Install and configure rsyslog Centralized logging server in CentOS 6.5

In this tutorial we will learn how to install and configure rsyslog version 7.6 on RHEL 6.5/CentOS 6.5. The scenario is to install and set up an rsyslog centralized logging server on RHEL/CentOS 6.5. All logs from the client servers will be sent to the centralized logging server, i.e. the rsyslog server.

(Figure: rsyslog server)

Check Pre-installed rsyslog package

Step 1: First of all, check whether the rsyslog package is installed on your system. By default, a minimal installation of CentOS 6.x/RHEL 6.x comes with rsyslog version 5.x.

We will install the latest rsyslog package. At the time of writing this post, rsyslog stable version 7.6 was available. You can find the latest package information on the rsyslog official website.

Note: By default, RHEL 6.x and CentOS 6.x ship rsyslog version 5.x, so here we will update rsyslog to the new version.
You can get the rsyslog version information by using the two commands given below:

rpm -qa|grep rsyslog
And
rsyslogd -v

See the screenshot below.

(Screenshot: rsyslog version 7)

Installing / Updating the rsyslog version 7.6 in RHEL 6.x / CentOS 6.x

To install rsyslog version 7.6, create a new yum client repo file and paste the contents given below. (With the same method you can install other versions of rsyslog [information link].)

Create the new file /etc/yum.repos.d/rsyslog.repo (you can use your favorite editor):

vi /etc/yum.repos.d/rsyslog.repo

Paste the contents given below into the file /etc/yum.repos.d/rsyslog.repo (in the vi editor, press the i key to insert, paste the content, then press Esc and type :wq to save):

# Note: gpgcheck=0 disables RPM signature verification for these repos;
# set gpgcheck=1 together with the vendor's key (gpgkey=...) where one is available.
[rsyslog-v7-devel]
name=Adiscon Rsyslog v7-devel for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v7-devel/epel-$releasever/$basearch
enabled=0
gpgcheck=0
protect=1

[rsyslog-v7-stable]
name=Adiscon Rsyslog v7-stable for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v7-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
protect=1

If the package is not installed yet (rpm -qa|grep rsyslog shows nothing), run the command given below to install rsyslog:

yum install rsyslog

To update to the new rsyslog version, run the command given below:

yum update rsyslog

Configure rsyslog in RHEL 6.x / CentOS 6.x

Step 1: Enable the modules. We will uncomment the lines given below by removing the leading #.

Take a backup of the original file:

cp -pv /etc/rsyslog.conf /etc/rsyslog.conf.orig

Edit the file /etc/rsyslog.conf

vi /etc/rsyslog.conf

Uncomment these module lines by removing the # in front of them:

module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously done by rklogd)

Now, in the same file, search for the line beginning with *.emerg and replace its action (i.e. *) with :omusrmsg:*. See the reference below:

*.emerg                        :omusrmsg:*

Enable UDP port 514 for rsyslog. Uncomment the lines given below by removing the # sign:

module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

Now, at the end of the file /etc/rsyslog.conf, paste the code given below (these are rsyslog templates and the rules that use them):

# Both templates build the file name from the sending host and the program name
$template TmplAuth, "/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
# authpriv messages (su, sudo, PAM sessions) go to TmplAuth
authpriv.*   ?TmplAuth
# everything at info and above, except mail, authpriv and cron, goes to TmplMsg
*.info;mail.none;authpriv.none;cron.none   ?TmplMsg

Now save and exit the file /etc/rsyslog.conf.

Below is the reference from our server. After editing, /etc/rsyslog.conf looks as given below (verify your file against it).
Here, the egrep -v '^#|^$' command shows only the uncommented, non-empty lines of the file.

[root@localhost /]# egrep -v '^#|^$' /etc/rsyslog.conf
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously done by rklogd)
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  /var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
$template TmplAuth, "/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.*   ?TmplAuth
*.info;mail.none;authpriv.none;cron.none   ?TmplMsg
[root@localhost /]# 
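As an added check (example code, not part of the tutorial), this Python script applies the same filter as egrep -v '^#|^$' to a copy of the configuration and verifies what this section sets up: the imudp listener on port 514, the *.emerg action, and that every ?Template used by a rule has a matching $template. SAMPLE_CONF is constructed here and deliberately references an undefined ?TmplCron so the check has something to report; the secpath warning refers to rsyslog's secpath-replace/secpath-drop property options.

```python
import re

# Constructed sample: the uncommented part of /etc/rsyslog.conf as built in this
# tutorial, plus one deliberately broken rule (?TmplCron is never defined).
SAMPLE_CONF = """\
# rsyslog configuration file
module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf

*.info;mail.none;authpriv.none;cron.none      /var/log/messages
authpriv.*                                    /var/log/secure
*.emerg                                       :omusrmsg:*
$template TmplAuth, "/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
$template TmplMsg, "/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.*   ?TmplAuth
*.info;mail.none;authpriv.none;cron.none   ?TmplMsg
cron.*   ?TmplCron
"""


def active_lines(conf):
    """Same filter as egrep -v '^#|^$': drop empty and comment-only lines."""
    return [l.rstrip() for l in conf.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def check_rsyslog_conf(conf, port="514", log_root="/var/log/rsyslog_custom"):
    """Return a list of findings (an empty list means the config matches the tutorial)."""
    text = "\n".join(active_lines(conf))
    findings = []

    # 1. UDP receiver: the module must be loaded and an input bound to the port.
    if 'module(load="imudp")' not in text:
        findings.append("imudp module is not loaded")
    if not re.search(r'input\(type="imudp"\s+port="%s"\)' % re.escape(port), text):
        findings.append("no imudp input listening on port %s" % port)

    # 2. The *.emerg rule: the tutorial replaces the bare '*' action with :omusrmsg:*.
    if re.search(r"^\*\.emerg\s+\*\s*$", text, re.M):
        findings.append("*.emerg still uses the '*' action; use :omusrmsg:*")

    # 3. Templates: every ?Name action must have a matching $template Name.
    defined = dict(re.findall(r'^\$template\s+(\w+)\s*,\s*"([^"]+)"', text, re.M))
    used = set(re.findall(r"-?\?(\w+)\s*$", text, re.M))
    for name in sorted(used - set(defined)):
        findings.append("rule references ?%s but no $template %s is defined" % (name, name))

    # 4. Per-template checks on the file path the template generates.
    for name, path in sorted(defined.items()):
        if not path.startswith(log_root + "/"):
            # The SELinux var_log_t context in this tutorial is applied only to log_root.
            findings.append("template %s writes outside %s" % (name, log_root))
        for prop in ("HOSTNAME", "PROGRAMNAME"):
            if "%%%s%%" % prop in path:
                # Both properties come from the client's own message; a '/' in them would
                # escape the per-host directory. rsyslog's %PROP:::secpath-replace% option
                # rewrites slashes before the path is built.
                findings.append("template %s uses client-controlled %%%s%% in a path "
                                "without secpath-replace/secpath-drop" % (name, prop))
    return findings


if __name__ == "__main__":
    for f in check_rsyslog_conf(SAMPLE_CONF):
        print("WARN:", f)
```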

Step 4: Now edit the file /etc/sysconfig/rsyslog and set SYSLOGD_OPTIONS with no parameters:

SYSLOGD_OPTIONS=""

See the reference below from our server:

[root@localhost ~]# cat /etc/sysconfig/rsyslog
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS=""
[root@localhost ~]# 

Step 5: Start/Restart the rsyslog service

To start rsyslog:

/etc/init.d/rsyslog start

To restart rsyslog:

/etc/init.d/rsyslog restart

(To stop rsyslog: /etc/init.d/rsyslog stop)

Create new directory in /var/log

Create a new directory in /var/log called rsyslog_custom, so that we keep the logs of all servers in this directory:

mkdir -p /var/log/rsyslog_custom

Set SELinux rules for rsyslog

Some system admins disable SELinux.
If you want to keep SELinux enabled, use the commands given below
(read this post in case the semanage command is not found):

semanage fcontext -a -t syslogd_exec_t /sbin/rsyslogd
restorecon /sbin/rsyslogd

/usr/sbin/semanage fcontext -a -t var_log_t "/var/log/rsyslog_custom(/.*)?"
/sbin/restorecon -R -v /var/log/rsyslog_custom

Set iptables rules for rsyslog

The rsyslog service uses UDP port 514, hence we will open iptables only for this port.

Edit /etc/sysconfig/iptables

vi /etc/sysconfig/iptables

Put the rule given below above any REJECT INPUT rule:

-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT

Now save and exit, then restart the iptables service:

/etc/init.d/iptables restart

Use the iptables -nL command to check the iptables rules.

Restart rsyslog and verify listening status of 514 port

/etc/init.d/rsyslog restart

Check listening status of port 514

netstat -uanp|grep rsyslog

See the reference below from my server:

[root@localhost ~]# netstat -uanp|grep rsyslog
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               3266/rsyslogd       
udp        0      0 :::514                      :::*                                    3266/rsyslogd       
[root@localhost ~]# 

Configure rsyslog in client servers

To fetch the logs from remote client servers, we will edit the rsyslog.conf file on the client machine. The method applies to Red Hat based and Debian based operating systems (e.g. RHEL, CentOS, Debian, Ubuntu).

Syntax:
*.* @ip-address-of-rsyslog-server:514

Example:
Edit file

vi /etc/rsyslog.conf

Paste the line below (replace 192.168.56.102 with your rsyslog server's IP address; here 514 is the UDP port number):

*.* @192.168.56.102:514

Save and exit the file /etc/rsyslog.conf and restart the rsyslog service:

/etc/init.d/rsyslog restart

Now log in again on the client system so that we capture a log entry; the same log information will appear on the rsyslog server.

Verify the log in rsyslog server

Change to the directory /var/log/rsyslog_custom. You should see a directory named after the hostname of your client machine, and inside that directory some log files.

cd /var/log/rsyslog_custom

Reference from my system (the output will differ in your case):

[root@localhost ~]# ls -l /var/log/rsyslog_custom/
total 8
drwx------. 2 root root 4096 Mar  1 07:52 localhost
drwx------. 2 root root 4096 Mar  1 07:47 tuxworld
[root@localhost ~]# 
[root@localhost ~]# ls -l /var/log/rsyslog_custom/tuxworld/
total 32
-rw-------. 1 root root 193 Mar  1 07:46 CRON.log
-rw-------. 1 root root 619 Mar  1 07:47 dbus.log
-rw-------. 1 root root 255 Mar  1 07:47 dhclient.log
-rw-------. 1 root root   0 Mar  1 07:46 kernel.log
-rw-------. 1 root root 659 Mar  1 07:47 NetworkManager.log
-rw-------. 1 root root 120 Mar  1 07:46 rsyslogd-2039.log
-rw-------. 1 root root 149 Mar  1 07:46 rsyslogd.log
-rw-------. 1 root root 296 Mar  1 07:44 sudo.log
-rw-------. 1 root root 316 Mar  1 07:44 su.log
[root@localhost ~]# 
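As an added example (not part of the tutorial), the following Python models how the two rules above turn an incoming message into a file under /var/log/rsyslog_custom: it parses a BSD-syslog line as the clients send it over UDP 514, derives the %HOSTNAME% and %PROGRAMNAME% properties, applies the selector filters, and shows why sudo and CRON's PAM session messages land in TmplAuth files while cron's own job output matches neither rule. The secpath_replace function and the sample messages are constructed here; rsyslog's real option is written as %HOSTNAME:::secpath-replace% inside the template.

```python
import re

# Facility and severity names in numeric order (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD syslog line as the clients send it over UDP 514: <PRI>TIMESTAMP HOSTNAME TAG: MSG
RFC3164 = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

# The two rules appended to /etc/rsyslog.conf in this tutorial and their (identical) template.
TEMPLATE = "/var/log/rsyslog_custom/%HOSTNAME%/%PROGRAMNAME%.log"
RULES = [("authpriv.*", "TmplAuth"),
         ("*.info;mail.none;authpriv.none;cron.none", "TmplMsg")]


def parse_message(raw):
    """Extract the properties the templates and selectors use from one raw message."""
    m = RFC3164.match(raw)
    if not m:
        raise ValueError("not a BSD syslog message: %r" % raw)
    pri, hostname, rest = int(m.group(1)), m.group(3), m.group(4)
    # rsyslog's PROGRAMNAME is the tag up to the first '[' or ':', so "CRON[2101]:" gives
    # "CRON" and "rsyslogd-2039:" gives "rsyslogd-2039", the file names in the listing above.
    programname = re.match(r"[^\[:\s]*", rest).group(0)
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "hostname": hostname, "programname": programname, "msg": rest}


def secpath_replace(value):
    """Model of rsyslog's secpath-replace property option: '/' becomes '_', so a host
    that announces itself as '../../etc' cannot steer its file out of its own directory."""
    return value.replace("/", "_") or "_"


def selector_matches(selector, facility, severity):
    """Evaluate a legacy selector such as '*.info;mail.none;authpriv.none;cron.none'.
    A later part overrides an earlier one for its facility, which is how 'authpriv.none'
    carves authpriv out of '*.info'."""
    matched = False
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        if "*" not in facs.split(",") and facility not in facs.split(","):
            continue
        if prio == "none":
            matched = False
        else:
            matched = prio == "*" or SEVERITIES.index(severity) <= SEVERITIES.index(prio)
    return matched


def route(raw):
    """Return the (template name, file path) pairs the two rules would write this message to."""
    p = parse_message(raw)
    path = (TEMPLATE.replace("%HOSTNAME%", secpath_replace(p["hostname"]))
                    .replace("%PROGRAMNAME%", secpath_replace(p["programname"])))
    return [(name, path) for sel, name in RULES
            if selector_matches(sel, p["facility"], p["severity"])]


# Constructed sample messages (not captured from a real host); the last one carries a
# hostile hostname to show what the secpath option protects against.
SAMPLES = [
    "<86>Mar  1 07:44:10 tuxworld sudo: root : TTY=pts/0 ; PWD=/root ; COMMAND=/bin/ls",
    "<86>Mar  1 07:46:01 tuxworld CRON[2101]: pam_unix(crond:session): session opened for user root",
    "<78>Mar  1 07:46:01 tuxworld CROND[2102]: (root) CMD (run-parts /etc/cron.hourly)",
    "<43>Mar  1 07:46:00 tuxworld rsyslogd-2039: Could not open output pipe '/dev/xconsole'",
    "<30>Mar  1 07:47:12 ../../etc NetworkManager[900]: <info> device eth0 activated",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        p = parse_message(raw)
        print("%s.%s %-14s -> %s" % (p["facility"], p["severity"], p["programname"],
                                     route(raw) or "not written by these two rules"))
```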

IMPORTANT Note: After setting everything up, it is good practice to check /var/log/messages for any rsyslog related errors or warnings.

Note: This rsyslog server setup is recommended for use in a secure internal network. The rsyslog server should not be publicly exposed.

If you want to secure the rsyslog server further, use an iptables rule that accepts logs only from your desired IP address/network.

For EXAMPLE: only allow a particular IP address to connect to the rsyslog server for logging. The client machine has IP address 192.168.56.1 (replace 192.168.56.1 with your client machine's IP address [ifconfig]):

vi /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m udp -p udp -s 192.168.56.1 --dport 514 -j ACCEPT

Restart iptables after this: /etc/init.d/iptables restart

For EXAMPLE: only allow a particular NETWORK to connect to the rsyslog server for logging. The network subnet is 10.0.0.0/255.255.255.0 (replace 10.0.0.0/24 with your network information):

vi /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m udp -p udp -s 10.0.0.0/24 --dport 514 -j ACCEPT

Restart iptables: /etc/init.d/iptables restart

For further reading : Viewing and Managing Log Files

45 thoughts on "Install and configure rsyslog Centralized logging server in CentOS 6.5"

  1. [root@vsp-syslog02 ~]# cat /etc/logrotate.conf
    # see "man logrotate" for details
    # rotate log files weekly
    weekly

    # keep 4 weeks worth of backlogs
    rotate 7

    # create new (empty) log files after rotating old ones

    these are the files under logrotate.d

    [root@vsp-syslog02 logrotate.d]# cat syslog
    /var/log/cron
    /var/log/maillog
    /var/log/messages
    /var/log/secure
    /var/log/spooler
    {
    missingok
    sharedscripts
    postrotate
    /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
    }
    [root@vsp-syslog02 logrotate.d]# cat rsyslog
    /var/log/syslog/*/*.log {
    create 0644 root
    weekly
    minage 7
    missingok
    rotate 4
    compress
    notifempty
    copytruncate
    sharedscripts
    dateext
    }

    [root@vsp-syslog02 logrotate.d]# cat yum
    /var/log/yum.log {
    missingok
    notifempty
    maxsize 30k
    yearly
    create 0600 root root
    }
    [root@vsp-syslog02 logrotate.d]# cat cups
    /var/log/cups/*_log {
    missingok
    notifempty
    sharedscripts
    }
    [root@vsp-syslog02 logrotate.d]#

    create

    # use date as a suffix of the rotated file
    dateext

    # uncomment this if you want your log files compressed
    compress

    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d

    # no packages own wtmp and btmp -- we'll rotate them here
    /var/log/wtmp {
    monthly
    create 0664 root utmp
    minsize 1M
    rotate 1
    }

    /var/log/btmp {
    missingok
    monthly
    create 0600 root utmp
    rotate 1
    }

    # system-specific logs may be also be configured here.
    [root@vsp-syslog02 ~]#

    • Hi Nitin,

      Here you have not mentioned the file name. Looks like some typo

      [root@vsp-syslog02 logrotate.d]#
      
      create
      
      # use date as a suffix of the rotated file
      dateext
      
      # uncomment this if you want your log files compressed
      compress
      
      # RPM packages drop log rotation information into this directory
      include /etc/logrotate.d
      
      # no packages own wtmp and btmp -- we'll rotate them here
      /var/log/wtmp {
      monthly
      create 0664 root utmp
      minsize 1M
      rotate 1
      }
      
      /var/log/btmp {
      missingok
      monthly
      create 0600 root utmp
      rotate 1
      }
      
      # system-specific logs may be also be configured here.
      [root@vsp-syslog02 ~]#
      
      • Hi Sharad,

        here are the files below is logrotate.conf

        [root@vsp-syslog02 vsd-pg01]# cat /etc/logrotate.conf
        # see "man logrotate" for details
        # rotate log files weekly
        weekly

        # keep 4 weeks worth of backlogs
        rotate 7

        # create new (empty) log files after rotating old ones
        create

        # use date as a suffix of the rotated file
        dateext

        # uncomment this if you want your log files compressed
        compress

        # RPM packages drop log rotation information into this directory
        include /etc/logrotate.d

        # no packages own wtmp and btmp -- we'll rotate them here
        /var/log/wtmp {
        monthly
        create 0664 root utmp
        minsize 1M
        rotate 1
        }

        /var/log/btmp {
        missingok
        monthly
        create 0600 root utmp
        rotate 1
        }

        # system-specific logs may be also be configured here.

        and below are files under /etc/logrotate.d my config file which i am having issue is rsyslog:

        [root@vsp-syslog02 logrotate.d]# cat httpd
        /var/log/httpd/*log {
        missingok
        notifempty
        sharedscripts
        delaycompress
        postrotate
        /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
        endscript
        }
        [root@vsp-syslog02 logrotate.d]# cat rsyslog
        /var/log/syslog/*/*.log {
        create 0644 root
        weekly
        minage 7
        missingok
        rotate 4
        compress
        notifempty
        copytruncate
        sharedscripts
        dateext
        }

        [root@vsp-syslog02 logrotate.d]# cat yum
        /var/log/yum.log {
        missingok
        notifempty
        maxsize 30k
        yearly
        create 0600 root root
        }
        [root@vsp-syslog02 logrotate.d]#

        -> below is my logs location /var/log/syslog/hostname/logs

        drwx------ 2 root root 4096 Jun 30 00:18 CZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYD
        [root@vsp-syslog02 syslog]# pwd
        /var/log/syslog
        [root@vsp-syslog02 syslog]# ls -ltr |more
        total 488
        drwx------ 2 root root 154 Jun 28 03:37 VMware
        drwx------ 2 root root 228 Jun 28 03:37 vsd-elastic01
        drwx------ 2 root root 80 Jun 28 03:37 vsd-erics01.eacc.ds.quintiles.com
        drwx------ 2 root root 80 Jun 28 03:37 vsd-ighv10
        drwx------ 2 root root 154 Jun 28 03:37 vsd-logstash01
        drwx------ 2 root root 4096 Jun 29 00:04 vsd-ighv22
        drwx------ 2 root root 4096 Jun 29 00:04 vsd-ighv20
        drwx------ 2 root root 4096 Jun 29 00:04 vsd-ighv21
        drwx------ 2 root root 4096 Jun 29 11:00 vsd-briank01.eacc.ds.quintiles.com
        drwx------ 2 root root 4096 Jun 30 00:00 vsd-erics01
        drwx------ 2 root root 4096 Jun 30 00:00 vsp-control02
        drwx------ 2 root root 4096 Jun 30 00:00 vsd-docker01
        drwx------ 2 root root 4096 Jun 30 00:00 vsd-twoods01
        drwx------ 2 root root 4096 Jun 30 00:00 vsd-elk01
        drwx------ 2 root root 4096 Jun 30 00:00 vsp-syslog02
        drwx------ 2 root root 4096 Jun 30 00:00 vcenter
        drwx------ 2 root root 4096 Jun 30 00:00 vsd-nagiosmaster01
        drwx------ 2 root root 4096 Jun 30 00:00 vsd-nagiosslave01
        drwx------ 2 root root 4096 Jun 30 00:00 vsd-kanboard03
        drwx------ 2 root root 4096 Jun 30 00:00 vsd-anthony02
        drwx------ 2 root root 4096 Jun 30 00:00 vsd-cluster01
        drwx------ 2 root root 4096 Jun 30 00:00 dirc
        drwx------ 2 root root 4096 Jun 30 00:00 vsd-anthony01
        drwx------ 2 root root 4096 Jun 30 00:00 vsp-monitor01
        drwx------ 2 root root 4096 Jun 30 00:00 vsp-wiki01
        drwx------ 2 root root 4096 Jun 30 00:00 pdp-bigstore01
        drwx------ 2 root root 4096 Jun 30 00:00 vsd-zoo01
        drwx------ 2 root root 4096 Jun 30 00:00 usadc-seaxp32
        drwx------ 2 root root 4096 Jun 30 00:01 vsd-calamari01
        drwx------ 2 root root 4096 Jun 30 00:02 usadc-seaxp32.quintiles.net
        drwx------ 2 root root 4096 Jun 30 00:03 vsd-iondb02
        drwx------ 2 root root 4096 Jun 30 00:04 vsd-adms02
        drwx------ 2 root root 4096 Jun 30 00:04 vsd-perftest01

        one such dir to show you logs is below:

        [root@vsp-syslog02 syslog]# cd vsd-perftest01/
        [root@vsp-syslog02 vsd-perftest01]# ls -ltr
        total 216
        -rw------- 1 root root 4012 Jun 23 23:59 2020-06-23-messages.log-20200628.gz
        -rw------- 1 root root 6049 Jun 24 23:59 2020-06-24-messages.log-20200628.gz
        -rw------- 1 root root 5981 Jun 25 23:59 2020-06-25-messages.log-20200628.gz
        -rw------- 1 root root 5809 Jun 26 23:59 2020-06-26-messages.log-20200628.gz
        -rw------- 1 root root 5919 Jun 27 23:59 2020-06-27-messages.log-20200628.gz
        -rw------- 1 root root 0 Jun 28 03:37 2020-06-23-messages.log
        -rw------- 1 root root 0 Jun 28 03:37 2020-06-24-messages.log
        -rw------- 1 root root 0 Jun 28 03:37 2020-06-25-messages.log
        -rw------- 1 root root 0 Jun 28 03:37 2020-06-26-messages.log
        -rw------- 1 root root 0 Jun 28 03:37 2020-06-27-messages.log
        -rw------- 1 root root 80966 Jun 28 23:59 2020-06-28-messages.log
        -rw------- 1 root root 79310 Jun 29 23:59 2020-06-29-messages.log
        -rw------- 1 root root 19212 Jun 30 05:34 2020-06-30-messages.log
        [root@vsp-syslog02 vsd-perftest01]#

        You can see that logs are generating, but not rotating as per configuration. Please help me on this

        • Hi Nitin,

          I am a bit doubtful. Can you check these files on the coming Sunday/Monday? These files were created on 28-Jun and should be rotated 7 days after their creation timestamp.

          -rw------- 1 root root 0 Jun 28 03:37 2020-06-23-messages.log
          -rw------- 1 root root 0 Jun 28 03:37 2020-06-24-messages.log
          -rw------- 1 root root 0 Jun 28 03:37 2020-06-25-messages.log
          -rw------- 1 root root 0 Jun 28 03:37 2020-06-26-messages.log
          -rw------- 1 root root 0 Jun 28 03:37 2020-06-27-messages.log
          -rw------- 1 root root 80966 Jun 28 23:59 2020-06-28-messages.log

          Regards
          Sharad

          • Hello sharad,

            This is what I get now. Files are compressing, but I am not getting the desired result.

            Please suggest

            [root@vsp-syslog02 vsd-adms01]# ls -lrt
            total 244
            -rw------- 1 root root 2491 Jun 23 23:59 2020-06-23-messages.log-20200628.gz
            -rw------- 1 root root 3694 Jun 24 23:59 2020-06-24-messages.log-20200628.gz
            -rw------- 1 root root 3480 Jun 25 23:59 2020-06-25-messages.log-20200628.gz
            -rw------- 1 root root 3527 Jun 26 23:59 2020-06-26-messages.log-20200628.gz
            -rw------- 1 root root 3481 Jun 27 23:59 2020-06-27-messages.log-20200628.gz
            -rw------- 1 root root 0 Jun 28 03:37 2020-06-23-messages.log
            -rw------- 1 root root 0 Jun 28 03:37 2020-06-24-messages.log
            -rw------- 1 root root 0 Jun 28 03:37 2020-06-25-messages.log
            -rw------- 1 root root 0 Jun 28 03:37 2020-06-26-messages.log
            -rw------- 1 root root 0 Jun 28 03:37 2020-06-27-messages.log
            -rw------- 1 root root 3951 Jun 28 23:59 2020-06-28-messages.log-20200705.gz
            -rw------- 1 root root 3530 Jun 29 23:59 2020-06-29-messages.log-20200705.gz
            -rw------- 1 root root 3476 Jun 30 23:59 2020-06-30-messages.log-20200705.gz
            -rw------- 1 root root 3553 Jul 1 23:59 2020-07-01-messages.log-20200705.gz
            -rw------- 1 root root 3926 Jul 2 23:59 2020-07-02-messages.log-20200705.gz
            -rw------- 1 root root 3920 Jul 3 23:59 2020-07-03-messages.log-20200705.gz
            -rw------- 1 root root 3484 Jul 4 23:59 2020-07-04-messages.log-20200705.gz
            -rw------- 1 root root 0 Jul 5 03:34 2020-06-28-messages.log
            -rw------- 1 root root 0 Jul 5 03:34 2020-06-29-messages.log
            -rw------- 1 root root 0 Jul 5 03:34 2020-06-30-messages.log
            -rw------- 1 root root 0 Jul 5 03:34 2020-07-01-messages.log
            -rw------- 1 root root 0 Jul 5 03:34 2020-07-02-messages.log
            -rw------- 1 root root 0 Jul 5 03:34 2020-07-03-messages.log
            -rw------- 1 root root 0 Jul 5 03:34 2020-07-04-messages.log
            -rw------- 1 root root 60366 Jul 5 23:59 2020-07-05-messages.log
            -rw------- 1 root root 58524 Jul 6 23:59 2020-07-06-messages.log
            -rw------- 1 root root 62956 Jul 7 23:59 2020-07-07-messages.log
            -rw------- 1 root root 9561 Jul 8 03:54 2020-07-08-messages.log
            [root@vsp-syslog02 vsd-adms01]#

  2. Hello I am having trouble by rotating logs in general syslog server OS -7.1 centos

    /var/log/syslog/*/*.log {
    create 0644 root
    weekly
    missingok
    rotate 4
    compress
    notifempty
    copytruncate
    sharedscripts
    dateext
    }
    I want to keep one week of logs within a file with four rotations, meaning 28 days of logs at any time. But this is not happening with these parameters. Any help would be greatly appreciated. I am willing to pay if anyone is open to a paid solution.

    • Hi Nitin,

      I tried to understand your question. If I am wrong here, correct me.
      a. You want to keep only 4 log files of each category type means for example. abc.log, example.log .
      b. Each log file has 1 week logging data.
      c. The point (a) and (b) states that it is 4×7=28 days logging data

      In the config given below, I have added minage 7 (meaning: do not rotate logs which are less than 7 days old).

       /var/log/syslog/*/*.log {
      create 0644 root
      weekly
      minage 7
      missingok
      rotate 4
      compress
      notifempty
      copytruncate
      sharedscripts
      dateext
      }
      

      Let me know if it works for you. Also check man logrotate to know available options.

      Regards
      Sharad

      • Hi Sharad, let me check your suggestion and I will get back. Please confirm what minage would do. Your comments about points a and b are correct. I want to keep 4 log files, with each file 7 days long.

          • Hi Sharad,
            Unfortunately this config also did not work. Now ideally there should be a single file containing the logs of a week, but it has created log files for individual days, i.e. the 23rd and 24th. Please suggest.

          • Hi Nitin,

            Can you provide the logrotate.conf and logrotate.d/* all files ?
            In my setup the config which I have suggested it works. Note that, minage will only rotate the file which is 7 days old. Check the date time stamp of files also.

            Regards
            Sharad

  3. Hi Sharad, I followed your video and it works. My rsyslog server is receiving logs from other machines, but

    I want to receive Apache and MySQL logs on the rsyslog server, so please help me with what configuration I should apply on the rsyslog server and client. Please help me.

  4. Hi, I followed your video. I am able to get messages on the server but they are not getting logged to a file. I used tcpdump to check the log messages on the server. I don't even see any client folder created at /var/log/rsyslog_custom/.

    What do you think is missing?

  5. Hi Sharad ,
    I am stuck while configuring the rsyslog centralised logging server.
    Please help me and share suggestions.
    How to configure rsyslog to send customised logs of the client server (like Apache logs, PHP application logs) to the centralised logging server (rsyslog server)?

  6. I have syslog working. I am trying to create the logs in a different folder other than /var/log/…

    $template FILENAME,"/home/log/%fromhost-ip%/messages-%$YEAR%-%$MONTH%-%$DAY%.log"
    *.* ?FILENAME

    *.info;mail.none;authpriv.none;cron.none ?FILENAME

    If I change it from /home to /var it all works.

    Is there a way to get syslog onto a different directory?

    • hi NC,

      By default /home is the home directory for users; I recommend you do not place logs in /home, to avoid confusion with other sysadmins.

      Yet, the trick is that you have to change the ownership and permissions of /home/log. Match the ownership and permissions of /var/log on /home/log.

      Regards
      Sharad

  7. hi sharad

    I want to build a syslog server for storing logs sent by Cisco routers/switches, which I am able to do; however my requirement is to create separate files for storing the logs from each of the devices. Please help.
    I am using RHEL 6.3 as the syslog server.

    regards
    Vivek Saran

    • Hi Vivek,

      At present, I do not have a setup with networking devices. I just brought this answer from my memory. Hope you will understand the logic here; just give it a try and let us know the result.

      In the config below, replace the router and switch IP addresses. I have also used the if statement with an OR condition, so change it according to your requirement.

      $template SwitchLogs,"/var/log/remote/%HOSTNAME%.log"
      
      $template RouterLogs,"/var/log/remote/%HOSTNAME%.log"
      
      if ($fromhost-ip startswith '10.1.1.5' or $fromhost-ip startswith '10.2.1.9') then -?SwitchLogs
      & ~
      
      if $fromhost-ip startswith '192.168.2.1' then -?RouterLogs
      & ~
      

      For ASA firewall, rsyslog official page already has this description. http://www.rsyslog.com/tag/cisco-asa/ . I hope you will also get some idea from this.

      Regards
      Sharad

