What are the steps to set up a centralized syslog server using rsyslog on CentOS?

12 June 2024

When it comes to maintaining the integrity and efficiency of your systems, logging is an essential task that you shouldn't overlook. Logging is more than just keeping track of what your system is doing. It is a crucial aspect of system administration, as it helps identify and troubleshoot potential problems before they escalate into major issues. One of the widely used logging systems is syslog, and in this walkthrough, you will learn how to set up a centralized syslog server using rsyslog on CentOS.

What is Rsyslog?

Before delving into the steps to set up a centralized syslog server, it's critical to understand what rsyslog is. Rsyslog is an open-source software utility utilized on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It's built with powerful features that offer benefits such as reliability, encryption, and the ability to filter on any part of the syslog message.

The program is designed to work with different kinds of systems, from local logs on a single computer to logging for large-scale network systems. Its architecture, which is based on templates, also allows for the easy reformatting of log messages before being sent to a remote log server.

Setting Up the Centralized Rsyslog Server

Now that we have a clear understanding of what rsyslog is, let's dive into the steps needed to set up a centralized syslog server on CentOS.

1. Installing Rsyslog

The first step is to install rsyslog on your server. CentOS 7 and later versions come with rsyslog installed by default. However, if it's not installed, you can do so by running the following command:

yum install rsyslog -y

After installation, you will need to start the rsyslog service and enable it to start on boot by executing these commands:

systemctl start rsyslog
systemctl enable rsyslog

2. Configuring Rsyslog on the Server

After starting the rsyslog service, the next step is to configure it to accept logs from remote clients. Open the rsyslog configuration file (/etc/rsyslog.conf) in your preferred text editor:

vi /etc/rsyslog.conf

Scroll down and find these lines:

# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

Uncomment these lines by removing the # at the beginning of each line. This change will enable rsyslog to listen for incoming logs on port 514, both for UDP and TCP.

Save and close the file, then restart rsyslog to apply your changes.

systemctl restart rsyslog

3. Creating Templates for Log Files

The next step is to create templates for your log files. This will determine the format and location of the logs that rsyslog will write on the server.

Again, open the rsyslog configuration file (/etc/rsyslog.conf):

vi /etc/rsyslog.conf

After that, define your templates at the bottom of the file. For instance, you can create a template that logs messages to a directory based on the client's hostname:

$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs

The %HOSTNAME% variable will be replaced with the client's hostname, while %PROGRAMNAME% will be replaced with the name of the service or app sending the log message.

Again, save and close the file, then restart rsyslog to apply your changes:

systemctl restart rsyslog

4. Configuring Firewalld to Allow Syslog Traffic

For rsyslog to properly receive logs from remote systems, you need to allow syslog traffic through your firewall. This can be done using the firewalld tool. Run the following commands to open the necessary ports:

firewall-cmd --permanent --add-port=514/tcp
firewall-cmd --permanent --add-port=514/udp
firewall-cmd --reload

At this point, your rsyslog server is ready to receive logs from remote clients. But before it can start logging from remote systems, you need to configure rsyslog on the client systems as well.

Configuring Rsyslog on the Client Systems

The client machines also need to be configured to send their logs to the centralized rsyslog server. Here's how you do it:

1. Installing Rsyslog

Just like on the server, the first step is to ensure that rsyslog is installed on your client machine. If it's not, use the yum install command mentioned previously to install it.

2. Configure Rsyslog to Send Logs to Server

To configure rsyslog on the client system to send logs to your centralized rsyslog server, open the configuration file (/etc/rsyslog.conf) and add a line at the end of the file:

*.* @server_ip:514

Replace server_ip with the IP address of your rsyslog server. The @ symbol denotes that logs should be sent using UDP. If you want to use TCP, replace @ with @@.

Save and close the file, then restart rsyslog:

systemctl restart rsyslog

After this, your client machine is configured to send its logs to the centralized rsyslog server. Repeat this process for all other client systems that you want to send logs to your centralized server.

Testing Your Centralized Rsyslog Server

After setting up your server and client systems, it's crucial that you test them to ensure that logs are being sent and received correctly. There are several ways to do this, but the simplest way is to use the logger command, which can generate a test log message.

For instance, on a client machine, you can run:

logger Test log from client

Then, on the server, you should see a new log file in the /var/log directory with the client's hostname. Inside, you'll find the test log message you just sent.

In conclusion, setting up a centralized rsyslog server might seem like a daunting task, but with the right steps and understanding, it's pretty straightforward. And once you have it set up, the benefits are immense. It allows you to manage logs from multiple systems in a central location, making log management more efficient and manageable.

Securing Your Centralized Rsyslog Server

Securing your rsyslog server is as crucial as setting it up. This section will guide you on how to add an extra layer of security by encrypting your log data and using the Transport Layer Security (TLS) protocol.

1. Generate Certificates

Firstly, you have to generate the certificates to be used for encryption. You can use OpenSSL to generate the required certificates. To install OpenSSL, run the following command:

yum install openssl

Next, create a private key and a self-signed certificate:

openssl genrsa -out /etc/rsyslog.d/ca.key 2048
openssl req -x509 -new -nodes -key /etc/rsyslog.d/ca.key -sha256 -days 1024 -out /etc/rsyslog.d/ca.crt

These commands will create a new private key (ca.key) and a self-signed certificate (ca.crt) in the /etc/rsyslog.d/ directory.

2. Configure Rsyslog for TLS

To configure rsyslog to use TLS, open the rsyslog configuration file (/etc/rsyslog.conf) and add the following lines:


This configuration allows rsyslog service to load the imtcp module with the gtls driver, which enables the use of TLS.

3. Restart Rsyslog

After modifying the configuration file, restart the rsyslog service:

systemctl restart rsyslog

With these steps, your rsyslog server now uses TLS encryption to protect log data during transmission. Remember, security is paramount; therefore, never overlook it when setting up your centralized logging server.

Setting up a centralized syslog server using rsyslog on CentOS offers numerous benefits, especially for large-scale network systems. It not only centralizes your logging but also improves reliability, filtering, and efficiency of your log management tasks. Remember to secure your server by enabling TLS encryption for your log data. In addition, always test your setup to ensure that logs are properly sent and received. With this guide, you now have all the necessary steps to confidently setup, secure, and manage your centralized rsyslog server.