
Install RSyslog

This page shows how to set up a CentOS 6 server to act as an rsyslog server that accepts logs from other machines and stores them in specific files.

Prerequisites

You must have a CentOS machine already set up in accordance with the “Install CentOS 6” guide.

Install Rsyslog

Install rsyslog with the following command:

yum -y install rsyslog

Configure Rsyslog

Un-comment several lines in /etc/rsyslog.conf to allow the syslog server to listen on the TCP and UDP ports. The sed expressions are single-quoted so that the shell does not expand $ModLoad and the other directive names to empty strings before sed sees them.

sed -i 's/#\$ModLoad imudp/$ModLoad imudp/g' /etc/rsyslog.conf
sed -i 's/#\$UDPServerRun 514/$UDPServerRun 514/g' /etc/rsyslog.conf
sed -i 's/#\$ModLoad imtcp/$ModLoad imtcp/g' /etc/rsyslog.conf
sed -i 's/#\$InputTCPServerRun 514/$InputTCPServerRun 514/g' /etc/rsyslog.conf

Restart rsyslog

service rsyslog restart

Configure rsyslog to start on boot

chkconfig rsyslog on
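
The un-commenting step above fails silently when the sed expression is written in double quotes, because sed exits 0 even when it matched nothing. The following added example (not part of the original page; the function names and the sample config are constructed, and GNU sed is assumed) applies the edit to a config file and counts how many listener directives are actually active afterwards.

```shell
# Added example, not from the original page. Function names and the sample
# config are constructed for illustration; requires GNU sed (-i).
# The four directives the page un-comments (single quotes keep them literal).
DIRECTIVES='$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514'

# make_sample_conf FILE: write a constructed stand-in for /etc/rsyslog.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
#### MODULES ####
#$ModLoad imudp
#$UDPServerRun 514
#$ModLoad imtcp
#$InputTCPServerRun 514
#### RULES ####
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
EOF
}

# double_quoted_edit FILE: inside double quotes the shell expands the unset
# $ModLoad to "", so sed searches for "# imudp" and changes nothing.
double_quoted_edit() {
    sed -i "s/#$ModLoad imudp/$ModLoad imudp/g" "$1"
}

# enable_listeners FILE: single quotes stop shell expansion and \$ matches a
# literal dollar sign; anchoring on ^# makes a second run a no-op.
enable_listeners() {
    sed -i \
        -e 's/^#\(\$ModLoad imudp\)/\1/' \
        -e 's/^#\(\$UDPServerRun 514\)/\1/' \
        -e 's/^#\(\$ModLoad imtcp\)/\1/' \
        -e 's/^#\(\$InputTCPServerRun 514\)/\1/' \
        "$1"
}

# count_active FILE: how many of the four directives are present un-commented.
# This check is what exposes an edit that silently did nothing.
count_active() {
    n=0
    while IFS= read -r d; do
        if grep -Fxq -- "$d" "$1"; then n=$((n + 1)); fi
    done <<EOF
$DIRECTIVES
EOF
    echo "$n"
}
```

Run `enable_listeners` against the config and require `count_active` to report 4 before restarting the service; `rsyslogd -N1` additionally checks the configuration syntax.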

Configure Client

If you want a client machine to send data to the server, edit its /etc/rsyslog.conf file and add, for example, the following line (where the IP address should be replaced with the actual IP address of the rsyslog server). A single @ forwards over UDP; use @@ to forward over TCP.

*.info;mail.none;authpriv.none;cron.none   @192.168.1.1

Edit Firewall

CentOS 6

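# If the existing ruleset ends with a catch-all REJECT rule, use -I INPUT instead of -A so these rules are evaluated before it
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT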
service iptables save
service iptables restart

CentOS 7

firewall-cmd --permanent --zone=public --add-port=514/tcp
firewall-cmd --permanent --zone=public --add-port=514/udp
firewall-cmd --reload

Configure Specific File

You may want logs from particular clients to be stored in specific files (i.e. not /var/log/messages).

The rsyslog site has [[http://www.rsyslog.com/storing-messages-from-a-remote-system-into-a-specific-file/|a page]] explaining how to do this.

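Long story short, add the following rule just after the #### RULES #### line; it writes all logs from 192.168.1.1 to the file /var/log/network1.log. Note that startswith is a prefix match, so this rule also matches addresses such as 192.168.1.10 and 192.168.1.100; compare with == instead to match exactly one host.

if $fromhost-ip startswith '192.168.1.1' then /var/log/network1.log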