Syslog server on Centos 7

Publicatiedatum
Reacties Geen

I was strugling a bit to find a good example of how to create a syslog server on Centos 7 that is able to split out the log files based on server and date.

While rsyslog can do this for you, I had to scrape a bit to find the proper bits of information. So I document it here for others to find it.

The steps on a basic Centos 7 server

  1. Install ryslog
  2. Create the configuration file
  3. Start rsyslog
  4. Punch a whole in the firewall for syslog

Install rsyslog

Use the following command:
sudo yum install rsyslog

Create the configuration file

I created an additional configuration file in /etc/rsyslog.d/remote.conf:

Module (load=“imudp”)
Input (type=“imudp” port=“514” ruleset=“Remote”)

$template RemoteLogs, “/var/log/syslog/%fromhost-ip%/%$year%/%$month%/%$year%%$month%%$day%-%fromhost-ip%-%syslogfacility-text%.log”

Ruleset (name=“Remote”) { Action (type=“omfile” dynafile=“RemoteLogs”) }

The syslog directory tree is build based on:

  1. IP address of syslog device
  2. Year
  3. Month

The files are split per day and syslog facility.

The files require root access by default so you may want to play with settings access right to a specific group and give that group read access.

SELINUX

If you have SELINUX on. And this is default situation with Centos 7 there will be a problem if you want to write outside the scope of /var/log

So if you want to write for example to /home/syslog/logs instead of /var/log/syslog you need to tell SELINUX that this is OK.
chcon system_u:object_r:var_log_t:s0 /home/syslog/logs

Start rsyslog

Start syslog with:
sudo systemctl restart rsyslog

Make it reboot proof with:
sudo systemctl enable rsyslog

Verify the status with:
sudo systemctl status rsyslog

Punch a whole in the firewall for syslog

Allow UDP port 514 incoming traffic:
sudo firewall-cmd —zone=public —add-port=514/udp —permanent

And reload the firewall policy to activate it:
sudo firewall-cmd —reload

That’s all folks.

Medewerker
Categorie

Reacties

Op dit artikel kan niet gereageerd worden.

← Ouder Nieuwer →