Difference between revisions of "Installing rsyslog from yum repository"
Revision as of 08:05, 10 March 2022
Configure rsyslog server
To install rsyslog, use the following steps:
- yum -y install rsyslog
- Disable SELinux
- Enable incoming UDP port 514 packets
- Edit '/etc/rsyslog.conf' file as follows:
  - Append the following lines:
    - $template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
    - authpriv.* ?TmplAuth
    - *.info,mail.none,authpriv.none,cron.none ?TmplAuth
  - Uncomment the following lines:
    - $ModLoad imudp
    - $UDPServerRun 514
  - Append the following lines
- service rsyslog start
- chkconfig rsyslog on
Note: if for some reason TCP is preferable, uncomment these two lines to enable TCP-based log reception:
#$ModLoad imtcp
#$InputTCPServerRun 514
Configure rsyslog client
After configuring the rsyslog server, configure the remote machines to send logs to it as follows:
- Install rsyslog the same way as on the server
- Edit the '/etc/rsyslog.conf' file and append the following configuration:
  - *.* @<server>:<port>
- service rsyslog start
- chkconfig rsyslog on
Note: if the server is configured to use TCP, then use:
*.* @@<server>:<port>
to send logs through TCP instead of UDP. Note the two @ signs (@@) instead of one.
Steps learned from http://tecadmin.net/setup-centralized-logging-server-using-rsyslogd/ and contributed by Kiran Kollipara
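The single @ (UDP) versus double @@ (TCP) rule above has to match the listener that is actually uncommented on the server, and a UDP forward to a server with no UDP listener is dropped without any error on the client. The following check is an added example, not part of the original page; the function names are hypothetical, the sample configurations are constructed, and it assumes the legacy directive syntax used on this page with IPv4 or hostname targets.

```shell
#!/bin/sh
# Added example: legacy-syntax rsyslog.conf transport check (helper names are hypothetical).

# Print "udp:PORT" / "tcp:PORT" for every listener directive that is not commented out.
listeners() {
    awk '/^[ \t]*#/ { next }
         $1 == "$UDPServerRun"      { print "udp:" $2 }
         $1 == "$InputTCPServerRun" { print "tcp:" $2 }' "$1"
}

# Print "udp:HOST[:PORT]" for "@target" and "tcp:HOST[:PORT]" for "@@target" actions.
forwards() {
    awk '/^[ \t]*#/ { next }
         $2 ~ /^@@/ { sub(/^@@/, "", $2); print "tcp:" $2; next }
         $2 ~ /^@/  { sub(/^@/,  "", $2); print "udp:" $2 }' "$1"
}

# check_transport CLIENT_CONF SERVER_CONF: non-zero if any forward has no matching listener.
check_transport() {
    rc=0
    active=$(listeners "$2")
    for fwd in $(forwards "$1"); do
        proto=${fwd%%:*}                 # udp or tcp
        rest=${fwd#*:}                   # host[:port]
        case $rest in
            *:*) port=${rest##*:} ;;
            *)   port=514 ;;             # port is optional in a forwarding rule
        esac
        if printf '%s\n' "$active" | grep -qx "$proto:$port"; then
            echo "OK       $fwd"
        else
            echo "MISMATCH $fwd (server has no $proto listener on $port)"
            rc=1
        fi
    done
    return $rc
}

demo() {
    dir=$(mktemp -d)
    # Constructed server config: UDP reception enabled, TCP lines still commented out.
    printf '%s\n' '$ModLoad imudp' '$UDPServerRun 514' \
        '#$ModLoad imtcp' '#$InputTCPServerRun 514' > "$dir/server.conf"
    # Constructed client config: one UDP rule and one TCP rule to the same server.
    printf '%s\n' '*.* @192.168.122.105:514' '*.* @@192.168.122.105:514' > "$dir/client.conf"
    check_transport "$dir/client.conf" "$dir/server.conf"; status=$?
    rm -rf "$dir"
    return $status
}
demo || echo "client and server transports disagree"
```

Run it against the real files with `check_transport /path/to/client/rsyslog.conf /path/to/server/rsyslog.conf`; `rsyslogd -N1` can then be used on each host to validate the configuration syntax before restarting the service.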
Automated rsyslog server and client configuration
For automated rsyslog server and client configuration using Ansible, use the following playbook:
---
- name: This playbook configures rsyslog server
  hosts: rsyslog_server
  remote_user: root
  tasks:
    - name: Install rsyslog package
      yum: name=rsyslog state=present
      # environment: proxy_env
    - name: Copy rsyslog configuration to rsyslog server
      copy: src=rsyslog_server.conf dest=/etc/rsyslog.conf owner=root group=root mode=644
      notify:
        - restart rsyslog
    - name: Start rsyslog and enable it on startup
      service: name=rsyslog state=started enabled=yes
  handlers:
    - name: restart rsyslog
      service: name=rsyslog state=restarted
- name: Configure rsyslog client
  hosts: rsyslog_clients
  remote_user: root
  vars:
    rsyslog_server_ips:
      - 192.168.122.105
  tasks:
    - name: Install rsyslog package
      yum: name=rsyslog state=present
      # environment: proxy_env
    - name: Copy rsyslog configuration to rsyslog client
      template: src=rsyslog_client.conf dest=/etc/rsyslog.conf owner=root group=root mode=644
      notify:
        - restart rsyslog
    - name: Start rsyslog and enable it on startup
      service: name=rsyslog state=started enabled=yes
  handlers:
    - name: restart rsyslog
      service: name=rsyslog state=restarted
The playbook refers to rsyslog_server.conf which should have:
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -/var/log/messages
# The authpriv file has restricted access.
authpriv.* -/var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* -/var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit -/var/log/spooler
# Save boot messages also to boot.log
local7.* -/var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
$template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.* ?TmplAuth
*.info,mail.none,authpriv.none,cron.none ?TmplAuth
Also the playbook refers to 'rsyslog_client.conf' which should have:
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -/var/log/messages
# The authpriv file has restricted access.
authpriv.* -/var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* -/var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit -/var/log/spooler
# Save boot messages also to boot.log
local7.* -/var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
{% for rsyslog_server in rsyslog_server_ips %}
# start forwarding to {{rsyslog_server}}
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName {{rsyslog_server}} # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
*.* @{{rsyslog_server}}:514
# end forwarding to {{rsyslog_server}}
{% endfor %}