Configuring Remote Syslog Central Server

Posted on January 1st, 2012 | Categories: Linux

In this article I’m going to show you how to set up a central syslog server that collects system logs from multiple Linux servers, Windows servers and network devices at the same time.
I will be using the “rsyslog” service running on CentOS 6.x; the same steps apply to RHEL 5.3.x. rsyslog is the newer replacement for the classic syslog daemon and is a bit more sophisticated, with many additional features.

I. System Requirements:

1. CentOS Linux x64/x86 version 5.7 or higher. CentOS 5.7 up to 6.1 ships the rsyslog service; versions prior to 5.7 support only the classic “syslog”. You may also use Red Hat or any other Linux distribution that you are familiar with.

When you install the OS, install just the base components and make sure the rsyslog and smb (Samba) packages are selected. You will need Samba later to share the /var/log folder so you can monitor it from your Windows desktop with Kiwi Log Viewer.

2. 1 GB RAM minimum and a dual-core processor. This is enough to collect syslogs from 25+ servers and network appliances; if you have more servers you need to add more memory. I recommend 2 GB RAM.

3. 25 to 30 servers generate about 2.5 to 3 GB of syslog data per day that will be stored on your hard drive, so make sure you have enough storage capacity to hold a full month of syslogs; beyond that it depends on your organization’s retention policy. In the past, I used to zip and archive the data monthly on DVD media and lock it up in a closet because my client had to retain the data for 7 years – so, it’s up to you to decide on the storage size depending on your organization’s needs. I recommend at least 100 GB.

II. Configuring rsyslog:

Now that the server OS is installed with the requirements mentioned above, let’s get to the fun part and configure the rsyslog service.

Only a few simple modifications to the rsyslog.conf file are needed, and after that it will keep running on its own.

Log in to your server as root over SSH and edit the /etc/rsyslog.conf file:

[root@myserver /]# nano /etc/rsyslog.conf

Enable the following modules in that file:

#### MODULES ####
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad immark.so
$ModLoad imudp.so

#### Provides UDP syslog reception ####
$UDPServerAddress xxx.xxx.xxx.xxx
$UDPServerRun 514

Disable or remove all the existing log rules by adding # at the beginning of each line in the RULES section of the configuration file:

#### RULES ####
#kern.*                                                 /dev/console
#*.info;mail.none;authpriv.none;cron.none                /var/log/messages
#authpriv.*                                              /var/log/secure
#mail.*                                                  -/var/log/maillog
#cron.*                                                  /var/log/cron
#*.emerg                                                 *
#uucp,news.crit                                          /var/log/spooler
#local7.*                                                /var/log/boot.log

Add the following rule to log everything to the syslogs.log file, which we will create shortly:

*.*                           /var/log/syslogs.log

Now save rsyslog.conf and create the /var/log/syslogs.log file with the proper permissions so rsyslog can write all the logs into it:

[root@myserver /]# cd /var/log
[root@myserver log]# touch syslogs.log
[root@myserver log]# chown root:root syslogs.log
[root@myserver log]# chmod 755 syslogs.log
[root@myserver log]# service rsyslog restart
Stopping rsyslog                                                  [  OK  ]
Starting rsyslog                                                  [  OK  ]
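Before pointing real clients at the collector, it helps to prove that the receiver (and the firewall in front of it) accepts UDP 514. The following script is an added example, not part of the original article: it builds a minimal RFC 3164 datagram with the PRI/timestamp/host/tag layout rsyslog expects from the `*.* @host` forwarding rule and sends it from Python, which is useful on older hosts whose `logger` cannot target a remote server. The server address 192.0.2.10 is a placeholder.

```python
# Added example: test the UDP 514 receiver (192.0.2.10 is a placeholder address).
import socket
import time

# Facility and severity codes from RFC 3164 section 4.1.1 (subset).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "cron": 9, "authpriv": 10, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def priority(facility, severity):
    """PRI = facility * 8 + severity; rsyslog decodes this on receipt."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def rfc3164_timestamp(when=None):
    """'Mmm dd hh:mm:ss' with a space-padded day, e.g. 'Jan  1 00:00:01'."""
    when = time.localtime() if when is None else when
    return "%s %2d %s" % (time.strftime("%b", when), when.tm_mday,
                          time.strftime("%H:%M:%S", when))


def build_message(facility, severity, hostname, tag, msg, stamp=None):
    """Return the datagram '<PRI>TIMESTAMP HOSTNAME TAG: MSG' as bytes."""
    stamp = rfc3164_timestamp() if stamp is None else stamp
    line = "<%d>%s %s %s: %s" % (priority(facility, severity), stamp,
                                 hostname, tag, msg)
    return line.encode("utf-8")


def send_test_message(server, hostname, port=514, tag="rsyslog-test"):
    """Fire one datagram at the collector and return the bytes that were sent."""
    data = build_message("local7", "notice", hostname, tag,
                         "test message from %s" % hostname)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(data, (server, port))
    finally:
        sock.close()
    return data


if __name__ == "__main__":
    # Replace 192.0.2.10 with the $UDPServerAddress of your collector, then
    # grep /var/log/syslogs.log on the server for the "rsyslog-test" tag.
    print(send_test_message("192.0.2.10", socket.gethostname()))
```

Minus the `<PRI>` prefix, the datagram text is also the shape rsyslog's default template writes into syslogs.log, so the tag is easy to grep for on the server.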

III. Configuring log file rotation:

You need to start a new log file every day; otherwise syslogs.log will keep growing and it will become hard to search for anything later. So save a copy of the file for each day of the month and start a new file for the next day.

Linux lets you automate log file rotation with the logrotate command, run from a scheduled cron job every 24 hours.

To have logrotate rotate the syslogs.log file, add the following stanza to the end of your /etc/logrotate.conf file. In this example the file rotates daily, 30 days of history are kept, and the rotated files are moved to a separate folder, /var/syslog. Feel free to adjust it to whatever works best for you.

/var/log/syslogs.log {
    daily
    rotate 30
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
    olddir /var/syslog
    ifempty
}

Note: Don’t forget to create a new folder called “syslog” under /var to hold the archived logs; logrotate will not create the olddir for you and fails if it is missing.

Now you want to run that rotation once every 24 hours using a cron job, which you configure with the crontab -e command. crontab needs to know which editor to use; in this example I set the default editor to nano, but you can use vi instead.

[root@myserver /]# export EDITOR=nano
[root@myserver /]# crontab -e

Add the following line and save the file. This runs logrotate every day at 12:00 AM sharp.

@daily /usr/sbin/logrotate -f /etc/logrotate.conf    #Syslog Rotation

IV. Collecting logs from remote servers:

Now that the rsyslog server is configured and ready to go, it’s time to configure the servers and network devices to forward their logs to your syslog server.

1. Collecting logs from Windows x64/x86 clients:

Windows needs an agent installed on the server to forward Windows events to the syslog server. There are many commercial and open source agents available on the internet; I’m personally familiar with “Eventlog to Syslog”, a free open source Windows client available for x64 and x86: http://code.google.com/p/eventlog-to-syslog/downloads/list

This is how to install it:

– Download and unzip the package to your desktop

– Copy evtsys.dll and evtsys.exe to C:\Windows\System32

– Open your command line and enter the following commands:

C:\> cd Windows\System32
C:\Windows\System32> evtsys.exe -i -h rsyslog-host-ip-address

– Start the “Eventlog to Syslog” Windows service and set it to start automatically.

– For more details read the documentation provided with the client.

NOTE: Run cmd as an administrator before entering any of the commands above; otherwise the service will fail to install correctly.

2. Collecting logs from Linux clients:

On Linux it’s much easier than on Windows; you just need to add the following line at the end of your /etc/rsyslog.conf:

*.*   @rsyslog-host-ip-address

Then restart the rsyslog service:

[root@myserver /]# service rsyslog restart

Once you restart Evtsys or rsyslog, your syslog server will start collecting the logs; you can verify this by tailing the syslogs.log file:

[root@myserver /]# tail -f /var/log/syslogs.log

Press Ctrl + C to return to your command prompt.
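Tailing shows the stream but not which hosts are actually present in it. The following script is an added example, not part of the original article: it parses the traditional rsyslog line format that the `*.*` rule writes into syslogs.log, counts messages per host and flags hosts that have gone quiet, so a forwarder that stopped (agent not running, UDP 514 blocked) stands out. The sample log lines and host names are constructed.

```python
# Added example: per-host summary of syslogs.log; sample lines are constructed.
import re
import time
from collections import Counter

# Traditional rsyslog file format: 'Mmm dd hh:mm:ss HOST TAG[pid]: MSG'.
LINE_RE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<tag>[^:\s]+):?\s?(?P<msg>.*)$")

# Constructed sample of what several forwarders write into one central file.
SAMPLE_LOG = """\
Jan  1 08:00:01 web01 sshd[2231]: Accepted publickey for admin from 10.0.0.5 port 50112 ssh2
Jan  1 08:00:03 db01 CROND[9912]: (root) CMD (run-parts /etc/cron.hourly)
Jan  1 08:00:09 winfs01 evtsys: Security: 4624: An account was successfully logged on.
Jan  1 08:05:30 web01 sshd[2240]: Failed password for admin from 10.0.0.9 port 40211 ssh2
Jan  1 08:40:00 db01 kernel: eth0: link up
""".splitlines()


def parse_line(line, year):
    """Return (epoch, host, tag, msg), or None when the line is not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; take it from the file being read.
    when = time.strptime("%d %s" % (year, m.group("stamp")), "%Y %b %d %H:%M:%S")
    return time.mktime(when), m.group("host"), m.group("tag"), m.group("msg")


def summarize(lines, year, now, quiet_after=1800):
    """Messages per host, plus hosts silent for more than quiet_after seconds
    as of 'now' (epoch). A host that vanishes from the file only shows up if
    you look for its absence, so report it explicitly."""
    counts = Counter()
    last_seen = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            counts["<unparsed>"] += 1
            continue
        ts, host, _tag, _msg = parsed
        counts[host] += 1
        last_seen[host] = max(ts, last_seen.get(host, 0))
    quiet = sorted(h for h, ts in last_seen.items() if now - ts > quiet_after)
    return dict(counts), quiet


if __name__ == "__main__":
    latest = max(parse_line(l, 2012)[0] for l in SAMPLE_LOG)
    print(summarize(SAMPLE_LOG, 2012, latest))
```

On the real server replace SAMPLE_LOG with the lines of /var/log/syslogs.log and pass the current time as `now`; the same per-host view is what you would otherwise build by hand with Kiwi Log Viewer filters.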

V. Monitoring your Syslogs from your Windows client:

You have now finished all the hard work; your server is collecting tons of information from all the remote clients, and you want to sit at your desktop and monitor what’s going on in your network. That requires sharing the /var/log directory in some way so you can open the logs from your Windows desktop. For Windows to open a share on Linux you need to run the Samba service; Samba acts as the common language that both operating systems understand.

Once you can read these shares from your Windows machine, you can use Kiwi Log Viewer to monitor the logs and watch them scroll on your screen. Kiwi Log Viewer gives you many options, such as filtering and highlighting events.

1. Configuring SAMBA:

In our case we configure Samba as a simple standalone server, not a domain member, and we share just two directories: /var/log, where syslogs.log resides, and /var/syslog, where all the log history ends up.

To configure Samba you need to set some options in /etc/samba/smb.conf:

[root@myserver /]# nano /etc/samba/smb.conf

Under the global settings, set the following options:

#======================= Global Settings =====================

[global]
workgroup = MYGROUP
server string = Samba Server Version %v
security = share
passdb backend = tdbsam

Go to the end of smb.conf, where the shares are configured, and add the following:

[syslogs]
force user = root
comment = Syslogs
public = yes
guest only = yes
path = /var/log/

[archives]
force user = root
comment = Syslogs Archived files
public = yes
guest only = yes
path = /var/syslog/

What we have done above is create two shares: one called syslogs, pointing to /var/log, and the other called archives, pointing to /var/syslog.

And as usual, don’t forget to restart the smb service for the new configuration to take effect:

[root@myserver /]# service smb restart

Refer to the Samba documentation for more details: http://www.samba.org/samba/docs/Samba-Guide.pdf

2. Monitoring your Syslogs from your Windows Desktop with Kiwi Log Viewer:

– Download and install Kiwi Log Viewer on your Windows client; it can be downloaded from http://www.kiwisyslog.com/kiwi-log-viewer-overview/

– Map your syslog server’s shares to your computer as drive “L:”

– Open the L: drive on your computer and you should see only two folders, “Syslog” and “Archives” – the same ones we shared with Samba

– Launch your Kiwi Log Viewer and open L:\Syslog\syslogs.log

– Use the Tailing button in the toolbar to watch the logs scroll on your screen as the file is updated.

NOTES:

If you have trouble opening the shares or getting the remote servers to forward their logs to the syslog server correctly, it is most likely one of two things:

1- You need to open UDP port 514 on your firewall.

2- Disable SELinux: set “SELINUX=Disabled” in “/etc/selinux/config” and reboot the server.
