This tutorial intends to teach you to Install and Configure Rsyslog System Logging in the AlmaLinux server. You can use both AlmaLinux 8 and AlmaLinux 9. Now let’s get familiar with Rsyslog and what it means.
What Is Rsyslog?
Rsyslog (Rocket-fast System for log processing) is a tool in Linux that is used for message logging. It has high performance and ships with excellent security.
Now follow the steps below to enable this amazing tool and work with it on AlmaLinux.
How To Configure Rsyslog in AlmaLinux?
To complete this guide, you must have access to your server as a non-root user with sudo privileges and set up a basic firewall. For this purpose, you can visit AlmaLinux Tutorials and check for the Initial Guides.
Then, follow the steps below to start your Rsyslog configuration.
Step 1 – Check if you have Rsyslog installed
First, you must check for your Rsyslog installation on your server y using the command below:
sudo systemctl status rsyslogIn my case, I get the following output:
Output
Unit rsyslog.service could not be found.
So we must install and enable Rsyslog.
Step 2 – How To Install Rsyslog in AlmaLinux?
At this point, you can use the following command to install the Rsyslog utility in AlmaLinux:
sudo dnf install rsyslog -y
In your output, you will see:
Output
Installed:
libestr-0.1.11-4.el9.x86_64 libfastjson-0.99.9-3.el9.x86_64
rsyslog-8.2102.0-113.el9_2.x86_64 rsyslog-logrotate-8.2102.0-113.el9_2.x86_64
Complete!
Step 3 – How To Enable Rsyslog in AlmaLinux?
When your installation is completed, you must start and enable your Rsyslog service by using the following commands:
# sudo systemctl enable rsyslog
# sudo systemctl start rsyslogFinally, verify your Rsyslog is active and running on AlmaLinux:
sudo systemctl status rsyslogOutput
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: >
Active: active (running) since Mon 2023-07-10 03:01:06 EDT; 30s ago
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Main PID: 75851 (rsyslogd)
Tasks: 3 (limit: 23609)
Memory: 3.2M
CPU: 904ms
CGroup: /system.slice/rsyslog.service
...At this point, we want to show you to configure Rsyslog to send logs to another Rsyslog host over a TCP or UDP connection. This will in turn provide a centralized location for managing the logs.
Step 4 – Configure Rsyslog for Remote Logging over TCP
At this point, you must configure your both server and client to use the TCP logging.
Configure AlmaLinux Server TCP Remote Logging
First, from your server, you must use a different TCP port and allow it through the firewall by using the command below:
# sudo firewall-cmd --zone=public --permanent --add-port=30514/tcp
# sudo firewall-cmd --reload Then, allow the port through the SELinux with the command below:
sudo semanage port -a -t syslogd_port_t -p tcp 30514Next, you must create a file in the /etc/rsyslog.d directory with your favorite text editor, here we use vi:
sudo vi /etc/rsyslog.d/remotelog.confAdd the following content to the file:
# Define templates before the rules that use them
# Per-Host templates for remote systems
template(name="TmplAuthpriv" type="list") {
constant(value="/var/log/remote/auth/")
property(name="hostname")
constant(value="/")
property(name="programname" SecurePath="replace")
constant(value=".log")
}
template(name="TmplMsg" type="list") {
constant(value="/var/log/remote/msg/")
property(name="hostname")
constant(value="/")
property(name="programname" SecurePath="replace")
constant(value=".log")
}
# Provides TCP syslog reception
module(load="imtcp")
# Adding this ruleset to process remote messages
ruleset(name="remote1"){
authpriv.* action(type="omfile" DynaFile="TmplAuthpriv")
*.info;mail.none;authpriv.none;cron.none
action(type="omfile" DynaFile="TmplMsg")
}
input(type="imtcp" port="30514" ruleset="remote1")When you are done, save and close the file.
Now check for the Rsyslog syntax error with the command below:
rsyslogd -N 1In your output, you should see:
Output
rsyslogd: version 8.2102.0-113.el9_2, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
Then, restart your Rsyslog service to apply the changes:
sudo systemctl restart rsyslogConfigure a Client for TCP Remote Logging
At this point, from your client machine, you must install and enable the Rsyslog service as shown in the above steps, and open the TCP port on your client machine for remote logging.
When you are done, create a Rsyslog file in your client machine with the command below:
sudo vi /etc/rsyslog.d/remotelog.confAdd the following content to the file:
*.* action(type="omfwd"
queue.type="linkedlist"
queue.filename="example_fwd"
action.resumeRetryCount="-1"
queue.saveOnShutdown="on"
target="orcacore.com" port="30514" protocol="tcp"
)When you are done, save and close the file.
The target specifies the server and port to receive the messages.
Then, restart your Rsyslog service on your client machine:
sudo systemctl restart rsyslogSend a Test Message and Verify it from the Server
At this point, you can send a test message from your client’s machine with the following command:
sudo logger testNext, from your AlmaLinux server, you can use the following command to verify that the message has been received:
sudo cat /var/log/remote/msg/hostname/root.logNote: Remember to replace the hostname with the hostname of the client system. And replace the root with the user name of the user that entered the logger command on the client.
Step 5 – Configure Rsyslog for Remote Logging over UDP
Also, you can configure logging via UDP by configuring both the server and the client system. By default, port 514 is used for UDP, but you can configure a different port as we did for TCP.
The configuration steps are the same as the TCP. You just need to use the UDP port instead of TCP.
That’s it, you are done. For more information, you can visit Rsyslog Documentation.
Conclusion
At this point, you have learned to Install and Enable Rsyslog in AlmaLinux and Configure it for Remote Logging over TCP and UDP on both the Client and Server.
Hope you enjoy it. You may be interested in these articles too: