Syslog Configurations - savannahc502/SavC-TechJournal-SEC350 GitHub Wiki

Steps to set up a syslog server (on CentOS) and client for centralized logging


Syslog Server Configuration

  1. Network Configuration:
    • Change the network adapter to the appropriate network.
    • Set the hostname: sudo hostnamectl set-hostname <hostname>
    • Set a static IP using a network management tool (e.g., nmtui):
      • IP Address:
      • Gateway/DNS:
  2. User Setup:
    • Change the root password: passwd root
    • Add a new sudo user:
        sudo adduser <username>
        sudo usermod -aG wheel <username>
  3. Restart the Network:
        sudo systemctl restart network
  4. Install and Enable rsyslog:
        sudo yum install -y rsyslog
        sudo systemctl enable --now rsyslog
        sudo systemctl status rsyslog
  5. Configure the Firewall (open port 514 for both UDP and TCP):
        sudo firewall-cmd --permanent --add-port=514/udp
        sudo firewall-cmd --permanent --add-port=514/tcp
        sudo firewall-cmd --reload
        sudo firewall-cmd --list-all
  6. Modify the rsyslog Configuration:
    • Edit /etc/rsyslog.conf so that it receives syslog messages on port 514:
        sudo nano /etc/rsyslog.conf
    • Uncomment the UDP and TCP reception lines.
    • Restart the rsyslog service:
        sudo systemctl restart rsyslog
  7. Verify rsyslog is Listening on port 514:
        sudo netstat -tupan | grep 514

Syslog Client Configuration

  1. Network Configuration:
    • Change the network adapter to the appropriate network.
    • Set the hostname: sudo hostnamectl set-hostname <hostname>
    • Set a static IP using a network management tool (e.g., nmtui):
      • IP Address:
      • Gateway/DNS:
  2. User Setup:
    • Change the root password: passwd root
    • Add a new sudo user:
        sudo adduser <username>
        sudo usermod -aG wheel <username>
  3. Restart the Network:
        sudo systemctl restart network
  4. Install and Enable rsyslog:
        sudo yum install -y rsyslog
        sudo systemctl enable --now rsyslog
        sudo systemctl status rsyslog
  5. Create the rsyslog Configuration:
    • Create /etc/rsyslog.d/<config file> (give it a .conf extension so the include in /etc/rsyslog.conf picks it up):
        sudo nano /etc/rsyslog.d/<config file>
    • Add the following line to send syslog messages to the syslog server (a single @ forwards over UDP):
        user.notice @<server IP>
    • Restart the rsyslog service:
        sudo systemctl restart rsyslog
  6. Test Syslog Messaging:
    • On the syslog server, monitor the log messages:
        sudo tail -f /var/log/messages
    • On the syslog client, send a test syslog message:
        logger -t test "Test message from client to server"
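A small script that checks whether the server's rsyslog.conf reception lines have actually been uncommented and prints the client's forwarding line. This is an added example, not part of the original journal; the directive names are the ones shipped commented out in CentOS 7's default /etc/rsyslog.conf, and the sample config text and the server IP 10.0.5.10 are constructed.

```shell
#!/bin/sh
# Added example, not from the original journal: check that the CentOS 7
# rsyslog.conf reception lines are uncommented, and build the client rule.
# The sample config text and the server IP below are constructed.

# Return 0 when the UDP and TCP reception lines in the given rsyslog.conf
# are active (not commented out), 1 otherwise. These are the legacy-syntax
# lines shipped commented out in CentOS 7's default /etc/rsyslog.conf.
rsyslog_listeners_enabled() {
    conf="$1"
    grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imudp' "$conf"         || return 1
    grep -Eq '^[[:space:]]*\$UDPServerRun[[:space:]]+514' "$conf"      || return 1
    grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imtcp' "$conf"         || return 1
    grep -Eq '^[[:space:]]*\$InputTCPServerRun[[:space:]]+514' "$conf" || return 1
    return 0
}

# Print the client forwarding rule for /etc/rsyslog.d/<config file>.
# $1 selector (user.notice, as on this page, forwards only the user facility
# at notice and above; *.* forwards everything), $2 server IP, $3 udp|tcp.
# One @ forwards over UDP (the page's line), @@ over TCP; 514 is the default port.
forward_rule() {
    selector="$1"; server="$2"; proto="${3:-udp}"
    case "$proto" in
        udp) printf '%s @%s:514\n'  "$selector" "$server" ;;
        tcp) printf '%s @@%s:514\n' "$selector" "$server" ;;
        *)   echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
}

# Constructed samples: the shipped (commented) block and the fixed one.
SHIPPED=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$SHIPPED" "$FIXED"' EXIT
cat > "$SHIPPED" <<'EOF'
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
EOF
sed 's/^#\$/$/' "$SHIPPED" > "$FIXED"   # uncomment only the $-directive lines

rsyslog_listeners_enabled "$SHIPPED" || echo "shipped config: listeners disabled"
rsyslog_listeners_enabled "$FIXED"   && echo "fixed config: listeners enabled"
forward_rule user.notice 10.0.5.10        # user.notice @10.0.5.10:514
```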