I was strugling a bit to find a good example of how to create a syslog server on Centos 7 that is able to split out the log files based on server and date.
While rsyslog can do this for you, I had to scrape a bit to find the proper bits of information. So I document it here for others to find it.
The steps on a basic Centos 7 server
- Install ryslog
- Create the configuration file
- Start rsyslog
- Punch a whole in the firewall for syslog
Install rsyslog
Use the following command:
sudo yum install rsyslog
Create the configuration file
I created an additional configuration file in /etc/rsyslog.d/remote.conf:
Module (load="imudp") Input (type="imudp" port="514" ruleset="Remote")$template RemoteLogs, "/var/log/syslog/%fromhost-ip%/%$year%/%$month%/%$year%%$month%%$day%-%fromhost-ip%-%syslogfacility-text%.log"Ruleset (name="Remote") { Action (type="omfile" dynafile="RemoteLogs") }
The syslog directory tree is build based on:
- IP address of syslog device
- Year
- Month
The files are split per day and syslog facility.
The files require root access by default so you may want to play with settings access right to a specific group and give that group read access.
SELINUX
If you have SELINUX on. And this is default situation with Centos 7 there will be a problem if you want to write outside the scope of /var/log
So if you want to write for example to /home/syslog/logs instead of /var/log/syslog you need to tell SELINUX that this is OK.
chcon system_u:object_r:var_log_t:s0 /home/syslog/logs>
Start rsyslog
Start syslog with:
sudo systemctl restart rsyslog
Make it reboot proof with:
sudo systemctl enable rsyslog
Verify the status with:
sudo systemctl status rsyslog
Punch a whole in the firewall for syslog
Allow UDP port 514 incoming traffic:
sudo firewall-cmd --zone=public --add-port=514/udp --permanent
And reload the firewall policy to activate it:
sudo firewall-cmd --reload
Reacties
Op dit artikel kan niet gereageerd worden.