Configure rsyslog client for remote logging on CentOSrsyslog is an open source utility widely used on Linux systems to forward or receive log messages via
TCP/UDP protocols.
rsyslog daemon can be configured in two scenarios. Configured as a log collector server,
rsyslog daemon can gather log data from all other hosts in the network, which are configured to send their internal logs to the server. In another role,
rsyslog daemon can be configured as a client which filters and sends internal log messages to either a local folder (e.g.
/var/log) or a remote
rsyslog server based on routing facility.
Assuming that you already have a
rsyslog server up and running on your network, this guide will show you how to set up a CentOS system to route its internal log messages to a remote
rsyslog server. This will greatly improve your system's disk usage, especially if you don't have a separate large partition dedicated for
/var directory.
Step One: Install Rsyslog DaemonOn CentOS 6 and 7,
rsyslog daemon comes preinstalled. To verify that
rsyslog is installed on your CentOS system, issue the following command:
# rpm -qa | grep rsyslog
# rsyslogd -v
If for some reason
rsyslog daemon is missing on your system, issue the following command to install it:
# yum install rsyslog
Step Two: Configure Rsyslog Daemon as a ClientThe next step is to transform your CentOS machine into a
rsyslog client which sends all of its internal log messages to the central remote log server.
To do so, open the main
rsyslog configuration file located in /etc path with your favorite text editor:
# nano /etc/rsyslog.conf
After the file is opened for editing, you need to add the following statement at the bottom of the file. Replace the IP address with your remote
rsyslog server's IP address.
*.* @192.168.1.25:514
The above statement tells
rsyslog daemon to route every log message from every facility on the system to the remote
rsyslog server (192.168.1.25) on UDP port 514.
If for some reasons you need a more reliable protocol like TCP, and the
rsyslog server is configured to listen for TCP connections, you must add an extra
@ character in front of the remote host's IP address as in the below excerpt:
*.* @@192.168.1.25:514
Note that you can also replace the IP address of the
rsyslog server with its DNS name (FQDN).
If you want to forward log messages from a specific facility only, let's say
kernel facility, then you can use the following statement in your
rsyslog configuration file.
kern.* @192.168.1.25:514
On CentOS 7:
# systemctl restart rsyslog.service
On CentOS 6:
# service rsyslog restart
In another scenario, let's assume that you have installed an application named "foobar" on your machine, which generates logs to
/var/log/foobar.log file. Now you want to direct only its logs to a remote rsyslog server. This can be achieved by loading
imfile module in the
rsyslog configuration as follows.
First load the
imfile module. This must be done just once.
module(load="imfile" PollingInterval="5")
Then specify the path to the log file that the
imfile module should monitor:
input(type="imfile"
File="/var/log/foobar.log"
Tag="foobar"
Severity="error"
Facility="local7")
Finally, direct
local7 facility to the remote
rsyslog server:
local7.* @192.168.1.25:514
Don't forget to restart
rsyslog daemon.
Step Three: Enable
Rsyslog Daemon to Auto-start
To automatically start
rsyslog client after every system reboot, run the following command to enable it system-wide:
On CentOS 7:
# systemctl enable rsyslog.service
On CentOS 6:
# chkconfig rsyslog on
SummaryHere, I demonstrated how to turn a CentOS system into
rsyslog client to force it to send its log messages to a remote
rsyslog server. Here I assume that the connection between a
rsyslog client and
rsyslog server is secure (e.g., within the corporate network protected by a firewall). Under any circumstances do not configure a
rsyslog client to forward log messages over insecure networks or, especially, over the Internet as the
syslog protocol is a clear-text protocol. For secure transmission, consider encrypting
syslog messages using
TLS/SSL.
# * # * # * # * # * # * # * # * # * # * # * # * # * # * # * # * # * # * # * # * # * # * #