|
Rsyslog : Output logs to Remote Host
2015/03/31 |
|
Configure Rsyslog to output logs to remote host.
This example based on environment below. (1) dlp.srv.world [10.0.0.30] Log Managed Server (2) node01.srv.world [10.0.0.51] Client Server (Output logs to Managed Server) |
|
| [1] | Configure Log Managed Server to receive logs from client servers. |
|
[root@dlp ~]#
vi /etc/rsyslog.conf # line 17, 18: uncomment $ModLoad imtcp $InputTCPServerRun 514 # specify senders you permit to access
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24, *.srv.world
/etc/rc.d/init.d/rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] |
| [2] | Configure Client Servers. |
|
[root@node01 ~]#
vi /etc/rsyslog.conf # for exmaple, output logs for "authpriv.*" to remote host authpriv.* @@dlp.srv.world:514
# line 73: uncomment all $WorkDirectory /var/lib/rsyslog # where to place spool files $ActionQueueFileName fwdRule1 # unique name prefix for spool files $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) $ActionQueueSaveOnShutdown on # save messages to disk on shutdown $ActionQueueType LinkedList # run asynchronously $ActionResumeRetryCount -1 # infinite retries if host is down[root@node01 ~]# /etc/rc.d/init.d/rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] |
| [3] | After configuration of above, logs for kinds of authentication are recorded on Log Managed Server like follows. |
|
[root@dlp ~]# tail -10 /var/log/secure Apr 1 02:50:24 dlp login: DIALUP AT ttyS0 BY root Apr 1 02:50:24 dlp login: ROOT LOGIN ON ttyS0 Apr 1 21:56:35 node01 login: pam_unix(login:session): session closed for user root Apr 1 21:56:41 node01 login: pam_unix(login:session): session opened for user root by (uid=0) Apr 1 21:56:41 node01 login: DIALUP AT ttyS0 BY root Apr 1 21:56:41 node01 login: ROOT LOGIN ON ttyS0 Apr 1 21:57:46 node01 sshd[1022]: Accepted password for cent from 10.0.0.30 port 51970 ssh2 Apr 1 21:57:46 node01 sshd[1022]: pam_unix(sshd:session): session opened for user cent by (uid=0) Apr 1 21:57:46 node01 sshd[1024]: Received disconnect from 10.0.0.30: 11: disconnected by user Apr 1 21:57:46 node01 sshd[1022]: pam_unix(sshd:session): session closed for user cent |
| [4] | If you'd like to separate logs for a Host, for a date, Configure like follows. |
|
[root@dlp ~]#
vi /etc/rsyslog.conf # add: define logfiles
$template Secure_log,"/var/log/secure.d/%fromhost%_%$year%%$month%%$day%.secure"
# add: specify logfiles defined above. authpriv.* -?Secure_log
[root@dlp ~]#
[root@dlp ~]# /etc/rc.d/init.d/rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] ll /var/log/secure.d total 8 -rw------- 1 root root 376 Apr 2 12:58 10.0.0.51_20150402.secure -rw------- 1 root root 368 Apr 2 12:59 dlp_20150402.secure |