How do you experience when something goes wrong on your system. You look at the system logs, of course! In all seriousness, understanding system logging is important so that you can troubleshoot when something went wrong. In Linux system we have syslog which captures every activity occurring on the system. Generally logs are stored on the local system at location “/var/log/messages” .However we can configure centralized syslog server where we can dump all the logs centrally to monitor all the logs in one go.
In this Demo we are going to configure centralized syslog server which will be “rhel1” system. So “rhel1” will receive logs from the other system say “RHEL2” over a network.
So Let’s begin to configure centralized syslog server “rhel1”.
Steps:
At the server side “rhel1”:
- login to server “rhel1”
- change following lines of code in the file “/etc/rsyslog.conf”From
# Provides UDP syslog reception #$ModLoad imudp.so #$UDPServerRun 514
to
# Provides UDP syslog reception $ModLoad imudp.so $UDPServerRun 514
Basically you need to uncomment these two lines in the file “/etc/rsyslog.conf”. Changing above lines of code provides “rhel1” server to recept the logs with UDP port 514.
- Restart syslog service:
[root@rhel1 ~]# service rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ]
- Configure the following rule if you have iptables enabled.
[root@rhel1 ~]# iptables -I INPUT 5 -p udp -m udp --dport 514 -j ACCEPT
- Now save this iptables rules and restart it using below command:
[root@rhel1 ~]# service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ] [root@rhel1 ~]# service iptables restart iptables: Flushing firewall rules: [ OK ] iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: [ OK ]
Here server side configuration is complete.
At the client side “RHEL2”:
You can configure client system “RHEL2” to send all or some categories of logs to centralized server “rhel1”. Basically you need to change following entries in “/etc/rsyslog.conf”on the server “RHEL2”. Below is the basic syntax of the same.
<log file> @<hostname or IP of system (local or remote)>
1.In our demo we are changing the “authpriv” logs which captures non-system authorization messages. Change the following entry in “/etc/rsyslog.conf” and save the file.
# The authpriv file has restricted access. authpriv.* @192.168.216.134
In the above example “192.168.216.134” is the ip address of our rhel1 system which is our centralized syslog server.
2. Restart the syslog service on “RHEL2”
[root@RHEL2 ~]# service rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ]
Testing:
For testing login and logout on the system “RHEL2”. You can see the logs are getting updated “/var/log/secure” file on the server “rhel1” as below:
Which means we have successfully performed activity of “configure centralized syslog server”.