Configure Centralized Logging Server on CentOS 7 (w Rsyslog) - cfloquetprojects/homelab GitHub Wiki

Introduction:

Rsyslog is a highly flexible, modular, and high-performance system for log processing.

A typical use case is using Rsyslog to forward logs from a variety of devices and platforms to a centralized server, which then uses Splunk's Universal Forwarder to ship them to a log aggregation/visualization tool (Splunk, Kibana, etc.).

However, for the purposes of this lab we will combine the Splunk application host and the centralized logging server into one box, simply named logger01.

Pre-Flight Check:

Ensure you have a properly updated, networked, and patched CentOS 7 Minimal box.

Configure Rsyslog:

CentOS 7 Minimal comes with rsyslog installed, but out of the box it only handles local logs: the UDP listener module (imudp) and its port are commented out in /etc/rsyslog.conf. So we need to load that module and bind it to port 514, decide where incoming logs are written, and open the port in the firewall.

We will start by adding a .conf file inside /etc/rsyslog.d/ (the stock /etc/rsyslog.conf includes every *.conf file in that directory) to define how logs from other systems are received and where they are stored.

I have uploaded an example .conf file here that does a good job of breaking down important fields.

Let's add the firewall rule now using firewall-cmd. Note that --permanent only writes the rule to disk; the --reload is what makes it active. Plain UDP syslog is unauthenticated and trivially spoofable, so on anything other than an isolated lab network you should limit the rule to the source subnet that is supposed to be sending logs instead of opening the port to everyone:

$ sudo firewall-cmd --add-port=514/udp --permanent
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-all

After adding the .conf file and the firewall rule, restart rsyslog and confirm it is listening on 514/udp. (netstat comes from the net-tools package, which a Minimal install does not include; ss from iproute is always present and takes the same -ulpn style of flags.)

$ sudo systemctl restart rsyslog
$ sudo netstat -tupan | grep 514
udp        0      0 0.0.0.0:514             0.0.0.0:*       3792/rsyslogd
udp6       0      0 :::514                  :::* 
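The whole server-side procedure above (config file, firewall rule, restart, listener check) as a single script. This is an added example, not the wiki's own .conf file or commands: 514/udp and the logger01 role come from the page, while the subnet 172.16.50.0/24, the file name 10-remote.conf and the /var/log/remote layout are assumptions for this lab. It departs from the steps above in two ways a practitioner would want: the firewall rule admits only the lab subnet rather than the world, and remote messages are filed by sender IP into their own tree instead of under a hostname the sender chooses.

```shell
#!/bin/sh
# setup-remote-syslog.sh: added example for the server side of this page, not
# code from the cfloquetprojects/homelab wiki. 514/udp and logger01 come from
# the page; the subnet, file name and log directory below are assumptions.

LOG_SUBNET="${LOG_SUBNET:-172.16.50.0/24}"    # assumed: the only network allowed to send logs
CONF="${CONF:-/etc/rsyslog.d/10-remote.conf}" # assumed name; rsyslog.conf includes /etc/rsyslog.d/*.conf

# Print the receiver config. Legacy directives are used so the same file loads
# on the rsyslog 7.4 that CentOS 7.0 shipped and on the 8.x of later updates.
# Remote traffic is bound to its own ruleset so it never lands in the local
# /var/log/messages. The file path is built from the sender IP plus a program
# name with "/" replaced (secpath-replace), not from the HOSTNAME field, which
# the sender controls and could otherwise use to steer writes out of the tree.
remote_conf() {
    cat <<'EOF'
$ModLoad imudp
$DirCreateMode 0750
$FileCreateMode 0640
$template RemoteLogs,"/var/log/remote/%FROMHOST-IP%/%PROGRAMNAME:::secpath-replace%.log"
$RuleSet remote
*.* ?RemoteLogs
$RuleSet RSYSLOG_DefaultRuleset
$InputUDPServerBindRuleset remote
$UDPServerRun 514
EOF
}

# Write the config, validate it, open 514/udp for the lab subnet only, restart
# rsyslog and confirm the listener. Needs root: sh setup-remote-syslog.sh --apply
apply_server() {
    remote_conf > "$CONF"
    rsyslogd -N1 || { echo "rsyslog config check failed" >&2; exit 1; }
    # A rich rule instead of --add-port: plain syslog is unauthenticated, so
    # only the lab subnet gets to talk to the collector at all.
    firewall-cmd --permanent --add-rich-rule="rule family=\"ipv4\" source address=\"$LOG_SUBNET\" port port=\"514\" protocol=\"udp\" accept"
    firewall-cmd --reload
    systemctl restart rsyslog
    # ss ships with iproute on a Minimal install; netstat (net-tools) does not.
    if ss -ulpn | grep -q ':514 '; then
        echo "rsyslogd is listening on 514/udp"
    else
        echo "nothing is listening on 514/udp" >&2; exit 1
    fi
}

if [ "${1:-}" = "--apply" ]; then apply_server; fi
```

Without --apply the script only defines the functions, so you can print remote_conf and read it before it touches the box. Any send from outside LOG_SUBNET is now dropped by firewalld rather than reaching rsyslogd; if you later add hosts on another network, extend the rich rule rather than falling back to --add-port.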

Configure Log Forwarding from VyOS, Ubuntu, and CentOS hosts:

On the VyOS firewall, enter configuration mode and point the authpriv facility at logger01 (the change only takes effect after a commit, and only survives a reboot after a save):

vyos@fw-cfloquet$ configure
vyos@fw-cfloquet# set system syslog host 172.16.50.5 facility authpriv level info
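For the Ubuntu and CentOS hosts named in the heading, the client side is a one-line rsyslog forwarding rule plus a restart. Below is an added example, not from the wiki, that writes that rule: 172.16.50.5 is logger01 from the page, while the file name 90-forward.conf, the queue limits and the fwd-test tag are assumptions. It also goes slightly beyond the page's UDP-only setup: passing tcp emits an @@ (TCP) forward with a disk-assisted queue in front of it, which is the form to use once logger01 also loads imtcp, since UDP gives no delivery guarantee.

```shell
#!/bin/sh
# forward-to-logger01.sh: added example, not from the cfloquetprojects/homelab
# wiki. rsyslog client side for an Ubuntu or CentOS host. 172.16.50.5 is the
# collector from the page; the file name, queue limits and tag are assumptions.

LOGGER="${LOGGER:-172.16.50.5}"
CONF="${CONF:-/etc/rsyslog.d/90-forward.conf}"   # assumed name; sorts after the distro rules

# client_conf udp|tcp  -> forwarding config on stdout.
# udp ("@") matches what logger01 listens on in this lab. tcp ("@@") gets a
# disk-assisted action queue so a collector outage buffers instead of losing
# messages; a queue buys nothing for udp because a UDP send never fails.
client_conf() {
    proto="${1:-udp}"
    case "$proto" in
        udp)
            printf '*.* @%s:514\n' "$LOGGER" ;;
        tcp)
            printf '$ActionQueueType LinkedList\n'
            printf '$ActionQueueFileName fwd_logger01\n'
            printf '$ActionQueueMaxDiskSpace 100m\n'
            printf '$ActionQueueSaveOnShutdown on\n'
            printf '$ActionResumeRetryCount -1\n'
            printf '*.* @@%s:514\n' "$LOGGER" ;;
        *)
            echo "usage: client_conf udp|tcp" >&2
            return 2 ;;
    esac
}

# Write the rule, validate the full config, restart and send one test line
# through the local syslog path so it exercises the real forwarding chain.
# Needs root: sh forward-to-logger01.sh --apply [udp|tcp]
apply_client() {
    client_conf "${1:-udp}" > "$CONF"
    rsyslogd -N1 || { echo "rsyslog config check failed" >&2; exit 1; }
    systemctl restart rsyslog
    # On logger01 this should show up under /var/log/remote/<this host's IP>/
    logger -t fwd-test "forwarding test from $(hostname)"
}

if [ "${1:-}" = "--apply" ]; then apply_client "${2:-udp}"; fi
```

Because the test line is emitted with logger rather than sent straight to the collector, a missing line tells you the local rsyslog, the rule, or the network path is broken, which is the same chain real messages will follow.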