Sunday, August 14, 2011

Set Up Rsyslog and LogAnalyzer on CentOS Linux 5.5 for Centralized Logging - part3

(Page 3)
Configuring Rsyslog for Remote Logging
Now we’ll configure our rsyslog server to accept syslog messages from other network devices. First we need to configure the firewall to allow inbound traffic on port 514. In this example I will add two rules to allow traffic over both TCP and UDP. Syslog by default only transmits messages over UDP, but rsyslog adds TCP for more reliable delivery. Add these rules to “/etc/sysconfig/iptables”:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 514 -j ACCEPT

Now restart the iptables firewall:

# service iptables restart

We need to add configuration to allow rsyslog to accept messages from remote syslog hosts. Basically we’ll specify that messages are accepted via TCP and UDP from the localhost and from hosts on the 192.168.1.0 subnet. Add these lines near the top of the “/etc/rsyslog.conf” file, above the lines that we added previously for MySQL.

$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24
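As an added example (not from the original post), here is the server-side fragment in context. It assumes the listener directives for the imudp and imtcp modules are not yet in the file; if an earlier part of this series already added them, keep only the $AllowedSender lines. The point is that $AllowedSender only filters what a listener receives: without a listener rsyslog accepts nothing, and with a listener but no $AllowedSender it accepts everything.

```conf
# /etc/rsyslog.conf on the central server (added example, legacy directive
# syntax as used by the rsyslog 3.x/4.x packages for CentOS 5).

# Who may deliver messages. Anything from an address outside these ranges is
# discarded by rsyslog, so the *client's* source address must fall inside one
# of them. 192.168.1.0/24 is the post's example subnet; substitute your own.
$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24

# Open the listeners the rules above apply to (assumed not present yet).
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

# ... the ommysql lines added in the previous part follow below this point ...
```

After editing, `rsyslogd -c3 -N1` (the version-3 compatibility mode used on CentOS 5; `-N1` is a syntax check only) reports configuration errors without disturbing the running daemon. Note that a UDP sender's source address is trivially forged, so treat the UDP allow-list as a hygiene measure and prefer the TCP transport where the clients support it.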

At one point there was a bug in rsyslog which prevented the above lines from working, and syslog messages were accepted from all senders. This appears to be corrected now. Another possibility to limit accepted senders is to restrict the source addresses in the port 514 rules that we defined earlier in the iptables firewall configuration file.
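Here is what that firewall-level restriction looks like, as an added example rather than rules from the original post. It replaces the two unrestricted port-514 rules added earlier with rules carrying a `-s` source match, and assumes the RH-Firewall-1-INPUT chain keeps its stock trailing REJECT rule so that anything not matched here is refused.

```conf
# /etc/sysconfig/iptables on the central server (added example).
# Only the example subnet from the post may reach port 514; hosts outside
# 192.168.1.0/24 are rejected by the kernel before rsyslog sees the packet.
# Loopback traffic is already allowed by the chain's default "-i lo" rule.
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 514 -j ACCEPT
```

Restart iptables afterwards as before. Layering this in front of $AllowedSender gives two independent checks; a misconfiguration in one is caught by the other, and rejected connection attempts show up in the firewall rather than silently vanishing inside rsyslog.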

Don’t forget to restart rsyslog on the central server:

# service rsyslog restart

Now we need to configure a remote client to send messages to our new centralized rsyslog server. If the client is also running rsyslog, add an entry like this to its “/etc/rsyslog.conf” file. In this case I will again send all messages from the “authpriv” facility to my rsyslog server, whose IP address I have entered here.

authpriv.*                                              @192.168.10.100

Restart rsyslog on the client and log in and out, or switch user, in the console of the Linux client machine. With luck the syslog messages from the client will appear on the LogAnalyzer web page!
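The client-side entry with both transports, as an added example that is not part of the original post. It uses the server address from the post and assumes the client's own address lies inside the server's $AllowedSender range; a single `@` is the UDP forwarding the post shows, while `@@` selects the TCP transport that the server's imtcp listener was opened for.

```conf
# /etc/rsyslog.conf on a client (added example).
# Forwarding rules copy messages; the client's own local log files are
# still written by the rules that follow in the stock configuration.

# Original UDP form from the post (fire-and-forget, no delivery guarantee):
#authpriv.*    @192.168.10.100

# TCP form: the connection is retried if the server is unreachable,
# and the explicit :514 makes the destination port unambiguous.
authpriv.*    @@192.168.10.100:514
```

To check the path without logging in and out, run `logger -p authpriv.notice "rsyslog forwarding test"` on the client after restarting rsyslog; the line should appear in LogAnalyzer and, on the server, in /var/log/secure, where the stock CentOS configuration writes the authpriv facility. If it does not, confirm the client's source address against the server's $AllowedSender ranges and firewall rules before looking elsewhere, since a disallowed sender is discarded rather than reported back to the client.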
