Lab Scenario:
Syslog Server = 192.168.0.80 <============ Hostname mail
Syslog client = 192.168.0.65 <============ Hostname storage
Server Side Configuration
1. Step = Install the rsyslog RPM
# yum install rsyslog
bb | 4.0 kB 00:00
bb/primary_db | 3.1 MB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package rsyslog.x86_64 0:5.8.10-2.el6 will be installed
--> Processing Dependency: logrotate >= 3.5.2 for package: rsyslog-5.8.10-2.el6.x86_64
--> Running transaction check
---> Package logrotate.x86_64 0:3.7.8-15.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
rsyslog x86_64 5.8.10-2.el6 bb 647 k
Installing for dependencies:
logrotate x86_64 3.7.8-15.el6 bb 55 k
Transaction Summary
================================================================================
Install 2 Package(s)
Total download size: 702 k
Installed size: 2.2 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): logrotate-3.7.8-15.el6.x86_64.rpm | 55 kB 00:00
(2/2): rsyslog-5.8.10-2.el6.x86_64.rpm | 647 kB 00:00
--------------------------------------------------------------------------------
Total 3.9 MB/s | 702 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : logrotate-3.7.8-15.el6.x86_64 1/2
warning: /var/lib/logrotate.status created as /var/lib/logrotate.status.rpmnew
Installing : rsyslog-5.8.10-2.el6.x86_64 2/2
warning: /etc/rsyslog.conf created as /etc/rsyslog.conf.rpmnew
Verifying : rsyslog-5.8.10-2.el6.x86_64 1/2
Verifying : logrotate-3.7.8-15.el6.x86_64 2/2
Installed:
rsyslog.x86_64 0:5.8.10-2.el6
Dependency Installed:
logrotate.x86_64 0:3.7.8-15.el6
Complete!
2. Step = Edit the rsyslog.conf file as shown below
[root@mail log]# cat /etc/rsyslog.conf
#rsyslog v3 config file
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
#### MODULES ####
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)
#$ModLoad immark.so # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 514
# Provides TCP syslog reception
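$ModLoad imtcp.so # <====== Uncomment this line
$InputTCPServerRun 514 # <====== Uncomment this line
# Edit here: add the client IP address on the next line <==============
:FROMHOST-IP, isequal,"192.168.0.65" /var/log/servers.log
# Discard the message after writing it so the rules below do not log it again
& ~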
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/spppl/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
3. Step = Restart the rsyslog service
================================================================================
Client Side
1. Step = Install the rsyslog RPM
2. Step = Edit the rsyslog.conf file as shown below
[root@storage ~]# cat /etc/rsyslog.conf
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
# Uncomment the next six lines <======================
$WorkDirectory /var/lib/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# Add the syslog server IP address on the next line <===================================
*.* @@192.168.0.80:514
# ### end of the forwarding rule ###
3. Step = Restart the rsyslog service
Test configuration
On the client side, run the command below to test
[root@storage ~]# logger "testing to remote rsyslog server"
[root@storage ~]# logger "testing to remote rsyslog server"
[root@storage ~]# logger "testing to remote rsyslog server"
[root@storage ~]# logger "testing to remote rsyslog server"
Check the log on the server side (/var/log/servers.log)
2013-05-11T12:46:27+05:08 storage root: testing to remote rsyslog server
2013-05-11T12:46:27+05:08 storage root: testing to remote rsyslog server
2013-05-11T12:46:27+05:08 storage root: testing to remote rsyslog server
2013-05-11T12:46:28+05:08 storage root: testing to remote rsyslog server
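A lint for the two configurations above, added here as an example and not part of the original write-up: it checks that the server really loads imtcp, listens on 514 and filters the client IP with `& ~` directly after, and that the client forwards over TCP (`@@`) with the queue directives set before the rule. The function names and the sample configs in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: lint the lab's two rsyslog.conf
# files. Function names and the sample configs in demo() are constructed.

# Print active configuration only: strip comments and blank lines.
active() { sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"; }
esc() { printf '%s' "$1" | sed 's/\./\\./g'; }   # escape dots for grep -E

check_server() (   # $1 = conf file, $2 = client IP
  ip=$(esc "$2"); cfg=$(active "$1")
  has() { printf '%s\n' "$cfg" | grep -Eiq "$1"; }
  has '^\$ModLoad[[:space:]]+imtcp(\.so)?$' || { echo "imtcp not loaded"; exit 1; }
  has '^\$InputTCPServerRun[[:space:]]+514$' || { echo "no TCP listener on 514"; exit 1; }
  has "^:fromhost-ip,[[:space:]]*isequal,[[:space:]]*\"$ip\"[[:space:]]+/[^[:space:]]+$" ||
    { echo "no filter for $2"; exit 1; }
  # "& ~" must directly follow the filter, or the client's messages also
  # fall through to the local rules further down the file.
  printf '%s\n' "$cfg" | grep -A1 -Ei "^:fromhost-ip,.*\"$ip\"" |
    grep -Eq '^&[[:space:]]*~$' || { echo "filter not followed by & ~"; exit 1; }
  echo ok
)

check_client() (   # $1 = conf file, $2 = server IP
  ip=$(esc "$2"); cfg=$(active "$1")
  lineno() { printf '%s\n' "$cfg" | grep -En "$1" | head -n1 | cut -d: -f1; }
  # "@@" forwards over TCP; a single "@" would use UDP instead.
  fwd=$(lineno "^\*\.\*[[:space:]]+@@$ip(:514)?$")
  [ -n "$fwd" ] || { echo "no TCP (@@) forward to $2"; exit 1; }
  # Legacy $Action* settings bind to the next action, so they must come first
  # (the lab config keeps $WorkDirectory in the same block).
  for d in WorkDirectory ActionQueueFileName ActionQueueType ActionResumeRetryCount; do
    n=$(lineno "^\\\$$d[[:space:]]+[^[:space:]]")
    [ -n "$n" ] && [ "$n" -lt "$fwd" ] || { echo "\$$d not set before forward rule"; exit 1; }
  done
  echo ok
)

demo() {   # constructed samples using the lab addresses
  tmp=$(mktemp -d)
  printf '%s\n' '$ModLoad imtcp.so' '$InputTCPServerRun 514' \
    ':FROMHOST-IP, isequal,"192.168.0.65" /var/log/servers.log' '& ~' > "$tmp/server.conf"
  printf '%s\n' '$WorkDirectory /var/lib/rsyslog # spool files' '$ActionQueueFileName fwdRule1' \
    '$ActionQueueType LinkedList' '$ActionResumeRetryCount -1' \
    '*.* @@192.168.0.80:514' > "$tmp/client.conf"
  check_server "$tmp/server.conf" 192.168.0.65 && check_client "$tmp/client.conf" 192.168.0.80
  rc=$?; rm -rf "$tmp"; return $rc
}
demo
```

Run `check_server /etc/rsyslog.conf 192.168.0.65` on mail and `check_client /etc/rsyslog.conf 192.168.0.80` on storage before restarting the service; each prints `ok` or the first problem found.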