Centralized Logs By RSyslog

What’s Syslog?

A syslog server is a server that centralizes log messages from many systems. Both enterprises and small businesses run one, either as a native solution or as a third-party product, to collect their logs in one place.

With a syslog server in your environment, finding the root cause of a problem is much easier, even after a critical hardware failure.

That is because your logs are kept on other storage, paths or devices, so you can still read them there to find the root cause; they also survive if the originating host is wiped or its local logs are tampered with.

There are many third-party syslog servers that you can install on Windows or Linux, or deploy as a virtual appliance.

Here, however, we'll configure our syslog server with RSYSLOG, which is installed by default on all Red Hat based distributions.

Test Scenario

We’ll use RSYSLOG 5.8.10 and RHEL 6.6 for our test scenario.

In this scenario, we need to monitor application log files and forward their log messages to a syslog server, which is a RHEL server.

You need to add some configuration on the client and some on the remote host.

Follow the instructions below to monitor a file and send its messages to the syslog server.

Note that the scenario is based on rsyslog, not syslog, so rsyslog must be installed on both client and server; you can't do this on RHEL 5.x or earlier, because RHEL 5.x and earlier ship syslog rather than rsyslog.

Client Configuration

The rsyslog service is enabled by default, but as a first step make sure it is enabled to start at boot on both client and server:

chkconfig rsyslog on

Then edit your rsyslog.conf (/etc/rsyslog.conf) and add the configuration below.

Step 1: Load the file monitoring module:

$ModLoad imfile

Add it after the default modules.

Step 2: Define a working directory and the permissions rsyslog should use for the files it creates:

$WorkDirectory /var/lib/rsyslog # Where to place spool and state files - replace with your own directory
$FileOwner root
$FileGroup root
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser root
$PrivDropToGroup root

Adding queue configuration is also strongly recommended; it keeps messages buffered when the rsyslog server is not reachable over the network:

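The queue directives the paragraph above refers to, as an added example that is not part of the original post. They are the action-queue directives rsyslog documents for reliable forwarding; they apply to the next action only, so they go directly above the forwarding line from Step 5 (x.x.x.x stays the placeholder for your server address).

```conf
# Added example: disk-assisted queue in front of the forwarding action (rsyslog 5.x legacy syntax).
# Spool files are written under $WorkDirectory, so that directive must already be set (Step 2).
$WorkDirectory /var/lib/rsyslog      # where the spool files are placed
$ActionQueueType LinkedList          # asynchronous in-memory queue, spills to disk when needed
$ActionQueueFileName fwdRule1        # unique name prefix for this action's spool files
$ActionQueueMaxDiskSpace 1g          # upper bound for on-disk spool usage
$ActionQueueSaveOnShutdown on        # write queued messages to disk when rsyslog stops
$ActionResumeRetryCount -1           # retry forever instead of giving up after the default retry count
# The action the queue belongs to: forward local1 messages over TCP (port 514 made explicit)
local1.*                             @@x.x.x.x:514
```

While the server is down, messages accumulate in memory and then on disk up to the 1g limit, and are delivered once the TCP connection comes back.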

Step 3: Add a section like the one below for each log file you want to monitor:

$InputFileName /Change-This-Path-To-Log-File
$InputFileTag YourTAG
# State file name must be unique per monitored file; it is created under $WorkDirectory
$InputFileStateFile StateFileName
$InputFileSeverity info
$InputFileFacility local1
# Activates the monitor for the file above; without it the file is not read
$InputRunFileMonitor

Step 4: Since we used "local1" as the facility, exclude it from the default rule so that local1 messages are not also written to /var/log/messages:

*.info;mail.none;authpriv.none;cron.none;local1.none                /var/log/messages

Add local1.none to this rule.

Step 5: Add the line below after the file monitoring sections to send your log messages to the remote host:

local1.*                                @@x.x.x.x

This line tells rsyslog to send the log messages to the server via TCP.

To send them via UDP instead, remove one of the "@" characters; note that UDP gives no delivery guarantee, so messages are lost silently when the server is unreachable.

Final step: restart the rsyslog service:

service rsyslog restart

Server Configuration

You need to deploy and configure another server as the RSYSLOG server.

You can choose TCP or UDP protocol or both for receiving log messages.

First, choose and enable the receiving protocol:

$ModLoad imtcp

This line loads the TCP input module; the listener itself is started later with $InputTCPServerRun. For UDP, load imudp instead.

Step 2: We need templates to store our messages in a specific location and format:

$template WindowsServer,"/syslog/WindowsServer/%$YEAR%-%$MONTH%-%$DAY%-message.log"

The line above stores every message under the defined path, in one file per day named like this: /syslog/WindowsServer/YYYY-MM-DD-message.log

We'll use the templates in our rules, so they must be defined before the rules.

Step 3: Now the rules. We write a rule set instead of plain rules so that received messages are not processed by the local rules: the rule set applies only to messages received from the network and leaves local messages to the default rules:

$Ruleset remote
# Rules to find and store messages
:syslogtag, isequal, "YourTAG"  -?WindowsServer
# Bind ruleset to tcp listener
$InputTCPServerBindRuleset remote
# And activate it:
$InputTCPServerRun 514

You can also write rules with "if" statements:

if $fromhost-ip == 'x.x.x.x' and $syslogtag == 'YourTAG' then -?WindowsServer

If security is important to you, add the line below (before $InputTCPServerRun, otherwise it has no effect) so that messages from unauthorized addresses are rejected:

$AllowedSender TCP, x.x.x.x

Replace "x.x.x.x" with your client IP address or IP range. Keep in mind that this is only a source-address filter, not authentication; with UDP the source address is trivially forged, so also restrict port 514 in the host firewall to the expected clients.

Final step: restart the rsyslog service (service rsyslog restart).
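A complete server-side fragment putting the steps above in the order rsyslog needs, added here as an example and not taken from the original post. It assumes 192.0.2.0/24 as a placeholder client range and uses a per-sender template named PerHost in place of the post's WindowsServer template.

```conf
# Added example: server-side /etc/rsyslog.conf fragment (rsyslog 5.x legacy syntax).
$ModLoad imtcp

# Source-address filter: must appear BEFORE $InputTCPServerRun or it is ignored.
# 192.0.2.0/24 is a placeholder; this is filtering, not authentication.
$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24

# One file per sending host and day. %fromhost-ip% is taken from the TCP connection,
# whereas %HOSTNAME% is taken from the message body the client sends and is therefore
# client-controlled, so it should not be used to build paths on the server.
$template PerHost,"/syslog/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%-message.log"

# Everything that arrives on the TCP listener is handled by this ruleset only,
# so it never reaches the local rules (/var/log/messages etc.) further down.
$RuleSet remote
# startswith also matches the "YourTAG:" form, since imfile tags conventionally end in a colon
:syslogtag, startswith, "YourTAG"  -?PerHost
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514

# Switch back, so the rules that follow in the file apply to local messages again.
$RuleSet RSYSLOG_DefaultRuleset
```

Check the file with rsyslogd -N1 before restarting: it reports unknown directives such as a misspelled $AllowedSender instead of silently ignoring them at runtime.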


Now you will receive log messages, and you can configure any other client the same way as the one we've configured.

I’ll explain “Log Rotate” in the next post.

Davoud Teimouri

Professional blogger, vExpert 2015/2016/2017/2018/2019/2020/2021/2022/2023, vExpert NSX, vExpert PRO, vExpert Security, vExpert EUC, VCA, MCITP. This blog started with simple posts and now has a large readership.
