rsyslog Remote Logging Configuration Guide with Example iptables

rsyslog Remote Logging Configuration:

1. On the Client System:

# yum install rsyslog

Add one of the following lines (master server IP and port) to the existing config file:
# vim /etc/rsyslog.conf

*.* @masterserverip:514      (single @: forward over UDP)
*.* @@masterserverip:514     (double @@: forward over TCP; pick one protocol or the other)

# service rsyslog restart

Example client-side rsyslog.conf file:

$ModLoad imuxsock.so
$ModLoad imklog.so
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.* @masterserverip:514
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log

2. Rsyslog Master Log Server Configuration:

# yum install rsyslog rsyslog-mysql

# vim /etc/rsyslog.conf

Example Log Server Config File:

# Add your Client server IP or IP Range
$AllowedSender UDP, 127.0.0.1, 10.5.0.0/16, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 10.5.0.0/16, 192.168.1.0/24
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad immark.so
# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log

Save the file and restart the service:

# service rsyslog restart

3. To use a different template and write each client server's logs into its own directory,
add the following to the rsyslog.conf file.

Example File 1(Dynamic Logfile):

# Add your Client server IP or IP Range
$AllowedSender UDP, 127.0.0.1, 10.5.0.0/16, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 10.5.0.0/16, 192.168.1.0/24
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad immark.so
# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$template DynFile,"/var/log/%HOSTNAME%/%programname%.log"
*.* ?DynFile

Example File 2 (Manual User Defined Log Files):

# Add your Client server IP or IP Range
$AllowedSender UDP, 127.0.0.1, 10.5.0.0/16, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 10.5.0.0/16, 192.168.1.0/24
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad immark.so
# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template Auth,"/var/log/%HOSTNAME%/secure.log"
# Log anything (except mail and cron) of level info or higher.
$template MSG,"/var/log/%HOSTNAME%/messages"
# Log all the mail messages in one place.
$template mail,"/var/log/%HOSTNAME%/maillog"
# Log cron stuff
$template cron,"/var/log/%HOSTNAME%/cron"
# Save news errors of level crit and higher in a special file.
$template spool,"/var/log/%HOSTNAME%/spooler"
# Save boot messages also to boot.log
$template boot,"/var/log/%HOSTNAME%/boot.log"
# Save kernel messages in their own file
$template kern,"/var/log/%HOSTNAME%/kernel"
# Everybody gets emergency messages
$template emerg,"/var/log/%HOSTNAME%/emerg"
# Save daemon messages in daemon.log
$template daemon,"/var/log/%HOSTNAME%/daemon.log"
# Save news messages in news.log
$template news,"/var/log/%HOSTNAME%/news.log"
# Save user log messages
$template user,"/var/log/%HOSTNAME%/user.log"
# Save TCP wrapper messages
$template local,"/var/log/%HOSTNAME%/tcpwrapper.log"
# Save a copy of everything in one file
$template all,"/var/log/%HOSTNAME%/all"
authpriv.* ?Auth
*.info;mail.none;authpriv.none;cron.none ?MSG
mail.* ?mail
cron.* ?cron
news.crit ?spool
local7.* ?boot
kern.* ?kern
*.emerg ?emerg
user.* ?user
daemon.* ?daemon
news.* ?news
*.* ?all
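The selector lines in sections 2 and 3 follow the classic "facility.priority  action" syntax, and the DynFile target in Example File 1 builds a path from message properties. The following is an added example, not code from the original post or from the rsyslog project: a small Python model of that selector syntax and of %property% expansion, so you can check where a given message would land without a running rsyslogd. Facility and priority names and codes are the standard syslog ones; the config text and sample messages are constructed. It also shows why sub-selectors must be joined with semicolons: commas only separate facilities inside one sub-selector, so a line like `*.info,mail.none,authpriv.none,cron.none` is rejected as malformed.

```python
"""Added example (not from the original post): a model of rsyslog's legacy
"facility.priority  action" selector lines and of %property% templates.
Facility/priority codes are the standard syslog values; MASTER_CONFIG and the
sample messages are constructed for the demonstration."""
import re

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
}
FACILITIES.update({f"local{n}": 16 + n for n in range(8)})

# Lower number = more severe; "facility.info" means info and anything more severe.
PRIORITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
    "notice": 5, "info": 6, "debug": 7,
}


def selector_matches(selector, facility, priority):
    """Evaluate one selector such as '*.info;mail.none;authpriv.none'.

    Sub-selectors are separated by ';' and evaluated left to right; a later one
    that names the message's facility overrides an earlier one, which is how
    'mail.none' removes mail from a preceding '*.info'.  Facilities inside one
    sub-selector are separated by ',' (as in 'uucp,news.crit')."""
    pri_code = PRIORITIES[priority]
    decision = False
    for part in selector.split(";"):
        fac_list, dot, pri_spec = part.strip().rpartition(".")
        if not dot:
            raise ValueError(f"malformed selector part: {part!r}")
        facs = [f.strip() for f in fac_list.split(",")]
        for f in facs:
            if f != "*" and f not in FACILITIES:
                raise ValueError(f"unknown facility {f!r} in {part!r}")
        if "*" not in facs and facility not in facs:
            continue
        if pri_spec == "none":
            decision = False
        elif pri_spec == "*":
            decision = True
        elif pri_spec.startswith("="):      # exactly this priority only
            decision = pri_code == PRIORITIES[pri_spec[1:]]
        else:
            decision = pri_code <= PRIORITIES[pri_spec]
    return decision


def route(config_text, facility, priority):
    """Return the actions (file path, '*', '?Template', '@host') that fire for a
    message of the given facility/priority.  $-directives, comments and blank
    lines are skipped.  A leading '-' on a path (omit sync) is kept verbatim."""
    actions = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "$")):
            continue
        fields = re.split(r"\s+", line, maxsplit=1)
        if len(fields) != 2:
            raise ValueError(f"selector line without action: {line!r}")
        selector, action = fields
        if selector_matches(selector, facility, priority):
            actions.append(action)
    return actions


def expand_template(template, props):
    """Expand %HOSTNAME%-style placeholders the way a DynFile target does.
    HOSTNAME and programname are taken from the message the sender supplies, so
    values that would leave the intended directory are rejected.  That check is
    a defensive addition in this example, not documented rsyslog behaviour."""
    def substitute(m):
        value = props[m.group(1)]
        if not value or "/" in value or value in (".", ".."):
            raise ValueError(f"unsafe value for %{m.group(1)}%: {value!r}")
        return value
    return re.sub(r"%([A-Za-z]+)%", substitute, template)


# Constructed config: the selector lines from the master-server example above.
MASTER_CONFIG = """\
$ModLoad imudp.so
$UDPServerRun 514
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
"""
DYNFILE = "/var/log/%HOSTNAME%/%programname%.log"

if __name__ == "__main__":
    for fac, pri in [("authpriv", "info"), ("kern", "emerg"),
                     ("news", "crit"), ("daemon", "debug")]:
        print(f"{fac}.{pri:<8} -> {route(MASTER_CONFIG, fac, pri)}")
    print(expand_template(DYNFILE, {"HOSTNAME": "web01", "programname": "sshd"}))
```

Running it shows, for instance, that an authpriv.info message goes only to /var/log/secure (the `authpriv.none` override removes it from /var/log/messages), while a kern.emerg message goes to /var/log/messages and to every logged-in user via `*`.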

4. To store the logs in the Cacti syslog MySQL database

Add the following lines at the end of rsyslog.conf:

$ModLoad ommysql
$template cacti_syslog,"INSERT INTO syslog_incoming(facility, priority, date, time, host, message) values (%syslogfacility%, %syslogpriority%, '%timereported:::date-mysql%', '%timereported:::date-mysql%', '%HOSTNAME%', '%msg%')", SQL
*.*     >dbserverip,db_name,db_username,db_password;cacti_syslog

5. iptables config:
Add the following rule to the /etc/sysconfig/iptables file (this is only required on the syslog server):

-A INPUT -p udp -m udp --dport 514 -j ACCEPT

Or, for TCP:

-A INPUT -p tcp -m tcp --dport 514 -j ACCEPT
