Installing syslog on a Red Hat server

A client of mine had some serious shortcomings with their network visibility.
One of those lacking items was a solid Syslog server.

When people ask me how a Syslog server should be installed, the answer is mostly the same.
Either bare metal or a virtual machine, but keep your logging on dedicated Linux machines.

Of course, there are always exceptions.

I personally could not care less whether it is Ubuntu or Red Hat, as long as it's Linux.
The reason is that on Linux you can filter specific log messages and have them mailed to you on your own terms.

Imagine a bash script that looks for certain log messages.
When those messages turn up, the script sends you an e-mail informing you about X, Y and Z.
You can also add conditions to the equation: if X then Y.
There are no limits to this, only your imagination.
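One shape such a script can take, added here as an example (it is not the post's own script): it walks the per-host files that the template later in this post makes rsyslog write under /var/log/network/<date>/<host>.log, tags every line that matches a handful of patterns, applies one "if X then Y" condition (five or more failed logins from the same address), and mails the result only when there is something to report. The paths, the patterns, the threshold and the recipient address are assumptions; it is plain POSIX sh so it also runs under bash.

```shell
#!/bin/sh
# Added example, not from the original post: a small watcher over the per-host
# files that the template in this post makes rsyslog write under
# /var/log/network/<YYYY-MM-DD>/<host>.log. The paths, patterns, recipient
# and threshold below are assumptions; tune them to your environment.
set -u

LOG_ROOT="${LOG_ROOT:-/var/log/network}"
ALERT_TO="${ALERT_TO:-noc@example.com}"          # assumed recipient
FAILED_LOGIN_THRESHOLD="${FAILED_LOGIN_THRESHOLD:-5}"

# Extended regex of messages worth an e-mail (assumed; extend per environment).
PATTERN_RE='Failed password for|%LINEPROTO-5-UPDOWN.*changed state to down|%SEC_LOGIN-4-LOGIN_FAILED'

# scan_file FILE
# Print every line of FILE matching PATTERN_RE, tagged with the host name
# taken from the file name (the template names the file after %HOSTNAME%).
scan_file() {
  file="$1"
  host=$(basename -- "$file" .log)
  grep -E -- "$PATTERN_RE" "$file" | awk -v h="$host" '{ print "[" h "] " $0 }'
  return 0
}

# failed_login_sources FILE
# The "if X then Y" condition from the text: X = at least
# FAILED_LOGIN_THRESHOLD "Failed password" lines from the same source
# address, Y = print "<count> <address>" so the caller can alert on it.
failed_login_sources() {
  awk -v thr="$FAILED_LOGIN_THRESHOLD" '
    /Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= thr) print n[ip], ip }
  ' "$1" | sort -rn
}

# build_report DAYDIR
# Collect the hits for every host file in one day's directory into a report.
build_report() {
  dir="$1"
  for f in "$dir"/*.log; do
    [ -e "$f" ] || continue            # no files yet for this day
    scan_file "$f"
    failed_login_sources "$f" | while read -r count ip; do
      printf '[%s] %s failed logins from %s (threshold %s)\n' \
        "$(basename -- "$f" .log)" "$count" "$ip" "$FAILED_LOGIN_THRESHOLD"
    done
  done
  return 0
}

# send_alert SUBJECT
# Mail stdin to ALERT_TO with the system mail(1) command (s-nail on RHEL 9).
send_alert() {
  mail -s "$1" "$ALERT_TO"
}

# Entry point for a cron job: report on today's directory, mail only on hits.
main() {
  today=$(date +%Y-%m-%d)
  report=$(build_report "$LOG_ROOT/$today")
  if [ -n "$report" ]; then
    printf '%s\n' "$report" | send_alert "syslog alerts for $today"
  fi
}

main
```

Run it from cron every few minutes as a low-privilege user that is allowed to read /var/log/network; the threshold function is where the "if X then Y" logic lives, so that is the place to add more conditions (a port flapping more than N times, a config change outside the maintenance window, and so on).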

Sure, Splunk is cool and has some serious power, but good luck buying the licenses.
For many small and medium-sized businesses it is a huge amount of money to spend.
And in many situations that money can be spent on better causes.

A Linux server is free of charge, and once it is running you have the power to change or implement anything on the spot with regard to log analysis and how you want to be informed.

The downside is that a business needs people who understand Linux and bash scripting, but in reality most network engineers acquire this knowledge at some point in their career.
So I personally wouldn’t consider this a huge downside.

Now let’s begin installing a Syslog Service on a Red Hat Linux server.

First things first.
I am running Red Hat (RHEL BaseOS 9.0) in a VM inside VMware Workstation.
You can download Red Hat Enterprise Linux here for free.

Below you can see the version of Red Hat I am using and what version of rsyslog I’m using.

[dominic@localhost ~]$ hostnamectl
 [SNIP]
    Virtualization: vmware
  Operating System: Red Hat Enterprise Linux 9.0 (Plow)     
       CPE OS Name: cpe:/o:redhat:enterprise_linux:9::baseos
            Kernel: Linux 5.14.0-70.22.1.el9_0.x86_64
      Architecture: x86-64
   Hardware Vendor: VMware, Inc.
[dominic@localhost ~]$ 
[dominic@localhost ~]$ rsyslogd -N1
rsyslogd: version 8.2102.0-101.el9_0.1, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
[dominic@localhost ~]$ 

Now, if you don't have rsyslog installed yet, install it with the command below (on RHEL 9, yum is an alias for dnf):

[dominic@localhost ~]$ sudo yum install rsyslog

Once rsyslog is installed, verify that it is running as it should.
If it is not, start it and enable it at boot in one go with sudo systemctl enable --now rsyslog.

[dominic@localhost ~]$ sudo systemctl status rsyslog
● rsyslog.service - System Logging Service
     Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor p>
     Active: active (running) since Sat 2022-08-20 17:35:37 CEST; 12min ago
       Docs: man:rsyslogd(8)
             https://www.rsyslog.com/doc/
   Main PID: 921 (rsyslogd)
      Tasks: 5 (limit: 23284)
     Memory: 5.9M
        CPU: 150ms
     CGroup: /system.slice/rsyslog.service
             └─921 /usr/sbin/rsyslogd -n

Aug 20 17:35:37 localhost systemd[1]: Starting System Logging Service...
Aug 20 17:35:37 localhost systemd[1]: Started System Logging Service.

Let's edit the configuration file.
The file that needs to be changed resides here: /etc/rsyslog.conf

Uncomment the two lines below to receive syslog over UDP on port 514.
Keep in mind that UDP syslog is unauthenticated and unencrypted, so anyone who can reach the port can inject messages: bind the listener to the management interface and open the port in firewalld only towards your log sources (at minimum sudo firewall-cmd --permanent --add-port=514/udp followed by sudo firewall-cmd --reload). The stock SELinux policy already labels 514/udp for syslog, so no SELinux change is needed.

module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

Next, still in /etc/rsyslog.conf, define a template that controls what data is stored where.
For now we keep it simple and store all syslog in one place.

Add the following lines under the RULES section.

#### RULES ####

$template remote-incoming-logs, "/var/log/syslog.log"
*.* ?remote-incoming-logs

Note that *.* matches every message rsyslog sees, the server's own local messages included, and the default rules further down still write those to /var/log/messages as well. That is fine for a first test; for production you want the remote input bound to its own ruleset so local and remote logs stay apart.

This configuration is enough for Syslog messages to be saved on your server.
Still, I want some order so I can find my way in all these logs.
Therefore I want to sort syslog messages on a per-date basis.

You do this in the same /etc/rsyslog.conf file.
Search for the template line you created: $template remote-incoming-logs, "/var/log/syslog.log"

Now change it to:

$template remote-incoming-logs, "/var/log/network/%$year%-%$month%-%$day%/%HOSTNAME%.log"

This sorts your Syslog by year, month and day and then creates a separate file for each host; rsyslog creates the missing directories itself.
That will definitely give you some order.
One caveat: %HOSTNAME% is whatever the sender put in the message header, so it is under the sender's control. rsyslog's secpath-replace property option (%HOSTNAME:::secpath-replace%) turns any slash in it into an underscore so a crafted hostname cannot write outside /var/log/network, and %FROMHOST-IP% is the alternative if you would rather key the files on the address you actually received the message from.
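The same listener, template and rule in rsyslog's newer RainerScript syntax, with the remote input bound to its own ruleset and the hostname sanitised, as an added example; it is not the post's own configuration. The management address 10.0.0.5, the drop-in file name /etc/rsyslog.d/remote.conf and the 0750/0640 modes are assumptions.

```rsyslog
# /etc/rsyslog.d/remote.conf  (added example, not the post's own config)
# Listen only on the management address (assumed 10.0.0.5). UDP syslog is
# unauthenticated, so also restrict the port with firewalld to the log sources.
module(load="imudp")
input(type="imudp" address="10.0.0.5" port="514" ruleset="remote")

# One directory per day and one file per sending host. secpath-replace turns
# any "/" a sender puts in its hostname into "_", so the path stays under
# /var/log/network even for a crafted hostname.
template(name="remote-incoming-logs" type="string"
         string="/var/log/network/%$year%-%$month%-%$day%/%HOSTNAME:::secpath-replace%.log")

# Messages from the bound input only pass through this ruleset, so they never
# reach the default rules (and /var/log/messages); stop makes that explicit.
ruleset(name="remote") {
    action(type="omfile" dynaFile="remote-incoming-logs"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}
```

The stock /etc/rsyslog.conf on RHEL 9 already includes every *.conf under /etc/rsyslog.d/, so if you use this drop-in, leave the imudp lines in the main file commented out (two listeners on 514/udp will fail) and validate with rsyslogd -N1 before restarting.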

When your configuration file is done, validate it with rsyslogd -N1 (as shown earlier) and then restart the syslog daemon.

[dominic@localhost ~]$ sudo systemctl restart rsyslog
[sudo] password for dominic: 
[dominic@localhost ~]$ sudo systemctl status rsyslog
● rsyslog.service - System Logging Service
     Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2022-08-20 18:03:31 CEST; 7s ago
       Docs: man:rsyslogd(8)
             https://www.rsyslog.com/doc/
   Main PID: 3055 (rsyslogd)
      Tasks: 5 (limit: 23284)
     Memory: 1.0M
        CPU: 6ms
     CGroup: /system.slice/rsyslog.service
             └─3055 /usr/sbin/rsyslogd -n

Aug 20 18:03:31 localhost.localdomain systemd[1]: Starting System Logging Service...
Aug 20 18:03:31 localhost.localdomain systemd[1]: Started System Logging Service.

If you have any problems setting this up then check my guide on how to troubleshoot it.
There are many reasons why this won’t work, but I have sorted almost all of them right here with solutions.

If you have read that post and you still can’t make it work, hit me up and maybe I can help you out.
