Wednesday, January 6, 2016

How to Setup Syslog Server and Syslog Client


Scenario:
Syslog Server: server.example.com
Client Server:  client.example.com

Syslog Server Setup:

[root@syslog ~]# yum install -y rsyslog

Next, we need to tell rsyslog to accept remote TCP and UDP syslog requests.
At the top of the file “/etc/rsyslog.conf”, change the below lines:

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
to this
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Once you have saved your changes, restart the rsyslog service
[root@syslog ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@syslog ~]#

Lastly, you’ll need to open the syslog ports on your local firewall.
[root@syslog ~]# iptables -I INPUT -p tcp --dport 514 -j ACCEPT
[root@syslog ~]# iptables -I INPUT -p udp --dport 514 -j ACCEPT
[root@syslog ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@syslog ~]#

That’s it for the server side configuration. Now we need to point some clients to your new syslog server.
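Before pointing clients at the server, it is worth checking that the edit above actually took effect, since a single leftover “#” silently keeps a listener disabled. The following is an added example, not part of the original post: a small POSIX sh audit that reads an rsyslog.conf in the legacy directive syntax used above and reports which network listeners are enabled. The sample configuration it checks is constructed inline (UDP uncommented, TCP still commented out) so it runs offline; point the functions at /etc/rsyslog.conf on a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an rsyslog.conf for the
# legacy-syntax network listeners the server-side steps enable. A directive
# only counts when it is NOT commented out, which is exactly the change the
# post asks for (removing the leading "#").

# Print one line per enabled listener as "<proto> <port>".
# Usage: rsyslog_listeners /etc/rsyslog.conf
rsyslog_listeners() {
    awk '
        # comment and blank lines are ignored, so "#$ModLoad imudp" stays disabled
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "$ModLoad" && $2 == "imudp" { udp_mod = 1 }
        $1 == "$ModLoad" && $2 == "imtcp" { tcp_mod = 1 }
        $1 == "$UDPServerRun"      { udp_port = $2 }
        $1 == "$InputTCPServerRun" { tcp_port = $2 }
        END {
            # a listener needs both its module and its port directive
            if (udp_mod && udp_port != "") print "udp " udp_port
            if (tcp_mod && tcp_port != "") print "tcp " tcp_port
        }
    ' "$1"
}

# Return 0 when both the UDP and the TCP listener are enabled on the given
# port (default 514), 1 otherwise.
# Usage: rsyslog_accepts_remote /etc/rsyslog.conf 514
rsyslog_accepts_remote() {
    conf=$1
    want=${2:-514}
    rsyslog_listeners "$conf" | grep -qx "udp $want" || return 1
    rsyslog_listeners "$conf" | grep -qx "tcp $want" || return 1
    return 0
}

# Constructed sample: the UDP block has been uncommented, the TCP block has not.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
EOF

rsyslog_listeners "$sample_conf"          # prints: udp 514
if rsyslog_accepts_remote "$sample_conf" 514; then
    echo "server accepts remote syslog over UDP and TCP"
else
    echo "server is NOT accepting both UDP and TCP on 514"
fi
```

The audit only reads the file; pair it with `netstat -lnup | grep 514` (or `ss -lnup`) after the restart to confirm the daemon is really bound to the port, and keep the iptables rules above as narrow as your network allows, since port 514 accepts unauthenticated messages from any host that can reach it.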


Syslog Client Setup:

Firstly, make sure rsyslog is installed.
[root@server01 ~]# yum install rsyslog

Next, we need to point this client at the new syslog server.

Edit “/etc/rsyslog.conf” and under the #### RULES #### section, add one of the below lines to send ALL syslog events to the remote server (a single @ forwards over UDP, a double @@ forwards over TCP):

*.* @server.example.com:514
*.* @@server.example.com:514

If you wish to, for example, only send mail logs to the syslog server, you would add the below line instead (with no port given, rsyslog uses 514).
mail.* @syslog.example.com

Once you save your changes, restart your rsyslog service
[root@server01 ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
[root@server01 ~]#
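On a client with a long RULES section it is easy to lose track of what is being forwarded where, and over which transport. The following is an added example, not part of the original post: a POSIX sh parser for the legacy “@host[:port]” (UDP) and “@@host[:port]” (TCP) action syntax shown above, which also flags rules that still use UDP. The RULES fragment it parses is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: list the forwarding rules in a
# client rsyslog.conf, decoding the legacy action syntax:
#   @host[:port]   forward over UDP
#   @@host[:port]  forward over TCP
# with port 514 assumed when none is given (as in "mail.* @syslog.example.com").

# Print "<selector> <proto> <host> <port>" for every forwarding rule.
# Usage: rsyslog_forwarders /etc/rsyslog.conf
rsyslog_forwarders() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # only actions that start with "@" are network forwarders;
        # file targets such as /var/log/messages are skipped
        $2 ~ /^@/ {
            target = $2
            proto = "udp"
            if (substr(target, 1, 2) == "@@") {
                proto = "tcp"
                target = substr(target, 3)
            } else {
                target = substr(target, 2)
            }
            port = "514"
            n = index(target, ":")
            if (n > 0) {
                port = substr(target, n + 1)
                target = substr(target, 1, n - 1)
            }
            print $1, proto, target, port
        }
    ' "$1"
}

# Return 0 when at least one rule still forwards over plain UDP, which is
# fire-and-forget: dropped datagrams are lost without any error on the client.
# Usage: rsyslog_uses_udp /etc/rsyslog.conf
rsyslog_uses_udp() {
    rsyslog_forwarders "$1" | awk '$2 == "udp" { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample RULES section mixing a file target and both forwarder forms.
sample_conf=$(mktemp)
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
#### RULES ####
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
mail.*  @syslog.example.com
*.*     @@server.example.com:514
EOF

rsyslog_forwarders "$sample_conf"
# prints:
#   mail.* udp syslog.example.com 514
#   *.* tcp server.example.com 514
if rsyslog_uses_udp "$sample_conf"; then
    echo "warning: some rules forward over UDP (lossy, no delivery feedback)"
fi
```

The parser covers the two action forms the post uses; rsyslog’s newer `action(type="omfwd" ...)` syntax is not handled, so on a host that mixes both styles treat an empty result as “nothing found in legacy syntax” rather than “nothing forwarded”.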

As with any change, you should test that it has actually worked.
To check your settings, tail all the logs on your syslog server as follows:
[root@syslog ~]# tail -f /var/log/*

Next, you will need to trigger an event on your client system which will send its logs to Syslog.

For example, installing something via yum. For this purpose, I have run “yum install vsftpd”
You will see the below appear in the logs on your syslog server.
==> /var/log/messages <==
Aug 18 19:15:25 server01 yum[8804]: Installed: vsftpd-2.2.2-11.el6.x86_64

If your logs have appeared, then you have configured your server and client correctly and remote logging is working successfully.

You will notice that your system’s hostname will appear in the remote logs. Here it is seen as “server01”. This will identify which logs are coming from which server.
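Once several clients are forwarding, the hostname field is the quickest way to see who is and is not delivering. The following is an added example, not part of the original post: two POSIX sh helpers that read the traditional “Mon DD HH:MM:SS host program[pid]: message” lines shown above, count messages per host, and check whether a given client has been seen at all. The /var/log/messages excerpt is constructed inline (the sshd line is invented for the sample) so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm which clients are
# actually delivering to the central server by reading the HOSTNAME field of
# the traditional "Mon DD HH:MM:SS host program[pid]: message" line format.
# The hostname is whatever the client wrote into the message, so treat it as
# a label for routing and review, not as proof of origin.

# Print "<count> <host>" per host, busiest first.
# Usage: syslog_hosts /var/log/messages
syslog_hosts() {
    awk 'NF >= 5 { count[$4]++ } END { for (h in count) print count[h], h }' "$1" | sort -rn
}

# Return 0 when at least one message from the named host is present.
# Usage: syslog_seen_host /var/log/messages server01
syslog_seen_host() {
    awk -v want="$2" 'NF >= 5 && $4 == want { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Constructed sample of /var/log/messages on the syslog server: two lines
# forwarded by client "server01" and one local line from the server itself.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
Aug 18 19:15:25 server01 yum[8804]: Installed: vsftpd-2.2.2-11.el6.x86_64
Aug 18 19:15:31 server01 sshd[8810]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2
Aug 18 19:16:01 syslog CROND[1234]: (root) CMD (run-parts /etc/cron.hourly)
EOF

syslog_hosts "$sample_log"
# prints:
#   2 server01
#   1 syslog
for host in server01 client02; do
    if syslog_seen_host "$sample_log" "$host"; then
        echo "$host: remote logging is working"
    else
        echo "$host: no messages received yet, check its rsyslog.conf and firewall"
    fi
done
```

Run `syslog_hosts /var/log/messages` on the syslog server after the client restart; a client that is configured but missing from the list is the first thing to investigate, and a hostname you do not recognise is worth checking against the connecting IP in the server’s own records, because clients set the hostname field themselves.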

Note:
On new machines, pass the kernel argument "linux syslog=ip-of-log-server:514" when booting the installer; the /var/log/messages file on the log server will then receive updates about the installation process on the new machine.

GUI utility for viewing RHEL 6 system log:
This package is not available on the RHEL 6 DVD, so you need to register your system with your RHN account and then subscribe to “RHEL EUS Server Optional (v. 6.3.z 64-bit x86_64)” under Alter Channel Subscriptions. Then click “Change Channel” and “Modify Base Channel”.

To view system log files in an interactive, real-time application, use the Log File Viewer:
#yum install gnome-system-log

After you have installed the gnome-system-log package, you can open the Log File Viewer by clicking on Applications → System Tools → Log File Viewer, or type the following command at a shell prompt:
#gnome-system-log

Reference link:
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-logfiles-viewing.html
