Rocky 9.x Setup rsyslog server for accepting remote device logs

From Notes_Wiki

Home > Rocky Linux or CentOS > Rocky Linux 9.x > Syslog servers > rsyslog server > Setup rsyslog server for accepting remote device logs

To setup a new rsyslog server on Rocky 9.x use:

  1. Install rsyslog package via: 
    dnf -y install rsyslog
  2. Disable SELinux (setenforce 0, edit /etc/sysconfig/selinux)
  3. Disable firewall 
    systemctl stop firewalld
    

    systemctl disable firewalld
    Ideally we should configure firewall to allow incoming UDP/514 packets instead of disabling it. See CentOS 8.x firewalld
  4. Edit '/etc/rsyslog.conf' file to uncomment below lines: 
    module(load="imudp") # needs to be done just once
    

    input(type="imudp" port="514")
  5. At the end of '/etc/rsyslog.conf' file append: 
    $template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

authpriv.*      ?TmplAuth
*.info,mail.none,authpriv.none,cron.none   ?TmplAuth
  6. (Re)start rsyslog and enable it using: 
    systemctl restart rsyslog
    

    systemctl enable rsyslog
  7. Configure a switch / firewall or other appropriate device to send logs to this server in syslog format over UDP 514 port.
  8. Go to '/var/log' folder and look for hostnamed based logs. For each remote host a folder gets created such as '/var/log/<host1>/<program1>' and logs get stored in the files.


There is older article on this at Installing rsyslog from yum repository

Home > Rocky Linux or CentOS > Rocky Linux 9.x > Syslog servers > rsyslog server > Setup rsyslog server for accepting remote device logs

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Rocky_9.x_Setup_rsyslog_server_for_accepting_remote_device_logs&oldid=7955"