Configure Remote Logging on RHEL 7

We are going to configure a remote log server and forward messages to it.

The Lab

We have two RHEL 7.0 servers available in our lab:

  1. srv1.rhce.local (10.8.8.71) – will be configured as a log server,
  2. srv2.rhce.local (10.8.8.72) – will be configured to send logs to the remove log server.

SELinux set to enforcing mode.

Configure Remote Logging

We are going to configure rsyslogd on the server srv1 to receive messages coming from the remote server srv2.

On the server srv1, open /etc/rsyslog.conf for editing, and add the following lines to enable log reception on TCP port 514 (UDP is also available):

$ModLoad imtcp
$InputTCPServerRun 514

Save changes and restart the rsyslog service:

# systemctl restart rsyslog

Configure firewalld:

# firewall-cmd --add-port=514/tcp --permanent
# firewall-cmd --reload

Or if we want to receive mesages from the server srv2 only, we can create rich rule:

# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.8.8.72/32 port port=514 protocol=tcp accept'
# firewall-cmd --reload

Configure Message Forwarding to Remote Server

On the server srv2, open /etc/rsyslog.conf for editing, and add the following line:

*.* @@srv1.rhce.local:514

Note that a single @ sends logs over UDP, and a double @ sends logs using TCP.

Save changes and restar the rsyslog service:

# systemctl restart rsyslog

Verify:

[srv2]# setenforce 0 && setenforce 1

We see that messages triggered on the server srv2 are forwarded to rsyslog on the server srv1:

[srv1]# tail /var/log/messages
Jul 20 19:23:05 srv1 systemd: Stopping System Logging Service...
Jul 20 19:23:05 srv1 systemd: Starting System Logging Service...
Jul 20 19:23:05 srv1 systemd: Started System Logging Service.
Jul 20 19:23:10 srv2 dbus-daemon: dbus[573]: avc:  received setenforce notice (enforcing=0)
Jul 20 19:23:10 srv2 dbus[573]: avc:  received setenforce notice (enforcing=0)
Jul 20 19:23:10 srv2 dbus-daemon: dbus[573]: avc:  received setenforce notice (enforcing=1)
Jul 20 19:23:10 srv2 dbus[573]: avc:  received setenforce notice (enforcing=1)
Jul 20 19:23:10 srv2 dbus-daemon: dbus[573]: [system] Reloaded configuration
Jul 20 19:23:10 srv2 dbus[573]: [system] Reloaded configuration

6 thoughts on “Configure Remote Logging on RHEL 7

  1. Where you configure the firewall rules for srv1, are we supposed to remove port 514/tcp or add it? Does not remove means we actually blocking the port?

    • I don’t think I do. Your suggestion would attempt to use “port” outside of any element, which isn’t going to work I believe.

Leave a Reply

Your email address will not be published. Required fields are marked *