Support
 
Support Get Quote
 
 
 
 
Syslog

How to configure centralized syslog
server on CentOs machine?

3 min read
 

Analyzing syslogs generated by the Linux/Unix systems and other network devices is one of the important activities of a security admin. To perform this efficiently, admins often centralize the syslog collection. This document elaborates the steps to configure a CentOS system as a centralized rsyslog collection server.

  1. Rsyslog is installed on CentOS 8 by default. To check this, enter the following command in your terminal,
    $ systemctl status rsyslog
  2. If you don't find the status of rsyslog as Active: active (running), enter the following command in your terminal to install it,
    $ sudo yum install rsyslog.
  3. To receive syslogs from other devices over UDP and TCP protocol, you need to uncomment the appropriate lines in /etc/rsyslog.conf to enable TCP and UDP connections,

    1. To use UDP protocol, uncomment the following lines:
      module(load="imudp") #needs to be done just once
      input(type="imudp" port="514")
    2. To use TCP protocol, uncomment the following lines:
      module(load="imtcp") #needs to be done just once
      input(type="imtcp" port="514")

      Note: Port 514 is the default port of UDP and TCP. At anytime, you can change this port number.

  4. Save the configuration and exit.

  5. Ensure that client machines can identify and communicate with the configured rsyslog CentOS server. To enable communication, you need to open the port 514 on your firewall using the following command:
    $ sudo firewall-cmd --add-port=514/tcp --zone=public --permanent
  6. Reload the firewall to save changes using the below command,
    $ sudo firewall-cmd --reload
  7. Now restart the rsyslog CentOS server and enter the following command to check if Rsyslog server is listening on port 514,
    $ sudo netstat -pnltu
  8. You will find that the state of port 514 is set to LISTEN.

You have successfully configured the centralized Syslog collection server that runs on CentOS. To view the logs collected in real time, run the following command in your rsyslog server:

$ tail -f var/log/messages.

How to monitor rsyslog files?

It is essential to monitor syslog files as they can provide valuable insights about network activities. They can provide all information on any event, like the IP involved, the timestamp of the event, the activity carried out and critical changes made to any system. Manually monitoring rsyslog files can be tedious and ineffective in terms of analyzing the syslogs. Monitoring the rsyslog files using a log management solution can provide in-depth analysis of your logs.

EventLog Analyzer, an effective log management solution, can collect, parse, index and analyze the voluminous rsyslog data and generate intuitive reports. Any malicious activity will be flagged as a threat and a real-time alert can be raised via SMS/email to notify IT security admins of an impending attack.

You may also like

 

Interested in a
log management
solution?

Try EventLog Analyzer

Manage logs, comply with IT regulations, and mitigate security threats.

Seamlessly collect, monitor, and analyze
logs with EventLog Analyzer

Your request for a demo has been submitted successfully

Our support technicians will get back to you at the earliest.

  •  
  •  
By clicking 'Submit', you agree to processing of personal data according to the Privacy Policy.

  Zoho Corporation Pvt. Ltd. All rights reserved.

Link copied, now you can start sharing
Copy