Checking logs is an important activity for seeing what is happening on your Linux servers, especially when you are trying to locate an issue. It is easy when you are managing only 2 or 3 servers, but what do you do when you are handling 50 or 100 servers?
That is when centralized log management comes into the picture. We can send the logs of all our Linux servers (auth logs, cron logs, syslogs, etc.) to a single Linux server, so that whether we have 1 server or 100, the logs of all of them are available in one place; when we need to check logs, we simply log in to that one server.
This is also useful when you do not plan to give everyone access to the servers themselves: they can be given access to the centralized log server alone and read the logs of every machine from there.
In this tutorial, we will learn to set up a syslog server on CentOS and Ubuntu machines for centralized log management. This setup can be used for hundreds of servers, but for the purpose of this tutorial we will use only two, i.e.,
1- Centralized log server or main server
2- A client-server
Let’s start with the setup of the syslog server on the main server.
Set up the syslog server on the Ubuntu/CentOS server (centralized log server)
First, we need to install the rsyslog service. On CentOS it is installed with the following command,
# yum install rsyslog -y
For Ubuntu machines, use the following command,
$ sudo apt install rsyslog -y
Once the package has been installed, we can start configuring the rsyslog service using the configuration file,
# vim /etc/rsyslog.conf
Look for the following lines and uncomment them so that they read,
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Similarly, look for the following lines and uncomment them as well,
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Now save the file and exit. Next, we need to restart the rsyslog service to apply the changes,
# systemctl restart rsyslog
We have now opened port 514 on both TCP and UDP; this is the port on which the logs from all the servers will be received. Next, we move on to our client server.
Set up rsyslog on the client machines (Ubuntu/CentOS)
The configuration we are about to make is applied on every client that we have. We start by installing rsyslog on the client machines,
# yum install rsyslog -y
For Ubuntu machines, use the following command,
$ sudo apt install rsyslog -y
Now open the rsyslog configuration file to make the changes,
# vim /etc/rsyslog.conf
Now at the end of the file, add the following lines,
*.info;mail.none;authpriv.none;cron.none @10.10.10.10:514
Now save the file and exit. Here we have listed the facilities and priorities to be sent to the centralized log server (every facility at priority info and above, except the mail, authpriv and cron facilities), followed by the centralized log server's IP address and port number. The selectors are applied left to right and each one overrides those before it, so the `.none` exclusions must come after the `*.info` wildcard; a single `@` in front of the address forwards over UDP.
To implement the changes made on client machines, we need to restart the rsyslog service,
# systemctl restart rsyslog
That is it: all the log messages matching the selectors above will now be sent to the centralized log server, and a local copy will also be kept on the client.
Checking the logs of servers
Log in to your centralized log server, i.e. the main server, and go to the log directory,
# cd /var/log
Here, the received messages are appended to the file named ‘messages’ together with the server's own local logs,
# tail -f /var/log/messages
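The following script is an added example and is not part of the original tutorial. It generates the two rsyslog fragments described above (the client forwarding rule and the server listener) and adds a small check for the selector-ordering pitfall: in a semicolon-separated selector list each selector overrides the ones before it, so a `facility.none` exclusion placed before `*.info` is silently cancelled and that facility is forwarded anyway. The server address 10.10.10.10 and port 514 are those used in the tutorial; the `/var/log/remote/<host>/<program>.log` layout goes beyond the tutorial (which lets remote messages land in `/var/log/messages`) and is an assumption chosen so that each client's logs can be read separately. `@` selects UDP and `@@` selects TCP, as in rsyslog's forwarding syntax.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Generates rsyslog fragments
# for the setup described above and validates the selector order.
# Assumptions: server 10.10.10.10 and port 514 (from the tutorial);
# /var/log/remote as the per-host directory (chosen here).

# Print the client-side forwarding rule.
#   $1 = log server address, $2 = udp (default) or tcp
# In rsyslog a single '@' forwards over UDP, '@@' over TCP.
client_rule() {
  server="$1"
  proto="${2:-udp}"
  case "$proto" in
    udp) prefix='@' ;;
    tcp) prefix='@@' ;;
    *) echo "client_rule: unknown protocol '$proto'" >&2; return 1 ;;
  esac
  # Selectors are evaluated left to right and each overrides the previous
  # ones, so the '*.info' wildcard comes first and the exclusions after it.
  printf '*.info;mail.none;authpriv.none;cron.none %s%s:514\n' "$prefix" "$server"
}

# Return 0 when no 'facility.none' exclusion precedes a '*.priority'
# wildcard in a semicolon-separated selector list, 1 otherwise.
selector_order_ok() {
  printf '%s\n' "$1" | awk -F';' '{
    seen_none = 0
    for (i = 1; i <= NF; i++) {
      if ($i ~ /\.none$/) seen_none = 1
      else if ($i ~ /^\*\./ && seen_none) exit 1
    }
    exit 0
  }'
}

# Print a receiver configuration for the central server: listen on UDP and
# TCP 514 as in the tutorial, and write each remote host's messages to its
# own directory instead of mixing them into /var/log/messages.
server_config() {
  cat <<'EOF'
# Receive syslog over UDP and TCP on port 514
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

# One file per remote host and program, e.g. /var/log/remote/web01/sshd.log
$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
if $fromhost-ip != '127.0.0.1' then ?RemoteLogs
& stop
EOF
}

# Stand-alone run: print both fragments for copying into /etc/rsyslog.d/.
if [ "${1:-}" = "--show" ]; then
  echo "# client: /etc/rsyslog.d/50-forward.conf"
  client_rule 10.10.10.10 tcp
  echo
  echo "# server: /etc/rsyslog.d/10-remote.conf"
  server_config
fi
```

Run it with `--show` and place the two fragments in `/etc/rsyslog.d/` on the client and server respectively, then restart rsyslog on both. The listener lines in the server fragment duplicate the ones uncommented in `/etc/rsyslog.conf` above, so keep only one copy. If firewalld or ufw is active on the server, port 514 must also be allowed for TCP and UDP, otherwise nothing arrives. To confirm the path end to end, run `logger -t forwardtest "hello from client"` on a client and look for the line in `/var/log/remote/<client>/forwardtest.log` on the server (or in `/var/log/messages` on CentOS, `/var/log/syslog` on Ubuntu, when the per-host template is not used).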
That’s it; this completes our tutorial on how to set up a syslog server for centralized log management on Ubuntu and CentOS servers. If you are facing any issues while setting this up or have any other questions regarding this tutorial, you can contact us using the comment box below.