Rsyslog As A Central Logging Server


Before setting up the central logging server, it helps to understand how rsyslog configuration is structured.
Configuration structure
Rsyslog configuration files are structured in three parts:
1. Modules
2. Configuration directives
3. Rule lines
Modules
Rsyslog has a modular architecture: functionality is added by loading modules. The main categories are:
• Input modules (im*, for example imuxsock, imudp, imtcp) – gather messages from various sources
• Output modules (om*, for example omfile, omfwd) – write messages to various destinations (file, socket, remote host, database and so on)
• Parser modules (pm*) – parse the message content
There are other categories of modules as well; this is only an overview of what modules do.
Configuration directives
In the legacy configuration format used throughout this article, every directive is written on its own line and starts with a dollar sign ($), for example $ModLoad imtcp. A directive sets parameters that apply to the rules and actions that follow it, so the order of lines matters. Rsyslog 6 and later, including the 7.x release shipped with Ubuntu 14.04, also accept the newer RainerScript format (module(load="imtcp"), action(...)); both formats can be mixed in one file, but this article stays with the legacy one.
Rule line
Every rule line consists of two fields, a selector and an action, separated by whitespace. The selector is written as facility.priority (for example auth.info, or *.* for every message), and the action says what to do with a matching message: write it to a file, forward it to another host, and so on.

Templates
Templates are one of the most useful features of rsyslog. They let the user write messages in whatever format they want, and they can also generate dynamic file names, for example one file per sending host. For database outputs, a template turns the message into the SQL statement to execute.
In the legacy syntax a template is declared with $template followed by a name and a quoted format string; message properties such as %HOSTNAME%, %PROGRAMNAME% and %msg% are substituted into the string for every message. A rule line then refers to the template by name, using ?name as the action when the template produces a file name. Note that %HOSTNAME% comes from the message itself and is therefore chosen by the client, whereas %FROMHOST-IP% holds the address the message actually arrived from.

Step A: Configure the syslog server
1. First, install rsyslog on the server. It is installed by default on Ubuntu 14.04 LTS; if your system does not have it, install it on the server (and on each client) with

#apt-get install rsyslog

2. After installing, start the rsyslog service and make sure it is running on the server

#service rsyslog status

3. Check the firewall status. If the firewall is active, you must add a rule that allows the clients to reach the syslog port on the server; allow only the client subnet rather than opening the port to everyone, because anyone who can reach it can inject messages.

#ufw status

4. Now edit the rsyslog configuration file and add a template for the remote log files, together with a rule set that writes incoming messages through that template

#nano /etc/rsyslog.conf

5. Enable the TCP input module and its listener by uncommenting the two lines under "provides TCP syslog reception" (remove the leading # from $ModLoad imtcp and $InputTCPServerRun 514).

6. Restart the rsyslog service so the changes take effect, then check that the server is listening on TCP port 514 (for example with netstat -ltn).

#service rsyslog restart
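The following is an added example, not configuration from the original page. It ties together the module, directives, template and rule lines described in the configuration structure section with steps 3 to 6 of this procedure, as a legacy-syntax drop-in for the server generated and checked from a POSIX shell script. Everything it assumes is hypothetical: the client subnet 192.0.2.0/24, the drop-in path /etc/rsyslog.d/10-remote.conf, the log root /var/log/remote and Ubuntu's "syslog" service user. It keys the per-host directory on the sender's IP rather than the self-reported hostname, limits which hosts may send, and checks directive order before installing.

```shell
#!/bin/sh
# Added example, not the original page's own configuration: a legacy-syntax
# rsyslog drop-in for the central server, an offline ordering check and the
# matching ufw rule. Assumed values: client subnet 192.0.2.0/24, drop-in
# path /etc/rsyslog.d/10-remote.conf, Ubuntu's "syslog" service user and
# remote log root /var/log/remote.
set -eu

REMOTE_NET="${REMOTE_NET:-192.0.2.0/24}"            # assumed client subnet
CONF="${CONF:-/etc/rsyslog.d/10-remote.conf}"       # assumed drop-in path

# Render the server configuration. Directives apply to what follows them, so
# the rule set is defined before it is bound, and the binding comes before
# the listener is started.
server_conf() {
    cat <<EOF
# --- central logging server (legacy "\$directive" syntax) ---
\$ModLoad imtcp

# Plain TCP syslog is neither authenticated nor encrypted. Accept messages
# from the client subnet only; the host firewall enforces the same limit.
\$AllowedSender TCP, 127.0.0.1, ${REMOTE_NET}

# Remote log files and directories are not world-readable.
\$FileCreateMode 0640
\$DirCreateMode 0750

# One directory per sender, one file per program. The directory is keyed by
# the peer address (FROMHOST-IP), which a client cannot forge the way it can
# forge HOSTNAME; secpath-replace turns any "/" in the client-supplied
# program name into "_" so it cannot escape the directory.
\$template RemoteHost,"/var/log/remote/%FROMHOST-IP%/%PROGRAMNAME:::secpath-replace%.log"

# Rule set run only for messages arriving on the TCP listener, so remote
# messages never land in this host's own /var/log/syslog.
\$RuleSet remote
*.* ?RemoteHost

\$InputTCPServerBindRuleset remote
\$InputTCPServerRun 514

# Later files in /etc/rsyslog.d/ must go back to the default rule set.
\$RuleSet RSYSLOG_DefaultRuleset
EOF
}

# Offline sanity check: $InputTCPServerBindRuleset only affects listeners
# started after it, so it has to precede $InputTCPServerRun. Exit 0 = ok.
conf_order_ok() {
    server_conf | awk '
        /^\$InputTCPServerBindRuleset/ { bind = NR }
        /^\$InputTCPServerRun/         { run  = NR }
        END { exit !(bind && run && bind < run) }'
}

# Firewall rule for step 3: open 514/tcp to the client subnet only.
ufw_rule() {
    echo "ufw allow from ${REMOTE_NET} to any port 514 proto tcp"
}

# Install: write the drop-in, create the log root for the syslog user,
# validate the whole configuration (rsyslogd -N1 exits non-zero on error),
# apply the firewall rule, restart and confirm the listener (steps 4 to 6).
install_server() {
    conf_order_ok
    server_conf > "$CONF"
    install -d -o syslog -g adm -m 0750 /var/log/remote
    rsyslogd -N1
    eval "$(ufw_rule)"
    service rsyslog restart
    netstat -ltn | grep -q ':514 '
}

case "${1:-}" in
    install) install_server ;;
    show)    server_conf ;;
esac
```

Run it as `sh server.sh show` to inspect the generated drop-in and `sh server.sh install` as root to apply it. Because the drop-in sorts before Ubuntu's 50-default.conf, the final $RuleSet line matters: without it the default rules would be attached to the remote rule set and local logging would stop working.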

 

Step B: Configure the clients
1. With the server configured, configure each client to send its logs to the central server. Log in to each client node and add the following line at the end of the file, replacing ip_server with the server's address. The double @@ forwards over TCP; a single @ would use UDP, which the server configured above does not listen on.

#nano /etc/rsyslog.conf

*.* @@ip_server:514

2. Then restart the rsyslog service

#service rsyslog restart

The centralized logging setup is now complete. To verify it, send a test message from a client (for example with logger) and check that it shows up on the server, either in the remote log file or on the wire with tcpdump on port 514. Keep in mind that plain TCP syslog travels in clear text and without any authentication, which is why the listener should be limited to trusted clients; rsyslog can also run the TCP transport over TLS if the network is not trusted.
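The following is an added example for the client side, not configuration from the original page. It renders the forwarding line from step B with a disk-backed queue in front of it, so that messages are held on the client while the server is down instead of being dropped, and it checks that no forwarding line quietly uses UDP. Assumed values are hypothetical: the server address 192.0.2.10, the drop-in path /etc/rsyslog.d/10-forward.conf and Ubuntu's default spool directory /var/spool/rsyslog.

```shell
#!/bin/sh
# Added example, not the original page's own configuration: a client drop-in
# that forwards everything to the central server over TCP with a disk-backed
# queue, plus a check that no forwarding line uses UDP. Assumed values:
# server 192.0.2.10, drop-in /etc/rsyslog.d/10-forward.conf and Ubuntu's
# default spool directory /var/spool/rsyslog.
set -eu

SERVER="${SERVER:-192.0.2.10}"                      # assumed server address
CONF="${CONF:-/etc/rsyslog.d/10-forward.conf}"      # assumed drop-in path

# Render the forwarding configuration. The $ActionQueue* directives apply to
# the next action line only, so they sit directly above the "*.* @@" rule.
client_conf() {
    cat <<EOF
# --- forward all logs to the central server ---
# Queue files live here (already set in Ubuntu's rsyslog.conf, repeated for
# clarity); without a work directory the queue cannot spill to disk.
\$WorkDirectory /var/spool/rsyslog
# Asynchronous, disk-assisted queue: messages are buffered, up to 1 GB on
# disk, while the server is unreachable, kept across a restart, and the
# action retries forever instead of discarding them.
\$ActionQueueType LinkedList
\$ActionQueueFileName fwd_central
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1
# "@@" forwards over TCP; a single "@" would use UDP, which the server
# from step A does not listen on.
*.* @@${SERVER}:514
EOF
}

# Classify one rule line by its forwarding action: tcp, udp or none.
forward_proto() {
    case "$1" in
        *" @@"*) echo tcp ;;
        *" @"*)  echo udp ;;
        *)       echo none ;;
    esac
}

# Exit 0 only if every forwarding line in the rendered config uses TCP.
conf_uses_tcp() {
    client_conf | grep -v '^#' | grep '@' | while IFS= read -r line; do
        [ "$(forward_proto "$line")" = tcp ] || exit 1
    done
}

# Install the drop-in, validate, restart, then emit one tagged test message.
# On the server it should appear, within a few seconds, in whichever file the
# server's template selects for this client and the "rsyslogtest" tag.
install_client() {
    conf_uses_tcp
    client_conf > "$CONF"
    rsyslogd -N1
    service rsyslog restart
    logger -t rsyslogtest "central logging test from $(hostname)"
}

case "${1:-}" in
    install) install_client ;;
    show)    client_conf ;;
esac
```

Run `sh client.sh show` to see the drop-in and `sh client.sh install` as root on each client. While the test message is in flight, `tcpdump -ni any tcp port 514` on either side shows the connection and, since the transport is plain TCP, the full message text.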

Done …

Good luck

Thanks

 

 
