In this tutorial, we are going to explain step by step how to install a Rsyslog log server on Linux systems.
What is Rsyslog?
Rsyslog (rocket-fast system for log processing) is a utility designed to offer high performance, strong security features and a modular design that can be scaled to meet the needs of the company.
Rsyslog can accept inputs from a wide variety of sources, transform them and generate results for different destinations, optimizing IT management.
Install & Verify Status of Rsyslog
The Rsyslog daemon is installed by default in most Linux distributions, but if it is not, we must execute the following commands:
In Debian systems
sudo apt-get install rsyslog
On RedHat or CentOS systems
sudo yum install rsyslog
We can verify the current status of Rsyslog by running one of the following:
On Linux distributions that use Systemd
systemctl status rsyslog.service
On old versions of Linux
service rsyslog status
/etc/init.d/rsyslog status
In case the status of the Rsyslog service is inactive, we can start it by executing the following:
New versions of Linux
systemctl start rsyslog.service
Old versions of Linux
service rsyslog start
/etc/init.d/rsyslog start
Configure Rsyslog
To configure rsyslog to run in server mode, we must edit the configuration file /etc/rsyslog.conf.
We can open it with the editor of our choice:
sudo nano /etc/rsyslog.conf
There we will make the following changes. Locate the following lines and uncomment them by removing the leading hash sign (#) to allow the reception of syslog messages over UDP on port 514. By default, syslog uses UDP port 514 to send and receive messages:
$ModLoad imudp
$UDPServerRun 514
The UDP protocol does not guarantee delivery of data over a network, so we can also configure Rsyslog to send log messages to a remote server over TCP. To enable reception over TCP, we uncomment the following lines:
$ModLoad imtcp
$InputTCPServerRun 514
This will allow the rsyslog daemon to bind and listen on a TCP socket on port 514.
Both protocols can be enabled in rsyslog to run simultaneously on Linux.
If it is necessary to restrict which senders are allowed to reach the rsyslog daemon, we add a line like the following:
$AllowedSender TCP, 127.0.0.1, 192.168.0.5/24, *.domain.com
At this point, we need to define a template that the rsyslog daemon will apply to each incoming record.
This template tells the local Rsyslog server where to store the incoming log messages. It goes after the $AllowedSender line:
$template Incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?Incoming-logs
& ~
With the above, every received record is passed through the template and stored in the local file system under /var/log/, in a path built from the sender's %HOSTNAME% and %PROGRAMNAME% properties. To store only the messages generated by the kern facility instead, we would use the following selector:
kern.* ?Incoming-logs
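To see what the two rules above do to real traffic, here is an added Python example (not part of the tutorial or of rsyslog itself) that parses BSD-style syslog lines as a port 514 listener receives them, evaluates selectors such as kern.* and *.*, and expands the Incoming-logs template into the file path rsyslog would write to. The sample lines and the refusal of hostnames containing "/" or ".." are this example's own constructions, since those properties are chosen by the sender.

```python
import re

# Syslog facility codes as rsyslog names them in selectors (RFC 5424 table).
FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
            6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
            **{16 + i: f"local{i}" for i in range(8)}}
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD-style (RFC 3164) line as it arrives on UDP/TCP port 514:
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: message
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

def parse(line):
    """Split a raw syslog line into the properties the template uses.
    PRI = facility * 8 + severity; the [pid] suffix is not part of PROGRAMNAME."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    return {"facility": FACILITY.get(pri >> 3, "unknown"), "severity": SEVERITY[pri & 7],
            "hostname": m["host"], "programname": m["tag"], "msg": m["msg"]}

def matches(selector, rec):
    """Evaluate a rsyslog.conf selector such as 'kern.*' or 'auth.warning'.
    A named severity matches that level and everything more severe, as syslog does."""
    fac, sev = selector.split(".")
    if fac != "*" and rec["facility"] != fac:
        return False
    return sev == "*" or SEVERITY.index(rec["severity"]) <= SEVERITY.index(sev)

def template_path(rec, template="/var/log/%HOSTNAME%/%PROGRAMNAME%.log"):
    """Expand the Incoming-logs template. HOSTNAME and PROGRAMNAME come from the
    sender, so values that would leave the /var/log tree are refused (added check)."""
    for key in ("hostname", "programname"):
        if "/" in rec[key] or ".." in rec[key]:
            raise ValueError(f"unsafe {key}: {rec[key]!r}")
    return template.replace("%HOSTNAME%", rec["hostname"]).replace("%PROGRAMNAME%", rec["programname"])

def route(lines, selectors):
    """Return (facility, destination path) for each line matched by any selector."""
    out = []
    for line in lines:
        rec = parse(line)
        if any(matches(s, rec) for s in selectors):
            out.append((rec["facility"], template_path(rec)))
    return out

# Constructed sample lines, as a client host "web01" might send them.
SAMPLE = ["<0>Mar  4 10:15:01 web01 kernel: Out of memory: Kill process 1234 (nginx)",
          "<86>Mar  4 10:15:02 web01 sshd[2210]: pam_unix(sshd:session): session opened for user bob",
          "<13>Mar  4 10:15:03 web01 logger: test message"]

if __name__ == "__main__":
    for fac, path in route(SAMPLE, ["kern.*"]):
        print(f"kern.* rule: {fac:8s} -> {path}")
    for fac, path in route(SAMPLE, ["*.*"]):
        print(f"*.*    rule: {fac:8s} -> {path}")
```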
Save the changes using the following key combination Ctrl + O and exit the editor using Ctrl + X.
Restart the Service & Verify Rsyslog Ports
After any change we must restart the service by executing one of the following:
sudo service rsyslog restart
sudo systemctl restart rsyslog
To check the ports used by Rsyslog, we will run the following:
sudo netstat -tulpn | grep rsyslog
As indicated, the port used is 514, so we must open it in the firewall with the following commands.
On RedHat and CentOS
firewall-cmd --permanent --add-port=514/tcp
firewall-cmd --reload
On Debian
ufw allow 514/tcp
ufw allow 514/udp
If we use IPTables:
iptables -A INPUT -p tcp -m tcp --dport 514 -j ACCEPT
iptables -A INPUT -p udp --dport 514 -j ACCEPT
In this way, we have installed Rsyslog on Linux to manage the various types of logs that are generated continuously on the system.