======Install RSyslog======

This page shows how to setup a CentOS 6 server to act as a rsyslog server that will accept logs from other machines and store them in specific files.
=====Prerequisites=====
You must have a CentOS machine already set up in accordance with the the "[[Install CentOS 6]]" guide.
=====Install Rsyslog=====
Install rsyslog with the following command<code>yum -y install rsyslog</code>
=====Configure Rsyslog=====
Un-comment several lines in <code>/etc/rsyslog.conf</code> to allow the syslog server to listen on the tcp and udp port.
<code>sed -i "s/#$ModLoad imudp/$ModLoad imudp/g" /etc/rsyslog.conf</code>
<code>sed -i "s/#$UDPServerRun 514/$UDPServerRun 514/g" /etc/rsyslog.conf</code>
<code>sed -i "s/#$ModLoad imtcp/$ModLoad imtcp/g" /etc/rsyslog.conf</code>
<code>sed -i "s/#$InputTCPServerRun 514/$InputTCPServerRun 514/g" /etc/rsyslog.conf</code>
Restart rsyslog
<code>service rsyslogd restart</code>
Configure rsyslog to start on boot
<code>chkconfig rsyslogd on</code>
=====Configure Client=====
If you want a client machine to send data to the server, edit its <code>/etc/rsyslog.conf</code> file and, for example, make the following (where the IP address should be replaced with the actual IP address of the rsyslog server).
<code>*.info;mail.none;authpriv.none;cron.none   @192.168.1.1</code>
=====Edit Firewall=====
====CentOS 6====
<code>iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 514-j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp--dport 514-j ACCEPT
service iptables save
service iptables restart</code>

====CentOS 7====
<code>firewall-cmd --permanent --zone=public --add-port=514/tcp
firewall-cmd --permanent --zone=public --add-port=514/udp
firewall-cmd --reload</code>
=====Configure Specific File=====
You may want logs from particular clients to be stored in specific files (i.e. not <code>/var/log/messages</code>).

The rsyslog site has [[http://www.rsyslog.com/storing-messages-from-a-remote-system-into-a-specific-file/|a page] ] explaining how to do this.

Long story short, add the following just after <code>#### RULES ####</code> and add the following which will put all logs from 1092.168.1.1 to the file <code>/var/log/network1.log</code>
<code>if $fromhost-ip startswith '192.168.1.1' then /var/log/network1.log</code>