Configure Rsyslog in AlmaLinux

This tutorial intends to teach you to Install and Configure Rsyslog System Logging in the AlmaLinux server. You can use both AlmaLinux 8 and AlmaLinux 9. Now let’s get familiar with Rsyslog and what it means.

What Is Rsyslog in Linux?

Rsyslog (Rocket-fast System for log processing) is a tool in Linux that is used for message logging. It has high performance and ships with excellent security.

Now follow the steps below to enable this amazing tool and work with it on AlmaLinux.

Steps To Configure Rsyslog in AlmaLinux

To complete this guide, you must have access to your server as a non-root user with sudo privileges and set up a basic firewall. For this purpose, you can visit AlmaLinux Tutorials and check for the Initial Guides.

Then, follow the steps below to start your Rsyslog configuration.

Step 1 – Check if Rsyslog installed

First, you must check for your Rsyslog installation on your server y using the command below:

sudo systemctl status rsyslog

In my case, I get the following output:

Output
Unit rsyslog.service could not be found.

So we must install and enable Rsyslog.

Step 2 – Command To Install Rsyslog in AlmaLinux

At this point, you can use the following command to install the Rsyslog utility in AlmaLinux:

sudo dnf install rsyslog -y

In your output, you will see:

Output
Installed:
  libestr-0.1.11-4.el9.x86_64       libfastjson-0.99.9-3.el9.x86_64
  rsyslog-8.2102.0-113.el9_2.x86_64 rsyslog-logrotate-8.2102.0-113.el9_2.x86_64

Complete!

Step 3 – Enable Rsyslog in AlmaLinux

When your installation is completed, you must start and enable your Rsyslog service by using the following commands:

# sudo systemctl enable rsyslog
# sudo systemctl start rsyslog

Finally, verify your Rsyslog is active and running on AlmaLinux:

sudo systemctl status rsyslog
Output
● rsyslog.service - System Logging Service
     Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: >
     Active: active (running) since Mon 2023-07-10 03:01:06 EDT; 30s ago
       Docs: man:rsyslogd(8)
             https://www.rsyslog.com/doc/
   Main PID: 75851 (rsyslogd)
      Tasks: 3 (limit: 23609)
     Memory: 3.2M
        CPU: 904ms
     CGroup: /system.slice/rsyslog.service
...

At this point, we want to show you how to configure Rsyslog to send logs to another Rsyslog host over a TCP or UDP connection. This will in turn provide a centralized location for managing the logs.

Step 4 – Configure Rsyslog for Remote Logging over TCP

At this point, you must configure your both server and client to use the TCP logging.

Configure AlmaLinux Server TCP Remote Logging

First, from your server, you must use a different TCP port and allow it through the firewall by using the command below:

# sudo firewall-cmd --zone=public --permanent --add-port=30514/tcp 
# sudo firewall-cmd --reload 

Then, allow the port through the SELinux with the command below:

sudo semanage port -a -t syslogd_port_t -p tcp 30514

Next, you must create a file in the /etc/rsyslog.d directory with your favorite text editor, we use vi editor:

sudo vi /etc/rsyslog.d/remotelog.conf

Add the following content to the file:

# Define templates before the rules that use them
# Per-Host templates for remote systems
template(name="TmplAuthpriv" type="list") {
    constant(value="/var/log/remote/auth/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
    }

template(name="TmplMsg" type="list") {
    constant(value="/var/log/remote/msg/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
    }

# Provides TCP syslog reception
module(load="imtcp")

# Adding this ruleset to process remote messages
ruleset(name="remote1"){
     authpriv.*   action(type="omfile" DynaFile="TmplAuthpriv")
      *.info;mail.none;authpriv.none;cron.none
action(type="omfile" DynaFile="TmplMsg")
}

input(type="imtcp" port="30514" ruleset="remote1")

When you are done, save and close the file.

Now check for the Rsyslog syntax error with the command below:

rsyslogd -N 1

In your output, you should see:

Output
rsyslogd: version 8.2102.0-113.el9_2, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

Then, restart your Rsyslog service to apply the changes:

sudo systemctl restart rsyslog

Configure a Client for TCP Remote Logging

At this point, from your client machine, you must install and enable the Rsyslog service as shown in the above steps, and open the TCP port on your client machine for remote logging.

When you are done, create a Rsyslog file in your client machine with the command below:

sudo vi /etc/rsyslog.d/remotelog.conf

Add the following content to the file:

*.* action(type="omfwd"
      queue.type="linkedlist"
      queue.filename="example_fwd"
      action.resumeRetryCount="-1"
      queue.saveOnShutdown="on"
      target="orcacore.com" port="30514" protocol="tcp"
     )

When you are done, save and close the file.

The target specifies the server and port to receive the messages.

Then, restart your Rsyslog service on your client machine:

sudo systemctl restart rsyslog

Send a Test Message and Verify it from the Server

At this point, you can send a test message from your client’s machine with the following command:

sudo logger test

Next, from your AlmaLinux server, you can use the following command to verify that the message has been received:

sudo cat /var/log/remote/msg/hostname/root.log

Note: Remember to replace the hostname with the hostname of the client system. And replace the root with the user name of the user that entered the logger command on the client.

Step 5 – Configure Rsyslog for Remote Logging over UDP

Also, you can configure logging via UDP by configuring both the server and the client system. By default, port 514 is used for UDP, but you can configure a different port as we did for TCP.

The configuration steps are the same as the TCP. You just need to use the UDP port instead of TCP.

That’s it, you are done. For more information, you can visit Rsyslog Documentation.

What is the configuration file for Rsyslog in Linux?

The main configuration file for Rsyslog is /etc/rsyslog.conf. From there, you can specify global directives, modules, and rules that consist of filter and action parts. 

Conclusion

At this point, you have learned to Install and Enable Rsyslog in AlmaLinux and Configure it for Remote Logging over TCP and UDP on both the Client and Server.

Hope you enjoy it. You may be interested in these articles too:

Remove Old Kernels on AlmaLinux

10 Useful ncat Commands on AlmaLinux

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles

POPULAR TAGS

Most Popular