Comprehensive Guide To Configure Rsyslog in AlmaLinux 8/9

This tutorial aims to guide you on how to install and configure Rsyslog in AlmaLinux, effectively setting up system logging on your AlmaLinux server. This guide is applicable to both AlmaLinux 8 and AlmaLinux 9. Let’s delve into Rsyslog and learn how to Configure Rsyslog in AlmaLinux with the following steps.

What Is Rsyslog in Linux?

Rsyslog (Rocket-fast System for log processing) is a powerful logging utility in Linux designed for high performance and robust security. It’s the default system logging daemon in many Linux distributions.

Before you begin, you need access to the server as a non-root user with sudo privileges and a basic firewall (firewalld) in place; see the AlmaLinux initial server setup tutorials if needed. Then follow the steps below to install and configure Rsyslog on AlmaLinux.

Step 1 – Check if Rsyslog is Installed

First, check if Rsyslog is already installed on your server using the following command:

sudo systemctl status rsyslog

In some cases, you might see an output like this:

**Output**
Unit rsyslog.service could not be found.

This indicates that Rsyslog is not installed, and we need to proceed with the installation and enabling of the service.

Step 2 – Command To Install Rsyslog in AlmaLinux

Use the following command to install Rsyslog on your AlmaLinux system:

sudo dnf install rsyslog -y

The output should be similar to this:

**Output**
Installed:
  libestr-0.1.11-4.el9.x86_64       libfastjson-0.99.9-3.el9.x86_64
  rsyslog-8.2102.0-113.el9_2.x86_64 rsyslog-logrotate-8.2102.0-113.el9_2.x86_64

Complete!

Step 3 – Enable Rsyslog in AlmaLinux

After the installation is complete, start and enable the Rsyslog service using these commands:

sudo systemctl enable rsyslog
sudo systemctl start rsyslog

Verify that Rsyslog is active and running:

sudo systemctl status rsyslog

[Image of Rsyslog Status service on AlmaLinux]

Now, let’s configure Rsyslog on AlmaLinux to forward logs to another Rsyslog host over TCP or UDP, which gives you one central place to keep and review logs. Keep in mind that plain syslog over TCP or UDP is neither encrypted nor authenticated: the traffic crosses the network in clear text, and anything that can reach the listening port can inject messages that end up in the per-host files on the server. Restrict the port to your client networks in firewalld, and for anything beyond a lab use Rsyslog’s TLS transport (the rsyslog-gnutls package provides the gtls network stream driver) on its own port.

Step 4 – Configure Rsyslog for Remote Logging over TCP

For remote logging over TCP you configure two sides: the server, which listens and writes the received messages to disk, and the client, which forwards its messages to the server.

Configure AlmaLinux Server TCP Remote Logging

First, pick a TCP port for the receiver. This guide uses 30514 rather than the conventional 514; any free port works as long as every step below uses the same one. Open it in firewalld:

sudo firewall-cmd --zone=public --permanent --add-port=30514/tcp
sudo firewall-cmd --reload

Then label the port for SELinux so that rsyslogd is allowed to bind it. The semanage tool comes from the policycoreutils-python-utils package; install that first if the command is not found:

sudo semanage port -a -t syslogd_port_t -p tcp 30514

Create a file in the /etc/rsyslog.d directory using your preferred text editor (e.g., vi):

sudo vi /etc/rsyslog.d/remotelog.conf

Add the following content to the file:

# Define templates before the rules that use them.
# Per-host, per-program files for remote systems. Both the hostname and the
# program name are taken from the received message, i.e. they are supplied by
# the sender. SecurePath="replace" turns any "/" in the program name into "_",
# so a crafted syslog tag cannot steer the file path outside /var/log/remote.
# If you do not want to trust the hostname the sender claims, use the
# fromhost (or fromhost-ip) property, which is derived from the connection.
template(name="TmplAuthpriv" type="list") {
    constant(value="/var/log/remote/auth/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
}

template(name="TmplMsg" type="list") {
    constant(value="/var/log/remote/msg/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
}

# Provides TCP syslog reception
module(load="imtcp")

# Ruleset for messages arriving on the remote input. Messages bound to this
# ruleset do not pass through the rules in /etc/rsyslog.conf, so remote
# traffic stays out of the local /var/log/messages and /var/log/secure.
ruleset(name="remote1") {
    authpriv.*                                 action(type="omfile" DynaFile="TmplAuthpriv")
    *.info;mail.none;authpriv.none;cron.none   action(type="omfile" DynaFile="TmplMsg")
}

# Bind the TCP listener to the ruleset. The port must match the firewalld
# and SELinux rules above.
input(type="imtcp" port="30514" ruleset="remote1")

Save and close the file.

Check the configuration for syntax errors before restarting, so that a typo does not take logging down:

sudo rsyslogd -N 1

A clean run prints the rsyslogd version and ends with the line “rsyslogd: End of config validation run. Bye.” Any other line reports an error and names the file and line to fix.

Restart the Rsyslog service to apply the changes:

sudo systemctl restart rsyslog

Configure a Client for TCP Remote Logging

On the client machine, install and enable Rsyslog as described above. The client opens an outbound connection to the server, so there is no inbound port to open on the client; only make sure that outbound traffic to port 30514 on the server is allowed.

Create a Rsyslog file on the client machine:

sudo vi /etc/rsyslog.d/remotelog.conf

Add the following content to the file:

# Forward every message to the central server over TCP.
# The queue parameters give the action a disk-assisted in-memory queue:
# while the server is unreachable, messages are buffered (and spooled to
# example_fwd* files under rsyslog's work directory, /var/lib/rsyslog on
# AlmaLinux) instead of being dropped. queue.saveOnShutdown writes the
# queue to disk when rsyslog stops, and resumeRetryCount="-1" retries forever.
# Replace orcacore.com with your server's hostname or IP address; port and
# protocol must match the input on the server.
*.* action(type="omfwd"
      queue.type="linkedlist"
      queue.filename="example_fwd"
      action.resumeRetryCount="-1"
      queue.saveOnShutdown="on"
      target="orcacore.com" port="30514" protocol="tcp"
     )

Save and close the file. The target specifies the server and port that receive the messages. Note that plain TCP syslog carries no application-level acknowledgement, so messages already handed to the network when a connection drops can still be lost; Rsyslog’s RELP modules (omrelp/imrelp) exist for deployments that cannot tolerate that.

Restart the Rsyslog service on the client machine:

sudo systemctl restart rsyslog

Send a Test Message and Verify it from the Server

Send a test message from the client’s machine:

sudo logger test

logger does not need root, but the tag it attaches defaults to the name of the invoking user, which is root when run through sudo; the tag is what the programname property in the server templates turns into the file name. Use logger -t myapp to set the tag explicitly, and logger -p authpriv.notice to send a message that lands under /var/log/remote/auth/ instead.

On the AlmaLinux server, verify that the message has been received:

sudo cat /var/log/remote/msg/hostname/root.log

Note: Replace hostname with the hostname of the client system, and root with the tag under which the message was logged (the user that ran logger, or the value passed with -t).

Step 5 – Configure Rsyslog for Remote Logging over UDP

You can also receive logs over UDP. The conventional syslog port is 514/udp, but as with TCP you can pick any port.

The procedure mirrors the TCP one, with the protocol swapped at every step: open the port for udp instead of tcp in firewalld, label it with semanage using -p udp, load the imudp module on the server and bind an imudp input to the ruleset, and set protocol="udp" in the client’s omfwd action. UDP is fire-and-forget: there is no connection, no retry and no notice when a datagram is dropped on the wire, so prefer TCP (or TLS) wherever the logs matter.
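As an added example (not from the original article), here is a complete server file that accepts both TCP and UDP on the same port into the single ruleset and directory layout from Step 4, followed by the matching UDP client line. Port 30514 for UDP, the drop-in file names and the server hostname log.example.com are assumptions; the comments carry the firewalld and SELinux commands the UDP listener needs.

```rsyslog
# --- Log SERVER: /etc/rsyslog.d/remotelog.conf -------------------------------
# Added example, not from the original article. It replaces the TCP-only file
# from Step 4 so that both transports feed ONE ruleset and ONE directory layout.
# Port 30514 for UDP is an assumption; open it before restarting rsyslog:
#   sudo firewall-cmd --zone=public --permanent --add-port=30514/udp
#   sudo firewall-cmd --reload
#   sudo semanage port -a -t syslogd_port_t -p udp 30514
# (the tcp port label was added in Step 4).

# Per-host, per-program files; SecurePath="replace" neutralises "/" in the
# sender-supplied program name so it cannot escape /var/log/remote.
template(name="TmplAuthpriv" type="list") {
    constant(value="/var/log/remote/auth/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
}

template(name="TmplMsg" type="list") {
    constant(value="/var/log/remote/msg/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
}

# TCP and UDP reception
module(load="imtcp")
module(load="imudp")

# One ruleset for both transports; remote messages never touch the local
# rules in /etc/rsyslog.conf.
ruleset(name="remote1") {
    authpriv.*                                 action(type="omfile" DynaFile="TmplAuthpriv")
    *.info;mail.none;authpriv.none;cron.none   action(type="omfile" DynaFile="TmplMsg")
}

# Two listeners on the same port number, one per protocol, bound to the ruleset
input(type="imtcp" port="30514" ruleset="remote1")
input(type="imudp" port="30514" ruleset="remote1")

# --- CLIENT: /etc/rsyslog.d/remotelog.conf -----------------------------------
# Hostname log.example.com is an assumption. With UDP there is no connection
# to retry, so the queue parameters used for the TCP client add nothing here:
# a datagram lost in transit is simply gone.
*.* action(type="omfwd" target="log.example.com" port="30514" protocol="udp")
```

Run sudo rsyslogd -N 1 on each side before restarting, exactly as in Step 4; a client that cannot resolve log.example.com will show the failure there rather than silently dropping messages later.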

That’s it! For more information, visit Rsyslog Documentation.

What is the configuration file for Rsyslog in Linux?

The main configuration file is /etc/rsyslog.conf. It holds the global directives, the module loads and the rules, each rule consisting of a filter and an action. On AlmaLinux the main file includes /etc/rsyslog.d/*.conf, which is why the drop-in files created above take effect without editing it. The drop-ins are read in alphabetical order, which matters when one file refers to a template or ruleset defined in another.

Conclusion

You have now learned to install, enable, and Configure Rsyslog in AlmaLinux. You’ve also configured Rsyslog for remote logging over TCP and UDP on both the client and server.

Alternative Solutions for Centralized Logging

While Rsyslog is a robust solution, alternative methods exist for centralized logging in AlmaLinux. Here are two different approaches:

1. Using the Elastic Stack (ELK): Elasticsearch, Logstash, and Kibana

The ELK stack is a popular choice for centralized logging, offering powerful search, analysis, and visualization capabilities.

  • Elasticsearch: A distributed, RESTful search and analytics engine.
  • Logstash: A data processing pipeline that ingests logs, transforms them, and sends them to Elasticsearch.
  • Kibana: A visualization dashboard for exploring and visualizing data in Elasticsearch.

Explanation:

Instead of directly forwarding logs to another Rsyslog instance, you would configure Rsyslog on your client machines to forward logs to Logstash. Logstash then processes these logs, potentially enriching them with additional data, and sends them to Elasticsearch. Kibana allows you to create dashboards and visualizations to analyze the log data stored in Elasticsearch.

Configuration Example (Simplified Logstash Configuration):

input {
  # Raw listeners; rsyslog forwards its RFC 3164 lines here. A port above
  # 1024 is used so Logstash does not need to run as root.
  tcp {
    port => 5140
    type => "system"
  }
  udp {
    port => 5140
    type => "system"
  }
}

filter {
  if [type] == "system" {
    grok {
      # Matches lines such as
      #   <13>Jan  1 12:00:00 host sshd[1234]: message
      # The pattern is not anchored, so the leading <PRI> is skipped.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
    date {
      # Set the event time from the syslog timestamp (single- and double-digit day)
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"] # Elasticsearch server address
    index => "system-%{+YYYY.MM.dd}"
  }
}

This pipeline listens on port 5140 over TCP and UDP, splits each RFC 3164 line into separate fields with a Grok pattern, sets the event time from the syslog timestamp, and writes the result to Elasticsearch. Two details matter. The input must be a raw tcp or udp input: Logstash’s syslog input already parses RFC 3164 itself and replaces message with the bare message body, so a Grok pattern that starts with the timestamp would never match. And the parsed body goes into a new field (syslog_message) rather than back into message; Grok does not overwrite an existing field unless told to with its overwrite option, and would otherwise turn message into an array holding both the raw line and the body. On the client side you configure rsyslog to forward to this port.
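As an added example (not part of the original article), the client side of this setup: an rsyslog drop-in that forwards everything to the Logstash listener above. The hostname logstash.example.com and the file name are assumptions. The template choice is the part that matters: the Grok pattern expects the traditional RFC 3164 timestamp, and rsyslog’s default forwarding template would send an RFC 3339 one that %{SYSLOGTIMESTAMP} does not match.

```rsyslog
# CLIENT: /etc/rsyslog.d/logstash.conf -- added example, not from the original
# article. Assumes the Logstash tcp input listens on logstash.example.com:5140
# (hostname is an assumption).
#
# RSYSLOG_TraditionalForwardFormat emits
#   <PRI>Mon dd HH:MM:SS host prog[pid]: message
# which is what the Grok pattern in the Logstash filter parses. rsyslog's
# default forward template (RSYSLOG_ForwardFormat) uses an RFC 3339 timestamp
# such as 2024-01-01T12:00:00+00:00, which %{SYSLOGTIMESTAMP} rejects and
# every event would be tagged _grokparsefailure.
#
# The queue settings mirror the rsyslog-to-rsyslog client: buffer to disk
# while Logstash is down or restarting instead of dropping messages.
*.* action(type="omfwd"
           target="logstash.example.com" port="5140" protocol="tcp"
           template="RSYSLOG_TraditionalForwardFormat"
           queue.type="linkedlist"
           queue.filename="logstash_fwd"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1"
          )
```

After sudo rsyslogd -N 1 and a restart, logger -t demo "hello" on the client should appear in Kibana as an event with syslog_program set to demo and syslog_message set to hello; an event carrying a _grokparsefailure tag instead means the template or the input type does not match.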

This approach offers advanced features like:

  • Scalability: The ELK stack is designed to handle large volumes of log data.
  • Powerful Search: Elasticsearch provides powerful search capabilities for quickly finding specific log entries.
  • Data Analysis: Kibana allows you to create dashboards and visualizations to analyze log data and identify trends.

2. Using Graylog

Graylog is another open-source log management platform that offers similar functionality to the ELK stack, but with a more user-friendly interface and a more integrated approach.

Explanation:

Graylog provides a central server that collects, processes, and stores log data. You can configure Rsyslog on your client machines to forward logs to the Graylog server. Graylog then provides a web interface for searching, analyzing, and visualizing the log data.

Configuration Example (Rsyslog Client Configuration):

*.* @graylog-server:514;RSYSLOG_SyslogProtocol23Format

Replace graylog-server with the hostname or IP address of your Graylog server. In this legacy syntax a single @ means UDP and @@ means TCP; the part after the semicolon selects the RSYSLOG_SyslogProtocol23Format template, which emits RFC 5424 messages, the structured format Graylog’s syslog inputs parse best. The port must match the Syslog input you created in Graylog: the Graylog server normally runs unprivileged and cannot bind port 514 without extra setup, so its syslog inputs are usually created on a port above 1024, commonly 1514.

Graylog offers advantages like:

  • Ease of Use: Graylog provides a user-friendly web interface for managing log data.
  • Centralized Management: Graylog provides a single platform for collecting, processing, and storing log data.
  • Alerting: Graylog allows you to set up alerts based on specific log events.

Both the ELK stack and Graylog offer more advanced features than a simple Rsyslog-to-Rsyslog setup, but they also require more setup and maintenance. The choice depends on your specific needs and the complexity of your environment.
