Server Logs are wealth of useful information. Every SysAdmin knows it. Logs act as our only mean to troubleshoot critical issues, when nothing else helps. Logs are so important that they must be backed up properly & efficiently. While every Linux distribution has this facility built-in, its always good to have a centralised log server that captures the logs from all other client nodes. It servers many purposes. It acts as a central point of contact whenever we need to check the logs. No need to login to individual servers. It also reduces the load on storage media of individual servers since all the logging is recorded on one central server with huge storage 🙂 Lets learn how to setup our own Centralised Log Server on Linux. I have shown using Ubuntu but same applies to Red Hat based servers as well.
Lab Description : –
Log Server – 192.168.0.50 running Ubuntu 14.04
Log Client Node – 192.168.0.51 running Ubuntu 14.04
Server Configuration : –
Enable UDP/TCP port.
/etc/rsyslog.conf file. There are properties for UDP & TCP under MODULES directive. Uncomment both of them. It looks like below after uncommenting. 514 is the port number. This will enable UDP/TCP communication from clients to the server.
# provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 # provides TCP syslog reception $ModLoad imtcp $InputTCPServerRun 514
Define template for the logs.
The template defines the filename & location of the logs. Just above GLOBAL directive, add these lines to define a template.
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log" * *.* ?RemoteLogs & ~
1st line is self-explanatory. It defines what will be the name & location of log-file.
2nd line tells the
rsyslog daemon to apply this template to all the log-files.
3rd line stops the older logging & enables this new logging.
Restart rsyslog daemon.
service rsyslog restart
Ensure your client nodes can communicate with the log server. Adjust firewall to allow UDP/TCP port 514 if needed.
Edit configuration file.
We only need to define the IP address or FQDN of our log server in the
/etc/rsyslog.conf file. So open the file & add below line to the end. No explanation needed here, right? 😉 It is the IP of log server & UDP/TCP port.
#Defining the Central Log Server *.* @192.168.0.50:514
After this, restart the rsyslog daemon.
service rsyslog restart
You will see new directories inside
/var/log with names of your client(s). Inside these, there will be many log files with their respective program names like
drwx------ 2 syslog syslog 4096 jul 6 09:48 shashank-server/ drwx------ 2 syslog syslog 4096 jul 6 09:47 shashank-client/
root@shashank-server:/var/log# ll shashank-server/ 50mounted-tests.log avahi-autoipd(eth0).log gnome-keyring-daemon.log pkexec.log sudo.log accounts-daemon.log avahi-daemon.log jenkins.log polkitd(authority=local).log su.log acpid.log colord.log kernel.log polkitd.log udisksd.log anacron.log cracklib.log lightdm.log postfix.log useradd.log AptDaemon.log cron.log ModemManager.log pulseaudio.log whoopsie.log AptDaemon.PackageKit.log CRON.log mtp-probe.log rsyslogd-2207.log xinetd.log AptDaemon.Trans.log crontab.log NetworkManager.log rsyslogd-2307.log AptDaemon.Worker.log dbus.log ntpdate.log rsyslogd.log audispd.log dhclient.log os-prober.log rtkit-daemon.log auditd.log failsafe.log passwd.log sshd.log