Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Configuring Syslog CentOS

  1. Overview

  2. Prerequisites

  3. Configuring CentOS to forward logs to EventTracker - Seceon CCE

  4. Verification Steps

Overview

On a CentOS/RHEL 7 system, the Rsyslog daemon is the preinstalled main log server, working alongside the Systemd Journal Daemon (journald).

Rsyslog server is built as a client/server architecture service and can simultaneously achieve both roles. It can run as a server and collect all logs transmitted by other devices in the network or it can run as a client by sending all internal system events logged to a remote endpoint Syslog server.

When rsyslog is configured as a client, logs can be stored locally in files on the local filesystem, sent to a remote Syslog server instead of being written to local files, or written to local log files and sent to a remote Syslog server at the same time.

Prerequisites

  1. Seceon CCE should be installed.

  2. Allow the Syslog UDP port 514 in the firewall.

Configuring CentOS to forward logs to EventTracker - Seceon CCE

By default, the Rsyslog service is automatically installed and should be running in CentOS/RHEL 7. In order to check if the daemon is started in the system, issue the following command with root privileges.

# systemctl status rsyslog.service

If the service is not running by default, execute the below command in order to start the rsyslog daemon.

# systemctl start rsyslog.service

If the rsyslog package is not installed on the system that you intend to use as a centralized logging server, issue the following command to install the rsyslog package.

yum install rsyslog

The first step in configuring the rsyslog daemon as a centralized log server, so that it can receive log messages from external clients, is to open and edit the main configuration file, /etc/rsyslog.conf, with your favourite text editor, as presented in the below excerpt.

vi /etc/rsyslog.conf

In the rsyslog main configuration file, search and uncomment the following lines (remove the hashtag # sign at the line beginning) in order to provide UDP transport reception to the Rsyslog server via the 514 port. UDP is the standard protocol used for log transmission by Rsyslog.

$ModLoad imudp
$UDPServerRun 514

UDP protocol does not have the TCP overhead, which makes it faster for transmitting data than TCP protocol. On the other hand, the UDP protocol does not assure the reliability of transmitted data.

However, if you need to use TCP protocol for log reception you must search and uncomment the following lines from the “/etc/rsyslog.conf” file in order to configure the Rsyslog daemon to bind and listen to a TCP socket on the 514 port. TCP and UDP listening sockets for the reception can be configured on a Rsyslog server simultaneously.

$ModLoad imtcp
$InputTCPServerRun 514

In the next step, without closing the file yet, create a new template that will be used for receiving remote messages. This template instructs the local Rsyslog server where to save the received messages sent by Syslog network clients. The template must be added before the beginning of the GLOBAL DIRECTIVES block, as illustrated in the below excerpt.

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~

The above $template RemoteLogs directive instructs the Rsyslog daemon to collect and write all received log messages to distinct files, based on the client machine name and the remote client program (application) that generated the message, using the properties present in the template configuration: %HOSTNAME% and %PROGRAMNAME%.

All these log files are written to the local filesystem, in a dedicated directory named after the client machine’s hostname under the “/var/log/” directory.

The & ~ rule instructs the local Rsyslog server to stop processing the received log message any further and discard it, so that it is not also written to the server’s own log files.

The RemoteLogs name is an arbitrary name given to this template directive. You can use whatever name you can find best suited for your template.

In order to write all received messages from clients in a single log file named after the IP Address of the remote client, without filtering the facility that generated the message, use the below excerpt.

$template FromIp,"/var/log/%FROMHOST-IP%.log"
*.* ?FromIp
& ~

Another example of a template, where all messages carrying the authpriv facility are logged using a template named “TmplAuth”:

$template TmplAuth,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.* ?TmplAuth

Below is an excerpt from a template definition from Rsyslog 7 server:

template(name="TmplMsg" type="string" string="/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log" )

The above template excerpt can also be written as:

template(name="TmplMsg" type="list") {
    constant(value="/var/log/remote/msg/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
}

To write complex Rsyslog templates, read the Rsyslog configuration file manual by issuing man rsyslog.conf command or consult Rsyslog online documentation.

After you’ve edited the Rsyslog configuration file with your own settings as explained above, restart the Rsyslog daemon in order to apply changes by issuing the following command:

# service rsyslog restart

By now, the Rsyslog server should be configured to act as a centralized log server and record messages from Syslog clients. To verify Rsyslog network sockets, run netstat command with root privileges and use grep to filter the rsyslog string.

# netstat -tulpn | grep rsyslog

If you have SELinux enabled in CentOS/RHEL 7, issue the following commands to label the rsyslog ports for SELinux, depending on the network socket type (the semanage tool is provided by the policycoreutils-python package).

# semanage port -a -t syslogd_port_t -p udp 514
# semanage port -a -t syslogd_port_t -p tcp 514

If semanage reports that a port is already defined with this type, that port needs no further change.

If the firewall is enabled and active, run the below command in order to add the necessary rules for opening rsyslog ports in Firewalld.

# firewall-cmd --permanent --add-port=514/tcp
# firewall-cmd --permanent --add-port=514/udp
# firewall-cmd --reload

That’s all! Rsyslog is now configured in server mode and can centralize logs from remote clients.

Note: Enabling the audit logs results in a huge amount of logs, which can impact performance.

Verification Steps

On the source system, test if messages are being sent to the remote log host with the logger command:

# logger -p daemon.warn "this is a test"

then check the /var/adm/messages file on the remote loghost for the test message:

# tail /var/adm/messages

On the CCE device, execute the following commands to confirm that the CentOS system is reachable and that its logs are arriving for processing.

# ping <IPAddress of CentOS System>

# sudo tcpdump -i any -A port 514 and host <IPAddress>
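The following added example is not part of the original article or of Seceon's or Rsyslog's code; it shows what the logger test message above looks like on the wire (PRI = facility * 8 + severity, so daemon.warn gives <28>), parses such a line back into the hostname and programname properties, and renders the path the RemoteLogs template from the template section would write it to, with the secpath-replace behaviour mentioned for Rsyslog 7 templates applied. The host name centos01 and the sample lines are constructed.

```python
import re
import socket
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "authpriv": 10, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "warn": 4, "notice": 5, "info": 6, "debug": 7}
FAC_NAMES = {v: k for k, v in FACILITIES.items()}

# Line layout: "<PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG".
_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
                   r"([^:\[\s]+)(?:\[\d+\])?: ?(.*)$")


def build_message(facility, severity, hostname, tag, text, stamp=None):
    """Build the datagram `logger -p daemon.warn "this is a test"` sends."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    if stamp is None:  # RFC 3164 timestamp: the day of month is space-padded
        now = datetime.now()
        stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {text}".encode()


def parse_message(raw):
    """Split a received line into the properties the rsyslog templates use."""
    m = _LINE.match(raw.decode(errors="replace"))
    if not m:
        return None
    pri = int(m.group(1))
    return {"pri": pri, "facility": FAC_NAMES.get(pri // 8, str(pri // 8)),
            "severity": pri % 8, "hostname": m.group(3),
            "programname": m.group(4), "msg": m.group(5)}


def remote_logs_path(fields, secure_path=True):
    """Render "/var/log/%HOSTNAME%/%PROGRAMNAME%.log" for a parsed message.
    secure_path mimics rsyslog's secpath-replace option: every slash inside
    the client-supplied program name becomes an underscore, so it cannot
    introduce extra directory levels under /var/log/<hostname>/."""
    prog = fields["programname"]
    if secure_path:
        prog = prog.replace("/", "_")
    return f"/var/log/{fields['hostname']}/{prog}.log"


def send_udp(raw, server, port=514):
    """Send one datagram to the rsyslog server's imudp listener on port 514."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(raw, (server, port))
```

Call send_udp(build_message("daemon", "warn", "centos01", "root", "this is a test"), "<CCE IP>") from the source system and the tcpdump capture above should show the same <28> line.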


Seceon Inc. All rights reserved. https://www.seceon.com