. Add the following lines in the forwarding rule section:
# ### begin forwarding rule ###
..
..
#
# This one is the template to generate the log filename dynamically, depending on the client's IP address.
$template FILENAME,"/var/log/rsyslog/%fromhost-ip%/messages-%$YEAR%-%$MONTH%-%$DAY%.log"
#
# Log all messages to the dynamically formed file. Now each client's log (192.168.1.2, 192.168.1.3, etc...)
# will be under a separate directory which is formed by the template FILENAME.
*.* ?FILENAME
..
..
# ### end of the forwarding rule ###
8. Create the rsyslog folder under /var/log:
[root@rsyslogserver ~]# mkdir /var/log/rsyslog
9. After adding the above lines to rsyslog.conf, restart the rsyslog process; it will then be ready to accept messages from the configured clients:
[root@rsyslogserver ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
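The restart in step 9 reports OK even when a listener line was left commented out, so it is worth checking the file for the directives the server actually needs before restarting. The script below is an added example written for this post, not the author's or the rsyslog project's own code; it assumes the legacy $-directive syntax used above and runs against two configuration files it constructs itself. One caveat on step 4: $UDPServerAddress 0.0.0.0 binds port 514 on every interface, so on a real server either restrict that address to the management interface or limit who may reach the port with a host firewall (this rsyslog generation also accepts $AllowedSender for the same purpose).

```shell
#!/bin/bash
# Added example for this post (not the author's or rsyslog's own code):
# check that a CentOS 6 style rsyslog.conf, written with the legacy
# "$Directive" syntax used above, contains every line the central server
# needs before "service rsyslog restart" is run.

# One "description|extended regex" pair per required directive.
REQUIRED_SERVER_DIRECTIVES='
UDP input module loaded|^\$ModLoad[[:space:]]+imudp(\.so)?$
UDP listener on 514|^\$UDPServerRun[[:space:]]+514$
TCP input module loaded|^\$ModLoad[[:space:]]+imtcp(\.so)?$
TCP listener on 514|^\$InputTCPServerRun[[:space:]]+514$
per-client filename template|^\$template[[:space:]]+FILENAME,
catch-all rule writing to the template|^\*\.\*[[:space:]]+\?FILENAME$
'

# Active (uncommented) configuration lines, with trailing "# ..." comments and
# trailing whitespace removed, so a commented-out directive does not count.
active_lines() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' "$1"
}

# Prints "missing: <description>" for each required directive absent from
# the file; prints nothing when the configuration is complete.
missing_server_directives() {
    local active
    active=$(active_lines "$1")
    printf '%s\n' "$REQUIRED_SERVER_DIRECTIVES" | while IFS='|' read -r desc regex; do
        [ -n "$regex" ] || continue
        printf '%s\n' "$active" | grep -Eq -- "$regex" || printf 'missing: %s\n' "$desc"
    done
}

# Exit status 0 only when nothing is missing.
server_conf_ok() {
    [ -z "$(missing_server_directives "$1")" ]
}

# Constructed sample: the directives from the steps above, in one file.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
#### MODULES ####
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so   # provides kernel logging support (previously done by rklogd)
# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerAddress 0.0.0.0
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.info;mail.none;authpriv.none;cron.none /var/log/messages
$template FILENAME,"/var/log/rsyslog/%fromhost-ip%/messages-%$YEAR%-%$MONTH%-%$DAY%.log"
*.* ?FILENAME
EOF

# Constructed sample with a typical mistake: the TCP listener left commented out.
BROKEN_CONF=$(mktemp)
sed -e 's/^\$InputTCPServerRun/#$InputTCPServerRun/' "$SAMPLE_CONF" > "$BROKEN_CONF"
trap 'rm -f "$SAMPLE_CONF" "$BROKEN_CONF"' EXIT

if server_conf_ok "$SAMPLE_CONF"; then echo "sample: complete"; fi
missing_server_directives "$BROKEN_CONF"   # prints: missing: TCP listener on 514
```

On a real host, rsyslogd -N1 runs rsyslog's own configuration check without starting the daemon; the script complements it by checking intent (the listeners and the template are really present and uncommented), which a syntax check alone cannot tell you.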
Configure the Rsyslog Remote Client:
1. Log in to each client machine and edit the following file:
[root@rsyslogclient ~]# vim /etc/rsyslog.conf
2. Load the modules we need:
#### MODULES ####
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so   # provides kernel logging support (previously done by rklogd)
$ModLoad immark.so   # provides --MARK-- message capability
3. Enable “*.* @192.168.1.55:514” in the forwarding rule:
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @192.168.1.55:514
# ### end of the forwarding rule ###
#
4. Restart the rsyslog service on the client :
[root@rsyslogclient ~]# service rsyslog restart
Shutting down system logger:                               [  OK  ]
Starting system logger:                                    [  OK  ]
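Two details of the client block are easy to miss. The stock comment says "we use TCP for reliable delivery", but a single @ in the action line selects UDP; TCP needs @@. And with the $ActionQueue* lines still commented out, nothing is spooled to disk while the central server is unreachable, so messages sent during an outage are simply lost. Neither transport authenticates the sender or encrypts the stream; that requires rsyslog's TLS support, which this post does not cover. The script below is an added example for this post, not the author's or rsyslog's own code; it reads plain @host[:port] targets without option flags, and the two client configurations it checks are constructed inline, the second one being the same block with TCP and the disk queue switched on.

```shell
#!/bin/bash
# Added example for this post (not the author's or rsyslog's own code):
# read the active forwarding rule out of a client rsyslog.conf and report
# which transport it really uses, because "@host" is UDP and only "@@host"
# is TCP, whatever the surrounding default comments say.

# Turns a legacy action target such as "@192.168.1.55:514" or "@@logs.example"
# into "transport host port". IPv4 literals and hostnames only; a missing
# port becomes rsyslog's default of 514. Returns 1 for anything else.
parse_target() {
    local target="$1" transport hostport host port
    case "$target" in
        @@*) transport=tcp; hostport=${target#@@} ;;
        @*)  transport=udp; hostport=${target#@} ;;
        *)   return 1 ;;
    esac
    host=${hostport%%:*}
    port=${hostport#*:}
    [ "$port" != "$hostport" ] || port=514
    printf '%s %s %s\n' "$transport" "$host" "$port"
}

# First uncommented "<selector> @target" line in the file, parsed as above.
forwarding_target() {
    local target
    target=$(sed -e 's/#.*$//' "$1" | awk 'NF == 2 && $2 ~ /^@/ { print $2; exit }')
    [ -n "$target" ] || return 1
    parse_target "$target"
}

# True when an uncommented $ActionQueueFileName is present, i.e. messages are
# spooled to disk while the central server is unreachable.
disk_queue_enabled() {
    sed -e 's/#.*$//' "$1" | grep -Eq '^\$ActionQueueFileName[[:space:]]+[^[:space:]]+'
}

# Constructed sample 1: the client block exactly as enabled in the steps above.
CLIENT_CONF=$(mktemp)
cat > "$CLIENT_CONF" <<'EOF'
# ### begin forwarding rule ###
# Remote Logging (we use TCP for reliable delivery)
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
*.* @192.168.1.55:514
# ### end of the forwarding rule ###
EOF

# Constructed sample 2: the same block with TCP and the disk queue switched on
# (the queue directives must precede the action line they apply to).
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@192.168.1.55:514
EOF
trap 'rm -f "$CLIENT_CONF" "$HARDENED_CONF"' EXIT

for conf in "$CLIENT_CONF" "$HARDENED_CONF"; do
    printf '%s: forwards via %s; disk queue %s\n' "$conf" "$(forwarding_target "$conf")" \
        "$(disk_queue_enabled "$conf" && echo on || echo off)"
done
```

Run against the block from step 3 the report reads "udp 192.168.1.55 514" with the disk queue off; the second sample reports "tcp 192.168.1.55 514" with the queue on, which is what the stock comment describes.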
Verification:
Log in to the central rsyslog server, rsyslogserver, and verify the log files:
[root@rsyslogserver ~]# ls /var/log/rsyslog/192.168.1.54/
messages-2012-09-16.log
Check the log :
[root@rsyslogserver ~]# tail -f /var/log/rsyslog/192.168.1.54/messages-2012-09-16.log
Sep 16 11:45:48 rsyslogclient ntpd[1359]: synchronized to 212.26.18.43, stratum 1
Sep 16 11:46:34 rsyslogclient clamd[1367]: SelfCheck: Database status OK.
Sep 16 11:53:47 rsyslogclient ntpd[1359]: time reset +2.330541 s
Sep 16 11:56:36 rsyslogclient clamd[1367]: SelfCheck: Database status OK.
Sep 16 11:58:32 rsyslogclient ntpd[1359]: synchronized to 212.26.18.43, stratum 1
Sep 16 12:01:01 rsyslogclient CROND[11208]: (root) CMD (run-parts /etc/cron.hourly)
Sep 16 12:01:01 rsyslogclient run-parts(/etc/cron.hourly)[1120 starting 00awstats
Sep 16 12:01:01 rsyslogclient run-parts(/etc/cron.hourly)[1121 finished 00awstats
Sep 16 12:01:01 rsyslogclient run-parts(/etc/cron.hourly)[1120 starting 0anacron
Sep 16 12:01:01 rsyslogclient run-parts(/etc/cron.hourly)[1122 finished 0anacron
Sep 16 12:06:36 rsyslogclient clamd[1367]: SelfCheck: Database status OK.
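Once the archive fills up, tail -f stops being a useful way to read it; the first thing a practitioner wants is the lines split into fields and a count per program, so that a client suddenly logging far more (or nothing at all) stands out. The script below is an added example for this post, not the author's or rsyslog's own code. It parses the RSYSLOG_TraditionalFileFormat lines chosen in step 5 on the server; the sample input is the tail output above, copied into a file the script creates itself, and the parser deliberately tolerates the run-parts lines whose closing "]:" after the pid is missing in that output.

```shell
#!/bin/bash
# Added example for this post (not the author's or rsyslog's own code):
# split lines written with RSYSLOG_TraditionalFileFormat, as in the tail
# output above, into timestamp|host|program|pid|message and count messages
# per program, the first thing to look at in a per-client archive.

# awk program shared by the functions below. Field layout of the traditional
# format: "Mon DD HH:MM:SS host tag[pid]: message"; a single-digit day is
# padded with a second space, which the default field splitting absorbs.
SYSLOG_AWK='
{
    ts   = $1 " " $2 " " $3
    host = $4
    tag  = $5
    msg  = ""
    for (i = 6; i <= NF; i++) msg = msg (i > 6 ? " " : "") $i
    program = tag
    pid = ""
    # Take the pid from "[digits" so that a tag whose closing "]:" was lost,
    # as in the run-parts lines above, still yields program and pid.
    if (match(tag, /\[[0-9]+/)) {
        program = substr(tag, 1, RSTART - 1)
        pid = substr(tag, RSTART + 1, RLENGTH - 1)
    }
    sub(/:$/, "", program)
    print ts "|" host "|" program "|" pid "|" msg
}'

# One line in -> "ts|host|program|pid|msg" out.
parse_syslog_line() {
    printf '%s\n' "$1" | awk "$SYSLOG_AWK"
}

# Whole file in -> one parsed line per input line.
parse_syslog_file() {
    awk "$SYSLOG_AWK" "$1"
}

# "program count" per distinct program tag, most frequent first.
count_by_program() {
    parse_syslog_file "$1" | cut -d '|' -f 3 | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# Sample input: the lines shown in the verification step above.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sep 16 11:45:48 rsyslogclient ntpd[1359]: synchronized to 212.26.18.43, stratum 1
Sep 16 11:46:34 rsyslogclient clamd[1367]: SelfCheck: Database status OK.
Sep 16 11:53:47 rsyslogclient ntpd[1359]: time reset +2.330541 s
Sep 16 11:56:36 rsyslogclient clamd[1367]: SelfCheck: Database status OK.
Sep 16 11:58:32 rsyslogclient ntpd[1359]: synchronized to 212.26.18.43, stratum 1
Sep 16 12:01:01 rsyslogclient CROND[11208]: (root) CMD (run-parts /etc/cron.hourly)
Sep 16 12:01:01 rsyslogclient run-parts(/etc/cron.hourly)[1120 starting 00awstats
Sep 16 12:01:01 rsyslogclient run-parts(/etc/cron.hourly)[1121 finished 00awstats
Sep 16 12:01:01 rsyslogclient run-parts(/etc/cron.hourly)[1120 starting 0anacron
Sep 16 12:01:01 rsyslogclient run-parts(/etc/cron.hourly)[1122 finished 0anacron
Sep 16 12:06:36 rsyslogclient clamd[1367]: SelfCheck: Database status OK.
EOF
trap 'rm -f "$SAMPLE_LOG"' EXIT

count_by_program "$SAMPLE_LOG"
```

The per-client directory layout from step 7 makes this easy to apply across hosts: point parse_syslog_file at /var/log/rsyslog/<client-ip>/messages-<date>.log and compare the counts between days or between clients.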