Howto set up centralized logging using rsyslog


The result of some tinkering at the office with Heri (new partner)....



Install rsyslog

Download and install the rsyslog package from
http://www.rsyslog.com
on both the server and the client.

Enable rsyslog

By default most Linux distributions use syslog for log handling, but here we replace syslog with rsyslog.
Turn syslog off in the run levels:
chkconfig syslog off
Shut syslog down:
service syslog stop
Set the run levels for rsyslog:
chkconfig --level 234 rsyslog on
Check the run levels for rsyslog:
chkconfig --list | grep rsyslog
Do this on both the server and the client, or each time you install rsyslog; rsyslog takes over from syslog.

Configuration


Rsyslog Server

On the server, create a directory for the per-host log files:
#mkdir /var/log/rsyslog
Edit the rsyslog config file at
/etc/rsyslog.conf
and add the TCP input module plus a template for the client log files:
$template DailyPerHostLogs,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%.%$YEAR%-%$MONTH%-%$DAY%.log"
$ModLoad imtcp
$InputTCPServerRun 514
Then send every message to the template:
*.* -?DailyPerHostLogs;

so the configuration file will look like this:
# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template DailyPerHostLogs,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%.%$YEAR%-%$MONTH%-%$DAY%.log"
$ModLoad imtcp
$InputTCPServerRun 514
# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                      /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none     /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                   /var/log/secure
# Log all the mail messages in one place.
mail.*                                      -/var/log/maillog
# Log cron stuff
cron.*                                       /var/log/cron
# Everybody gets emergency messages
*.emerg                                      *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                              /var/log/spooler
# Save boot messages also to boot.log
local7.*                                    /var/log/boot.log
*.* -?DailyPerHostLogs;
Edit the other rsyslog file at
/etc/sysconfig/rsyslog.conf
and replace "-m 0" with "-c3" ("-m 0" is the old sysklogd mark-interval option; "-c3" runs rsyslog in native v3 mode).

Rsyslog Client

On the client, edit the rsyslog config file at
/etc/rsyslog.conf
add the TCP module
$ModLoad imtcp
and add the log server's IP address and port:
*.* @@192.168.1.200:514
The port can be chosen freely; it does not have to be 514. The @@ prefix means rsyslog will forward over a TCP connection (a single @ would use UDP).
so the configuration file will look like this:
# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock
$ModLoad imtcp
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                  /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.*                               /var/log/secure
# Log all the mail messages in one place.
mail.*                                  -/var/log/maillog
# Log cron stuff
cron.*                                   /var/log/cron
# Everybody gets emergency messages
*.emerg                                  *
# Save news errors of level crit and higher in a special file.
uucp,news.crit                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                /var/log/boot.log
# Add this line to send the logs to the rsyslog server
*.* @@192.168.1.200:514
Edit the other rsyslog file at
/etc/sysconfig/rsyslog.conf
and replace "-m 0" with "-c3", as on the server.
Then restart the rsyslog service:
service rsyslog restart
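To see what the two files above actually do before deploying them, here is a small parser for the legacy "$"-directive rsyslog syntax they use; it is an added example, not part of the original post, and the two configs embedded in it are constructed from the server and client files shown, with a made-up hostname and date.

```python
"""Parse the legacy "$"-directive rsyslog.conf syntax used above and report where each
selector's messages go. Added example, not from the post; configs are constructed."""
import re

CLIENT_CONF = """\
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.*                               /var/log/secure
 *.* @@192.168.1.200:514
"""
SERVER_CONF = """\
$template DailyPerHostLogs,"/var/log/rsyslog/%HOSTNAME%/%HOSTNAME%.%$YEAR%-%$MONTH%-%$DAY%.log"
$ModLoad imtcp
$InputTCPServerRun 514
*.* -?DailyPerHostLogs;
"""

def parse_conf(text):
    """Return ({template: format}, [(selector, action)]); other $directives are skipped."""
    templates, rules = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith('$template'):
            name, fmt = line[len('$template'):].split(',', 1)
            templates[name.strip()] = fmt.strip().strip('"')
        elif line and not line.startswith(('#', '$')):
            rules.append(tuple(line.split(None, 1)))
    return templates, rules

def classify_action(action):
    """Legacy actions: @@host:port = TCP, @host:port = UDP, ?name = dynafile template."""
    a = action.rstrip(';').lstrip('-')          # a leading '-' only disables fsync
    if a.startswith('@'):
        host, _, port = a.lstrip('@').partition(':')
        return ('tcp' if a.startswith('@@') else 'udp'), host, int(port or 514)
    if a.startswith('?'):
        return 'dynafile', a[1:], None
    return ('wall' if a == '*' else 'file'), a, None

def remote_destinations(text):
    """Selectors that leave the host over the network: (selector, proto, host, port)."""
    rows = [(sel, *classify_action(act)) for sel, act in parse_conf(text)[1]]
    return [r for r in rows if r[1] in ('tcp', 'udp')]

def server_logfile_for(text, hostname, day):
    """File the DailyPerHostLogs dynafile writes for one host on day 'YYYY-MM-DD'."""
    templates, rules = parse_conf(text)
    props = dict(zip(('$YEAR', '$MONTH', '$DAY'), day.split('-')), HOSTNAME=hostname)
    for _, act in rules:
        kind, name, _ = classify_action(act)
        if kind == 'dynafile':     # expand %HOSTNAME%, %$YEAR%, ... property references
            return re.sub(r'%([^%]+)%', lambda m: props.get(m[1], m[0]), templates[name])
    return None
```

Running remote_destinations over the client config shows that the *.* rule forwards everything, authpriv included, and that the @@ action is plain TCP, so those messages cross the network unencrypted.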
