Rsyslog is used to aggregate the logs from any number of Linux servers and store them in one place. On Linux operating systems the rsyslog package is available by default. To check whether the package is installed, run the following command.
# rpm -qa | grep rsyslog
Steps to Configure rsyslog server:
The main rsyslog configuration file is /etc/rsyslog.conf. It loads modules, defines the global directives, contains the rules for processing log messages, and also includes all configuration files in /etc/rsyslog.d/ for the various applications/services. Open the file ( /etc/rsyslog.conf ) with your favorite editor and make the following changes.
As per the above file, uncomment the $ModLoad imuxsock and $ModLoad imjournal lines, which accept syslog messages from applications running on the local system via Unix sockets and import structured log messages from the systemd journal, respectively.
To set up rsyslog as a network/central logging server, you need to set the protocol (UDP, TCP or both) it will use for remote syslog reception as well as the port it listens on.
Add the details below at the end of the file ( /etc/rsyslog.conf ).
Looking at the above ruleset, the first rule is “$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"”.
The $template directive tells the rsyslog daemon to gather and write all received remote messages to distinct logs under /var/log, based on the hostname (client machine name) and the remote client facility (program/application) that generated the messages, as defined by the settings in the template RemoteLogs.
The second line “*.* ?RemoteLogs” means record messages from all facilities at all severity levels using the RemoteLogs template configuration.
The final line “& ~” instructs rsyslog to stop processing a message once it has been written to the file. If you don’t include “& ~”, the messages will go on to be written to the local log files as well.
Once all the above changes are made to the file ( /etc/rsyslog.conf ), save and close it and restart the rsyslog daemon by running the command below.
# sudo systemctl restart rsyslog
Ensure port 514 (for the protocol you configured, UDP and/or TCP) is open in the firewall and reachable from the clients.
Steps to Configure rsyslog client:
On the client system, open the file /etc/rsyslog.conf and enter the remote rsyslog server details so that the logs are sent to it.
#remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
### end of the forwarding rule
After adding the remote server details, restart the rsyslog daemon and check whether the logs arrive on the remote server in the configured path.
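The server ruleset and the client forwarding rule described above, assembled into two configuration fragments as an added example (this is not the page's own file listing): the legacy $-style directives are the ones the page quotes, the server address 192.168.0.1 comes from the page's own comment, and the secpath-replace property option is an extra hardening the page does not mention.

```conf
# ---- Server: append to /etc/rsyslog.conf (added example, not the page's listing) ----
# Local inputs: the two lines the page says to uncomment in the default file
$ModLoad imuxsock                 # syslog messages from local applications via Unix socket
$ModLoad imjournal                # structured messages from the systemd journal

# Remote reception: UDP, TCP or both; this example enables both on port 514
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

# One file per client host and per program. HOSTNAME and PROGRAMNAME come from
# the received message, so secpath-replace rewrites "/" and ".." in them and a
# crafted message cannot steer the output path outside /var/log/<host>/.
$template RemoteLogs,"/var/log/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log"

# Record every facility at every severity with the template above, then discard
# the message so no later rule (e.g. the default /var/log/messages rule, if it
# follows this block) handles it again. "& ~" is the legacy spelling used on
# this page; on rsyslog 7 and later "& stop" is the preferred form.
*.* ?RemoteLogs
& ~

# ---- Client: add to /etc/rsyslog.conf on each machine that forwards its logs ----
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# "@@" forwards over TCP (reliable delivery); a single "@" would forward over UDP.
*.* @@192.168.0.1:514
### end of the forwarding rule
```

Run `rsyslogd -N1` on each host to syntax-check the file before restarting the daemon.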