25.6. Configuring rsyslog on a Logging Server

download PDF
The rsyslog service provides facilities both for running a logging server and for configuring individual systems to send their log files to the logging server. See Example 25.12, “Reliable Forwarding of Log Messages to a Server” for information on client rsyslog configuration.
The rsyslog service must be installed on the system that you intend to use as a logging server and all systems that will be configured to send logs to it. Rsyslog is installed by default in Red Hat Enterprise Linux 6. If required, to ensure that it is, enter the following command as root:
~]# yum install rsyslog
The default protocol and port for syslog traffic is UDP and 514, as listed in the /etc/services file. However, rsyslog defaults to using TCP on port 514. In the configuration file, /etc/rsyslog.conf, TCP is indicated by @@.
Other ports are sometimes used in examples, however SELinux is only configured to allow sending and receiving on the following ports by default:
~]# semanage port -l | grep syslog
syslogd_port_t                 tcp      6514, 601
syslogd_port_t                 udp      514, 6514, 601
The semanage utility is provided as part of the policycoreutils-python package. If required, install the package as follows:
~]# yum install policycoreutils-python
In addition, by default the SELinux type for rsyslog, rsyslogd_t, is configured to permit sending and receiving to the remote shell (rsh) port with SELinux type rsh_port_t, which defaults to TCP on port 514. Therefore it is not necessary to use semanage to explicitly permit TCP on port 514. For example, to check what SELinux is set to permit on port 514, enter a command as follows:
~]# semanage port -l | grep 514
output omitted
rsh_port_t                     tcp      514
syslogd_port_t                 tcp      6514, 601
syslogd_port_t                 udp      514, 6514, 601
For more information on SELinux, see Red Hat Enterprise Linux 6 SELinux User Guide.
Perform the steps in the following procedures on the system that you intend to use as your logging server. All steps in these procedure must be made as the root user.

Procedure 25.5. Configure SELinux to Permit rsyslog Traffic on a Port

If required to use a new port for rsyslog traffic, follow this procedure on the logging server and the clients. For example, to send and receive TCP traffic on port 10514, proceed as follows:
  1. ~]# semanage port -a -t syslogd_port_t -p tcp 10514
  2. Review the SELinux ports by entering the following command:
    ~]# semanage port -l | grep syslog
  3. If the new port was already configured in /etc/rsyslog.conf, restart rsyslog now for the change to take effect:
    ~]# service rsyslog restart
  4. Verify which ports rsyslog is now listening to:
    ~]# netstat -tnlp | grep rsyslog
    tcp        0      0 *   LISTEN      2528/rsyslogd
    tcp        0      0 :::10514                :::*        LISTEN      2528/rsyslogd
See the semanage-port(8) manual page for more information on the semanage port command.

Procedure 25.6. Configuring The iptables Firewall

Configure the iptables firewall to allow incoming rsyslog traffic. For example, to allow TCP traffic on port 10514, proceed as follows:
  1. Open the /etc/sysconfig/iptables file in a text editor.
  2. Add an INPUT rule allowing TCP traffic on port 10514 to the file. The new rule must appear before any INPUT rules that REJECT traffic.
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 10514 -j ACCEPT
  3. Save the changes to the /etc/sysconfig/iptables file.
  4. Restart the iptables service for the firewall changes to take effect.
    ~]# service iptables restart

Procedure 25.7. Configuring rsyslog to Receive and Sort Remote Log Messages

  1. Open the /etc/rsyslog.conf file in a text editor and proceed as follows:
    1. Add these lines below the modules section but above the Provides UDP syslog reception section:
      # Define templates before the rules that use them
      ### Per-Host Templates for Remote Systems ###
      $template TmplAuthpriv, "/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
      $template TmplMsg, "/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
    2. Replace the default Provides TCP syslog reception section with the following:
      # Provides TCP syslog reception
      $ModLoad imtcp
      # Adding this ruleset to process remote messages
      $RuleSet remote1
      authpriv.*   ?TmplAuthpriv
      *.info;mail.none;authpriv.none;cron.none   ?TmplMsg
      $RuleSet RSYSLOG_DefaultRuleset   #End the rule set by switching back to the default rule set
      $InputTCPServerBindRuleset remote1  #Define a new input and bind it to the "remote1" rule set
      $InputTCPServerRun 10514
    Save the changes to the /etc/rsyslog.conf file.
  2. The rsyslog service must be running on both the logging server and the systems attempting to log to it.
    1. Use the service command to start the rsyslog service.
      ~]# service rsyslog start
    2. To ensure the rsyslog service starts automatically in future, enter the following command as root:
      ~]# chkconfig rsyslog on
Your log server is now configured to receive and store log files from the other systems in your environment.

25.6.1. Using The New Template Syntax on a Logging Server

Rsyslog 7 has a number of different templates styles. The string template most closely resembles the legacy format. Reproducing the templates from the example above using the string format would look as follows:
template(name="TmplAuthpriv" type="string"

template(name="TmplMsg" type="string"
These templates can also be written in the list format as follows:
template(name="TmplAuthpriv" type="list") {
    property(name="programname" SecurePath="replace")

template(name="TmplMsg" type="list") {
    property(name="programname" SecurePath="replace")
This template text format might be easier to read for those new to rsyslog and therefore can be easier to adapt as requirements change.
To complete the change to the new syntax, we need to reproduce the module load command, add a rule set, and then bind the rule set to the protocol, port, and ruleset:

     authpriv.*   action(type="omfile" DynaFile="TmplAuthpriv")
      *.info;mail.none;authpriv.none;cron.none action(type="omfile" DynaFile="TmplMsg")

input(type="imtcp" port="10514" ruleset="remote1")
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.