How to configure a centralized syslog server on a CentOS machine?

In this page

  • How to configure a centralized syslog server on CentOS
  • How to monitor rsyslog files?

How to configure a centralized syslog server on CentOS

Analyzing the syslogs generated by Linux/Unix systems and other network devices is one of the core activities of a security admin. To do this efficiently, admins usually centralize syslog collection. This document describes the steps to configure a CentOS system as a centralized rsyslog collection server.

  • Rsyslog is installed on CentOS 8 by default. To check this, enter the following command in your terminal:
    $ systemctl status rsyslog
  • If the status of rsyslog is not shown as Active: active (running), enter the following command in your terminal to install it:
    $ sudo yum install rsyslog
  • To receive syslogs from other devices over UDP and TCP, uncomment the appropriate lines in /etc/rsyslog.conf to enable the UDP and TCP inputs:
    • To use UDP, uncomment the following lines:
      module(load="imudp") # needs to be done just once
      input(type="imudp" port="514")
    • To use TCP, uncomment the following lines:
      module(load="imtcp") # needs to be done just once
      input(type="imtcp" port="514")
      Note: Port 514 is the default port for both UDP and TCP. You can change this port number at any time.
  • Save the configuration and exit.
  • Ensure that client machines can identify and communicate with the configured rsyslog CentOS server. To enable communication, open port 514 on your firewall using the following command (if you also enabled the UDP input, run it a second time with 514/udp):
    $ sudo firewall-cmd --add-port=514/tcp --zone=public --permanent
  • Reload the firewall to apply the changes using the command below:
    $ sudo firewall-cmd --reload
  • Now restart the rsyslog service on the CentOS server ($ sudo systemctl restart rsyslog) and enter the following command to check whether the rsyslog server is listening on port 514 (use ss -pnltu instead if net-tools is not installed):
    $ sudo netstat -pnltu
  • You will find that the state of port 514 is LISTEN.

You have successfully configured a centralized syslog collection server running on CentOS. To view the collected logs in real time, run the following command on your rsyslog server:

$ tail -f /var/log/messages

How to monitor rsyslog files?

It is essential to monitor syslog files, as they provide valuable insight into network activity. They record the details of each event: the IP address involved, the timestamp, the activity carried out and any critical changes made to a system. Manually monitoring rsyslog files is tedious and ineffective when it comes to analyzing the syslogs. Monitoring the rsyslog files with a log management solution provides in-depth analysis of your logs.

EventLog Analyzer, an effective log management solution, can collect, parse, index and analyze the voluminous rsyslog data and generate intuitive reports. Any malicious activity will be flagged as a threat and a real-time alert can be raised via SMS/email to notify IT security admins of an impending attack.
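Once client logs land in /var/log/messages on the collection server, the first-pass triage this section describes (pull the host, timestamp and activity out of each line, then flag suspicious patterns) can be scripted. The following is an added example, not part of this page or of EventLog Analyzer; it assumes rsyslog's default file format and uses constructed sample lines, flagging a source IP once it produces three or more failed SSH logins against one host.

```python
import re
from collections import Counter, defaultdict

# rsyslog's default file format (RSYSLOG_TraditionalFileFormat), as written to
# /var/log/messages on the collection server: "Mon DD HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse_line(line):
    """Return ts/host/tag/pid/msg as a dict, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def summarize(lines, threshold=3):
    """Count events per sending host and flag source IPs with >= threshold failed SSH logins."""
    per_host = Counter()
    failures = defaultdict(Counter)  # sending host -> Counter(source IP)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # lines that do not match are counted, not silently dropped
            continue
        per_host[rec["host"]] += 1
        if rec["tag"] == "sshd":
            f = FAILED_RE.search(rec["msg"])
            if f:
                failures[rec["host"]][f.group("ip")] += 1
    alerts = [(h, ip, n) for h, c in failures.items() for ip, n in c.items() if n >= threshold]
    return {"per_host": dict(per_host), "alerts": sorted(alerts), "unparsed": unparsed}

# Constructed sample lines in the format above (not real log data); IPs are from documentation ranges.
SAMPLE = [
    "Mar  3 10:15:01 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar  3 10:15:03 web01 sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2",
    "Mar  3 10:15:05 web01 sshd[2235]: Failed password for root from 203.0.113.7 port 51041 ssh2",
    "Mar  3 10:15:09 web01 sshd[2240]: Accepted publickey for deploy from 198.51.100.4 port 40012 ssh2",
    "Mar  3 10:16:00 db01 systemd[1]: Started Daily Cleanup of Temporary Directories.",
    "Mar  3 10:16:02 db01 sshd[911]: Failed password for postgres from 203.0.113.9 port 33011 ssh2",
    "this line is not syslog formatted",
]

if __name__ == "__main__":
    for host, ip, n in summarize(SAMPLE)["alerts"]:
        print(f"ALERT {host}: {n} failed SSH logins from {ip}")
```

To run it against the live file, replace SAMPLE with the lines from `tail -f /var/log/messages`; the unparsed counter tells you when clients are sending in a different template than the one assumed here.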

What's next?

EventLog Analyzer can work seamlessly with your CentOS syslog server to provide real-time monitoring and comprehensive analysis.