Building a central rsyslog server (CentOS 6)

  • June 16, 2016
  • Category: Linux

A setup on CentOS 6 with rsyslog sending the logs to a MariaDB database in addition to storing them locally.

Steps

1. Installing rsyslog v8
2. Configuring rsyslog
3. Creating a config file for internal servers
4. Adding database logging
5. Adding iptables rules
6. Configuring clients


1. Installing rsyslog v8

Add rsyslog repo:

/etc/yum.repos.d/rsyslog_v8.repo

[rsyslog_v8]
name=Adiscon CentOS-$releasever - local packages for $basearch
baseurl=http://rpms.adiscon.com/v8-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
gpgkey=http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
protect=1

yum update
rsyslogd -v

rsyslogd 8.18.0, compiled with:
    PLATFORM:               x86_64-redhat-linux-gnu
    PLATFORM (lsb_release -d):      
    FEATURE_REGEXP:             Yes
    GSSAPI Kerberos 5 support:      No
    FEATURE_DEBUG (debug build, slow code): No
    32bit Atomic operations supported:  Yes
    64bit Atomic operations supported:  Yes
    memory allocator:           system default
    Runtime Instrumentation (slow code):    No
    uuid support:               Yes
    Number of Bits in RainerScript integers: 64

See http://www.rsyslog.com for more information.

service rsyslog restart

2. Configuring rsyslog

/etc/rsyslog.conf

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

3. Creating a config file for internal servers

/etc/rsyslog.d/lan_servers.conf

$template DailyPerHostLogs,"/var/log/syslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%_messages.log"
*.info;authpriv.none;cron.none                -?DailyPerHostLogs
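To make the selector and the dynamic file name concrete, here is an added Python model (example code, not rsyslog's own) of what steps 2 and 3 do to a message arriving on port 514: it parses the RFC 3164 line, applies `*.info;authpriv.none;cron.none` and expands the DailyPerHostLogs template for the reception date. The sample messages, the reception timestamp and the hostname check before the name is used in a path are constructed for this example and are not a description of how rsyslog itself treats the HOSTNAME field.

```python
"""Model of the server-side filtering in steps 2 and 3: parse an incoming
RFC 3164 syslog line, apply the selector '*.info;authpriv.none;cron.none'
and compute the DailyPerHostLogs file the message would land in.
Added example, not rsyslog code; all sample data below is constructed."""
import re
from datetime import datetime

# Facility and severity codes from RFC 3164 / RFC 5424, with rsyslog's names
# (13-15 are the RFC 5424 "log audit", "log alert" and "clock daemon" slots).
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3",
    "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err",
                  "warning", "notice", "info", "debug"]

RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # Jun 16 10:12:01
    r"(?P<host>\S+) "                                 # HOSTNAME as sent
    r"(?P<msg>.*)$"                                   # TAG and message text
)

SELECTOR = "*.info;authpriv.none;cron.none"   # the line from lan_servers.conf
TEMPLATE_ROOT = "/var/log/syslog"
# Defensive check added by this example: the hostname is sender-controlled
# and ends up inside a path on the server, so only plain DNS labels pass.
SAFE_HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")


def parse_selector(selector):
    """Turn 'fac.prio;fac.prio;...' into {facility: max_severity or None}.
    Entries apply left to right, so 'authpriv.none' after '*.info' removes
    authpriv again, which is how the legacy selector syntax behaves."""
    table = {}
    for entry in selector.split(";"):
        facs, prio = entry.strip().split(".")
        names = FACILITY_NAMES if facs == "*" else facs.split(",")
        for name in names:
            if prio == "none":
                table[name] = None                      # excluded
            elif prio == "*":
                table[name] = SEVERITY_NAMES.index("debug")
            else:
                table[name] = SEVERITY_NAMES.index(prio)  # prio and above
    return table


def parse_message(raw):
    """Split an RFC 3164 line into facility, severity, hostname and text."""
    m = RFC3164_RE.match(raw)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 facilities * 8 severities - 1
        return None
    return {"facility": FACILITY_NAMES[pri >> 3], "severity": pri & 7,
            "hostname": m.group("host"), "msg": m.group("msg")}


def selected(msg, table):
    """True if the selector keeps this facility at this severity."""
    limit = table.get(msg["facility"])
    return limit is not None and msg["severity"] <= limit


def dynafile_path(hostname, received):
    """Expand DailyPerHostLogs. %$YEAR%/%$MONTH%/%$DAY% are the reception
    time on the server, not the timestamp carried inside the message."""
    if not SAFE_HOSTNAME.match(hostname) or ".." in hostname:
        return None
    return "%s/%04d/%02d/%02d/%s_messages.log" % (
        TEMPLATE_ROOT, received.year, received.month, received.day, hostname)


def route(raw, received, selector=SELECTOR):
    """Return the file the message would be written to, or None if dropped."""
    msg = parse_message(raw)
    if msg is None or not selected(msg, parse_selector(selector)):
        return None
    return dynafile_path(msg["hostname"], received)


# Constructed sample traffic as the central server would receive it.
RECEIVED = datetime(2016, 6, 16, 10, 12, 5)
SAMPLES = {
    "mail":    "<22>Jun 16 10:12:02 mail01 postfix/smtpd[2222]: connect from unknown[192.168.122.20]",
    "sshd":    "<86>Jun 16 10:12:01 web01 sshd[1234]: Accepted publickey for deploy from 192.168.122.20",
    "cron":    "<78>Jun 16 10:12:03 db01 CROND[333]: (root) CMD (run-parts /etc/cron.hourly)",
    "debug":   "<15>Jun 16 10:12:04 web01 app[77]: verbose trace output",
    "badhost": "<22>Jun 16 10:12:06 ../../tmp/evil postfix[1]: hostname with path characters",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-8s -> %s" % (name, route(raw, RECEIVED)))
```

Running it routes the Postfix line to /var/log/syslog/2016/06/16/mail01_messages.log, while the sshd line (authpriv), the CROND line (cron) and the debug-level line are dropped by the selector, and the message with path characters in its hostname is refused before any file name is built. Because the date in the path is the server's reception time, one host's messages split across two files at midnight.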

4. Adding database logging

Sending logs to a MariaDB database

/etc/rsyslog.conf

$ModLoad ommysql
*.* :ommysql:192.168.122.143,rsyslogdb,rsysloguser,somepassword

5. Adding iptables rules

iptables -I INPUT 10 -s 192.168.122.0/24 -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
iptables -I INPUT 11 -s 192.168.122.0/24 -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
iptables-save > /etc/sysconfig/iptables

6. Configuring clients

On one of the Postfix servers (sending over TCP):

/etc/rsyslog.d/central_syslog.conf

*.*     @@192.168.122.151

/etc/rsyslog.d/maillog_to_remote.conf

mail.*  @@192.168.122.151

Docs

Setup Centralized Log Server Using Rsyslog And LogAnalyzer On CentOS, RHEL, Scientific Linux 6.5/6.4
Configuring a syslog server on RHEL/CentOS 6
How to install and configure a SysLog Server
More complex scenarios