Setting Up a Syslog Server on RHEL 9 and CentOS 9

How to Set Up a Centralized Syslog Server on RHEL 9 / CentOS 9: A Step-by-Step Guide

In any modern IT environment, managing system logs is a critical task. Logs provide invaluable insights for troubleshooting issues, monitoring system health, and conducting security audits. However, as your infrastructure grows, checking logs on individual servers becomes inefficient and unscalable. The solution is centralized logging, and one of the most reliable ways to achieve this is by setting up a Syslog server.

This guide will walk you through the entire process of configuring a dedicated Syslog server on Red Hat Enterprise Linux (RHEL) 9 or CentOS 9 using rsyslog, the default logging daemon. By centralizing your logs, you gain a unified view of your entire network, making it easier to correlate events and detect anomalies.

Prerequisites

Before we begin, ensure you have the following:

  • Two systems running RHEL 9 or CentOS 9 (one for the server, one for the client).
  • Root or sudo privileges on both machines.
  • Basic knowledge of the Linux command line and a text editor like vi or nano.

Step 1: Install and Enable Rsyslog on the Server

Rsyslog is typically installed by default on RHEL 9 and CentOS 9 systems. You can verify its status and ensure it’s running with the following commands:

sudo systemctl status rsyslog

If it’s not installed for some reason, you can easily add it using the dnf package manager:

sudo dnf install rsyslog -y

Once installed, start and enable the service to ensure it automatically runs on boot:

sudo systemctl start rsyslog
sudo systemctl enable rsyslog

Step 2: Configure the Rsyslog Server to Receive Remote Logs

The core of the setup involves modifying the main rsyslog configuration file to listen for incoming log messages from other devices on the network.

First, open the configuration file in your preferred text editor:

sudo nano /etc/rsyslog.conf

1. Enable Network Listening Protocols

Inside the file, find and uncomment the lines that load the imudp (UDP) and imtcp (TCP) input modules and start their listeners. UDP is faster but offers no delivery guarantee, while TCP is connection-oriented and retransmits lost packets, so messages are far less likely to be dropped silently. Enable TCP for any logs that matter.

The /etc/rsyslog.conf shipped with RHEL 9 and CentOS Stream 9 expresses these settings in rsyslog's newer module()/input() syntax rather than the legacy $ModLoad form; uncommenting those lines has the same effect as the legacy directives below, which rsyslog 8 still accepts. Either way, the listeners use port 514, the standard syslog port:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

2. Create a Template for Organizing Logs

Without a template, all remote logs will be mixed into a single file, making them difficult to parse. A much better approach is to create a template that automatically sorts incoming logs into separate files based on the hostname of the client machine.

Add the following template directive near the top of the GLOBAL DIRECTIVES section in your /etc/rsyslog.conf file:

$template RemoteLogs,"/var/log/remote/%HOSTNAME%.log"

This template, which we’ve named RemoteLogs, tells rsyslog to create log files in the /var/log/remote/ directory. Each file is named after the hostname of the system that sent the message (e.g., web-server-01.log). Note that HOSTNAME is taken from the message header, so it is whatever the client wrote there; where clients are less trusted, rsyslog’s %FROMHOST-IP% property (the address the message actually arrived from) is the safer key, and the secpath-replace property option strips path characters from a client-supplied name.

Next, add a rule that applies this template to all incoming messages:

*.* ?RemoteLogs

This line instructs rsyslog to take messages from all facilities and priorities (*.*) and write them using the RemoteLogs template. A discard action placed on its own line directly below the rule stops further processing of those messages, so they are not also written to the server’s local log files; the legacy spelling is & ~ (rsyslog 8 accepts it with a deprecation warning and prefers & stop). For simplicity you can omit it, but in a production environment you would typically write:

*.* ?RemoteLogs
& ~

Bear in mind that these lines match the server’s own messages as well, so place them ahead of the default rules and, if local logs should stay separate, tie them to the network inputs with a dedicated ruleset instead.

Save the file and exit the editor. Before restarting the service, you should create the directory for the remote logs:

sudo mkdir /var/log/remote

Step 3: Adjust Firewall Rules

By default, the system firewall will block incoming connections on port 514. You must add rules to allow this traffic through.

Use the firewall-cmd utility to permanently open port 514 for both TCP and UDP:

sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --permanent --add-port=514/udp

After adding the rules, reload the firewall to apply the changes:

sudo firewall-cmd --reload

Step 4: Configure SELinux Policies

SELinux provides an essential layer of security on RHEL-based systems, but it can also prevent rsyslog from functioning correctly if not configured. You may need to tell SELinux that it’s permissible for the syslog daemon to use port 514.

First, install the necessary tools if they are not present:

sudo dnf install policycoreutils-python-utils -y

Then label port 514 for the syslog daemon. On a stock RHEL 9 policy, 514/udp is already assigned to syslogd_port_t, while 514/tcp belongs to shell_port_t (the old rsh port), so adding it with -a fails with "Port tcp/514 already defined"; use -m to change the existing label instead. You can confirm the current assignments with semanage port -l before and after:

sudo semanage port -m -t syslogd_port_t -p tcp 514
sudo semanage port -a -t syslogd_port_t -p udp 514   # only if udp 514 is not already listed under syslogd_port_t

Now that the configuration, firewall, and SELinux are set, restart the rsyslog service to apply all changes:

sudo systemctl restart rsyslog

Step 5: Configure a Client to Forward Logs

With the server ready, it’s time to configure a client machine to send its logs to it. The process is straightforward.

On the client machine, edit the /etc/rsyslog.conf file:

sudo nano /etc/rsyslog.conf

Go to the very end of the file and add one of the following lines. The rule forwards all log messages (*.*) to your new syslog server.

  • For UDP forwarding (less reliable):

    *.* @<your-syslog-server-ip>:514
    
  • For TCP forwarding (recommended):

    *.* @@<your-syslog-server-ip>:514

Note the difference: a single @ specifies UDP, while a double @@ specifies TCP. Replace <your-syslog-server-ip> with the actual IP address of your syslog server.

Save the file and restart the rsyslog service on the client:

sudo systemctl restart rsyslog

Step 6: Verify the Centralized Logging Setup

The final step is to confirm that everything is working as expected.

On the client machine, use the logger utility to generate a test log message:

logger "This is a test message from the client machine."

Now, on your syslog server, check the /var/log/remote/ directory. You should see a new log file named after your client’s hostname. View its contents to find your test message:

# First, list the files to find the client's log
ls -l /var/log/remote/

# Then, view the contents of the new file
tail -f /var/log/remote/client-hostname.log

You should see the test message appear in the output. If you do, congratulations! You have successfully set up a centralized syslog server.
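The Step 6 check, as an added example that is not part of the original guide: the client-side function sends a uniquely marked message over TCP using the logger options for a remote server (-n/-P for the destination, -T for TCP, which is what @@ selects in the client config), and the server-side functions locate the marker under the remote log root and count how many sender files received it. The PRI helpers show the facility*8+severity number that leads every syslog message on the wire, so a filter on the server can be checked with a known facility. The marker string, the sample log files and the /var/log/remote default are this example's own constructions.

```shell
#!/bin/sh
# Added example, not the guide's own code. Assumes util-linux logger on the
# client and the server's remote log root at /var/log/remote (flat layout from
# Step 2 or a per-sender directory layout); the marker must be a string that
# no real log line contains.
set -eu

# PRI = facility * 8 + severity, the number inside the angle brackets that leads
# every syslog message (RFC 3164 / RFC 5424). Standard numeric codes below.
facility_code() {
    case "$1" in
        kern) echo 0 ;;   user) echo 1 ;;   mail) echo 2 ;;   daemon) echo 3 ;;
        auth) echo 4 ;;   syslog) echo 5 ;; authpriv) echo 10 ;;
        local0) echo 16 ;; local1) echo 17 ;; local2) echo 18 ;; local3) echo 19 ;;
        local4) echo 20 ;; local5) echo 21 ;; local6) echo 22 ;; local7) echo 23 ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
}
severity_code() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;;   err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) echo "unknown severity: $1" >&2; return 1 ;;
    esac
}
syslog_pri() {                    # syslog_pri <facility> <severity>
    f=$(facility_code "$1") && s=$(severity_code "$2") && echo $(( f * 8 + s ))
}

# Client side: send one marked message over TCP (-T) to the server with an
# explicit facility/severity (local0.info has PRI 134) and a fixed tag.
send_test() {                     # send_test <server-ip> <marker>
    logger -T -n "$1" -P 514 -p local0.info -t syslog-check "$2"
}

# Server side: print "file:line" for every remote log containing the marker.
# A non-zero return means the marker arrived nowhere, which usually points at
# the firewall, the SELinux port label, or the client's forwarding rule.
find_marker() {                   # find_marker <remote-root> <marker>
    grep -rF --include='*.log' -- "$2" "$1"
}

# Number of distinct sender files that received the marker. More than one
# means two clients share a hostname, or one client forwards the message twice.
marker_sources() {                # marker_sources <remote-root> <marker>
    grep -rlF --include='*.log' -- "$2" "$1" | wc -l | tr -d ' '
}

# Constructed sample of the server directory after Step 6 (two clients, one of
# them carrying the marker), so the server-side checks can be exercised offline.
make_sample_root() {
    d=$(mktemp -d)
    printf '%s\n' \
      'Mar 12 10:15:01 web-server-01 syslog-check: syslog-check-4f2a' \
      'Mar 12 10:15:02 web-server-01 sshd[2231]: Accepted publickey for deploy from 10.0.0.12 port 51344' \
      > "$d/web-server-01.log"
    printf '%s\n' \
      'Mar 12 10:15:03 db-server-01 systemd[1]: Started Daily Cleanup of Temporary Directories.' \
      > "$d/db-server-01.log"
    echo "$d"
}

case "${1:-}" in
    send)  send_test "$2" "$3" ;;                          # on the client
    check) find_marker "${REMOTE_ROOT:-/var/log/remote}" "$2" ;;   # on the server
esac
```

Typical use: on the client `sh syslog-check.sh send 10.0.0.5 "syslog-check-$(date +%s)"`, then on the server `sh syslog-check.sh check syslog-check-<same number>`. Searching for a marker instead of tailing one file also catches the case where the message landed in an unexpected file, for example because the client's hostname differs from what you assumed.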

Security and Best Practices

  • Restrict Access: For enhanced security, configure your firewall rules to only accept syslog traffic from trusted IP addresses or subnets.
  • Use TCP and TLS: For sensitive environments, consider configuring rsyslog with TLS encryption to protect log data in transit.
  • Log Rotation: Ensure you have a logrotate policy in place for the /var/log/remote/ directory to prevent log files from consuming all your disk space.
  • Monitor the Server: Your syslog server is now a critical piece of infrastructure. Monitor its disk space, CPU, and memory usage to ensure it remains healthy.
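As an added example (not from the original guide), the script below turns the "Restrict Access" and "Log Rotation" items into concrete commands. The firewall function prints firewall-cmd rich rules for an allow-list of client subnets and, importantly, first removes the blanket --add-port rules from Step 3: firewalld rules are additive, so leaving those in place would keep port 514 open to everyone no matter what rich rules follow. The logrotate function prints a policy for the remote tree that rotates by size as well as by day, since a single chatty or misconfigured client can fill the disk quickly. The subnet values, the 200M limit and the 30-day retention are this example's own assumptions; the systemctl HUP line mirrors what the stock RHEL rsyslog logrotate policy does.

```shell
#!/bin/sh
# Added example, not the guide's own code. Assumes firewalld as in Step 3 and
# the remote log root from Step 2 (flat or per-sender layout).
set -eu

REMOTE_ROOT="${REMOTE_ROOT:-/var/log/remote}"

# Accept an IPv4 address or CIDR only (syntax check, octet range not enforced),
# so a typo cannot turn into a rule that accepts from everywhere.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print the firewall-cmd commands for an allow-list. The blanket port rules from
# Step 3 are removed first; without that, the rich rules would change nothing.
firewall_allowlist() {            # firewall_allowlist <cidr> [<cidr>...]
    [ $# -gt 0 ] || { echo "need at least one source CIDR" >&2; return 1; }
    echo 'firewall-cmd --permanent --remove-port=514/tcp'
    echo 'firewall-cmd --permanent --remove-port=514/udp'
    for src in "$@"; do
        valid_cidr "$src" || { echo "rejecting bad source: $src" >&2; return 1; }
        for proto in tcp udp; do
            printf "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"%s\" port port=\"514\" protocol=\"%s\" accept'\n" "$src" "$proto"
        done
    done
    echo 'firewall-cmd --reload'
}

# logrotate policy for the remote tree. "maxsize" triggers rotation before the
# daily schedule when a file grows too fast; rsyslog is signalled to reopen its
# files after rotation, as the stock RHEL policy does.
logrotate_policy() {
    cat <<EOF
${REMOTE_ROOT}/*.log ${REMOTE_ROOT}/*/*.log {
    daily
    maxsize 200M
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root root
    sharedscripts
    postrotate
        /usr/bin/systemctl -s HUP kill rsyslog.service >/dev/null 2>&1 || true
    endscript
}
EOF
}

case "${1:-}" in
    firewall)  shift; firewall_allowlist "$@" ;;
    logrotate) logrotate_policy ;;
esac
```

Review the output before applying it, for example `sh syslog-hardening.sh firewall 10.0.0.0/24 10.0.1.0/24` and then pipe the same command into `sudo sh`; `sh syslog-hardening.sh logrotate | sudo tee /etc/logrotate.d/remote-syslog` installs the rotation policy. Run `sudo firewall-cmd --list-all` afterwards to confirm that 514 no longer appears under "ports" and that only the allow-listed sources appear under "rich rules".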

Source: https://infotechys.com/set-up-syslog-server-on-rhel-9-and-centos-9/