The rsyslog service provides facilities both for running a logging server and for configuring individual systems to send their log files to the logging server. See Example25.12, “Reliable Forwarding of Log Messages to a Server” for information on client rsyslog configuration.
The rsyslog service must be installed on the system that you intend to use as a logging server and all systems that will be configured to send logs to it. Rsyslog is installed by default in RedHat EnterpriseLinux6. If required, to ensure that it is, enter the following command as root:
~]#yum install rsyslogThe default protocol and port for syslog traffic is UDP and 514, as listed in the /etc/services file. However, rsyslog defaults to using TCP on port 514. In the configuration file, /etc/rsyslog.conf, TCP is indicated by @@.
Other ports are sometimes used in examples, however SELinux is only configured to allow sending and receiving on the following ports by default:
~]# semanage port -l | grep syslogsyslogd_port_t tcp 6514, 601syslogd_port_t udp 514, 6514, 601 The semanage utility is provided as part of the policycoreutils-python package. If required, install the package as follows:
~]# yum install policycoreutils-pythonIn addition, by default the SELinux type for rsyslog, rsyslogd_t, is configured to permit sending and receiving to the remote shell (rsh) port with SELinux type rsh_port_t, which defaults to TCP on port 514. Therefore it is not necessary to use semanage to explicitly permit TCP on port 514. For example, to check what SELinux is set to permit on port 514, enter a command as follows:
~]# semanage port -l | grep 514output omittedrsh_port_t tcp 514syslogd_port_t tcp 6514, 601syslogd_port_t udp 514, 6514, 601For more information on SELinux, see RedHat EnterpriseLinux6 SELinux User Guide.
Perform the steps in the following procedures on the system that you intend to use as your logging server. All steps in these procedure must be made as the root user.
Procedure25.5.Configure SELinux to Permit rsyslog Traffic on a Port
If required to use a new port for rsyslog traffic, follow this procedure on the logging server and the clients. For example, to send and receive TCP traffic on port 10514, proceed as follows:
~]#
semanage port -a -t syslogd_port_t -p tcp 10514Review the SELinux ports by entering the following command:
~]#
semanage port -l | grep syslogIf the new port was already configured in
/etc/rsyslog.conf, restartrsyslognow for the change to take effect:~]#
service rsyslog restartVerify which ports
rsyslogis now listening to:~]#
netstat -tnlp | grep rsyslogtcp 0 0 0.0.0.0:10514 0.0.0.0:* LISTEN 2528/rsyslogdtcp 0 0 :::10514 :::* LISTEN 2528/rsyslogd
See the semanage-port(8) manual page for more information on the semanage port command.
Procedure25.6.Configuring The iptables Firewall
Configure the iptables firewall to allow incoming rsyslog traffic. For example, to allow TCP traffic on port 10514, proceed as follows:
Open the
/etc/sysconfig/iptablesfile in a text editor.Add an
INPUTrule allowingTCPtraffic on port10514to the file. The new rule must appear before anyINPUTrules thatREJECTtraffic.-A INPUT -m state --state NEW -m tcp -p tcp --dport 10514 -j ACCEPT
Save the changes to the
/etc/sysconfig/iptablesfile.Restart the
iptablesservice for the firewall changes to take effect.~]#
service iptables restart
Procedure25.7.Configuring rsyslog to Receive and Sort Remote Log Messages
Open the
/etc/rsyslog.conffile in a text editor and proceed as follows:Add these lines below the modules section but above the
Provides UDP syslog receptionsection:# Define templates before the rules that use them### Per-Host Templates for Remote Systems ###$template TmplAuthpriv, "/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"$template TmplMsg, "/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
Replace the default
Provides TCP syslog receptionsection with the following:# Provides TCP syslog reception$ModLoad imtcp# Adding this ruleset to process remote messages$RuleSet remote1authpriv.* ?TmplAuthpriv*.info;mail.none;authpriv.none;cron.none ?TmplMsg$RuleSet RSYSLOG_DefaultRuleset #End the rule set by switching back to the default rule set$InputTCPServerBindRuleset remote1 #Define a new input and bind it to the "remote1" rule set$InputTCPServerRun 10514
Save the changes to the
/etc/rsyslog.conffile.The
rsyslogservice must be running on both the logging server and the systems attempting to log to it.Use the
servicecommand to start thersyslogservice.~]#
service rsyslog startTo ensure the
rsyslogservice starts automatically in future, enter the following command as root:~]#
chkconfig rsyslog on
Your log server is now configured to receive and store log files from the other systems in your environment.
25.6.1.Using The New Template Syntax on a Logging Server
Rsyslog 7 has a number of different templates styles. The string template most closely resembles the legacy format. Reproducing the templates from the example above using the string format would look as follows:
template(name="TmplAuthpriv" type="string" string="/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log" )template(name="TmplMsg" type="string" string="/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log" )
These templates can also be written in the list format as follows:
template(name="TmplAuthpriv" type="list") { constant(value="/var/log/remote/auth/") property(name="hostname") constant(value="/") property(name="programname" SecurePath="replace") constant(value=".log") }template(name="TmplMsg" type="list") { constant(value="/var/log/remote/msg/") property(name="hostname") constant(value="/") property(name="programname" SecurePath="replace") constant(value=".log") }This template text format might be easier to read for those new to rsyslog and therefore can be easier to adapt as requirements change.
To complete the change to the new syntax, we need to reproduce the module load command, add a rule set, and then bind the rule set to the protocol, port, and ruleset:
module(load="imtcp")ruleset(name="remote1"){ authpriv.* action(type="omfile" DynaFile="TmplAuthpriv") *.info;mail.none;authpriv.none;cron.none action(type="omfile" DynaFile="TmplMsg")}input(type="imtcp" port="10514" ruleset="remote1")