Configuring Syslog in Red Hat Enterprise Linux 6

So, I was having a discussion with a friend who has requested a few articles on systems monitoring. As many monitoring solutions utilize central logging, I thought I would start off with a good old fashioned Syslog server.

In this example, I use the following details:

Syslog Server: syslog.example.com
Client Server: server01.example.com

Setting up Syslog is really quite simple. Start by making sure you have the rsyslog package installed.
This will most likely already be the case, as local syslog is actually already used for local system logging.

[root@syslog ~]# yum install -y rsyslog

Next, we need to tell rsyslog to accept remote TCP and UDP syslog requests.

At the top of the file “/etc/rsyslog.conf”, change the below lines

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

to this

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Once you have saved your changes, restart the rsyslog service

[root@syslog ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@syslog ~]#

Lastly, you’ll need to open the syslog ports on your local firewall.

[root@syslog ~]# iptables -I INPUT -p tcp --dport 514 -j ACCEPT
[root@syslog ~]# iptables -I INPUT -p udp --dport 514 -j ACCEPT
[root@syslog ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@syslog ~]#

 

That’s it for the server side configuration. Now we need to point some clients to your new syslog server.

Firstly, make sure rsyslog is installed. Again, this should be part of your base install so you will see it is already installed.

[root@server01 ~]# yum install rsyslog

Next, we need to point our server to the new syslog installation.
Edit “/etc/rsyslog.conf” and, under the #### RULES #### section, add the below line to send ALL syslog events to the remote server

*.* @syslog.example.com

Should you wish to, for example, only send mail logs to the syslog server, you would add the below line.

mail.* @syslog.example.com

Once you save your changes, restart your rsyslog service

[root@server01 ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@server01 ~]#

As with any implementation, you should always test your changes to make sure they have worked.
To check your settings, tail all the logs on your syslog server as follows

[root@syslog ~]# tail -f /var/log/*

Next, you will need to trigger an event on your client system which will send its logs to Syslog.
For example, installing something via yum. For this purpose, I have run “yum install vsftpd”

You will see the below appear in the logs on your syslog server.

==> /var/log/messages <==
Aug 18 19:15:25 server01 yum[8804]: Installed: vsftpd-2.2.2-11.el6.x86_64

 

If your logs have appeared, then you have configured your server and client correctly and remote logging is working successfully.
You will notice that your system’s hostname will appear in the remote logs. Here it is seen as “server01”. This will identify which logs are coming from which server.
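
Before relying on the tail test alone, it helps to confirm which listeners and forwarding rules are actually active in “/etc/rsyslog.conf”. The script below is an added example, not part of the original post: it parses a legacy-format rsyslog.conf and reports each uncommented listener and each forwarding rule with its transport (in rsyslog a single “@” forwards over UDP, “@@” over TCP). The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Audit a legacy-format rsyslog.conf: which listeners and forwarding rules are active.

# Constructed sample mixing the post's server and client lines (not a real host's file).
sample_conf() {
cat <<'EOF'
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### RULES ####
*.* @syslog.example.com
mail.* @@syslog.example.com:10514
#authpriv.* @syslog.example.com
EOF
}

# Print "udp PORT" / "tcp PORT" for each uncommented listener directive.
list_listeners() {
    awk '
        /^[ \t]*#/ { next }                          # commented out: not active
        $1 == "$UDPServerRun"      { print "udp", $2 }
        $1 == "$InputTCPServerRun" { print "tcp", $2 }
    ' "$1"
}

# Print "SELECTOR TRANSPORT HOST PORT" for each forwarding rule.
# Handles hostname or IPv4 targets; bracketed IPv6 targets are not parsed.
list_forwards() {
    awk '
        /^[ \t]*[#$]/ || NF < 2 { next }             # skip comments, directives, blanks
        $2 ~ /^@/ {
            target = $2
            proto = (target ~ /^@@/) ? "tcp" : "udp" # "@@" is TCP, "@" is UDP
            sub(/^@+/, "", target)
            n = split(target, hp, ":")
            port = (n > 1) ? hp[2] : 514             # no port given: default 514
            print $1, proto, hp[1], port
        }
    ' "$1"
}

conf=$(mktemp)
sample_conf > "$conf"
echo "Listeners:"; list_listeners "$conf"
echo "Forwards:";  list_forwards "$conf"
rm -f "$conf"
```

On a real system, call list_listeners and list_forwards with /etc/rsyslog.conf as the argument; a client rule whose transport has no matching listener on the server will never deliver.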

 

5 comments on “Configuring Syslog in Red Hat Enterprise Linux 6”

  1. phanite September 3, 2013 15:28

    Excellent Thanks! this is what exactly i was looking for cheers! mate

  2. Rambo Rajkumar September 4, 2013 13:53

    This is really useful …a great time saver 🙂

  3. nader October 2, 2013 07:55

    thanks

  4. zafer March 20, 2014 14:49

    Neat & clean.. thank you so much

  5. Johnny Random June 11, 2014 21:45

    There’s a fairly standard command, “logger”, which you can use to test logging, without touching other parts of the system.
