Comments on Building A Central Loghost On CentOS And RHEL 5 With rsyslog

Building A Central Loghost On CentOS And RHEL 5 With rsyslog

Gathering log messages is important. In many situations you will want to store a copy of every log entry on another server as well. If a server crashes or gets hacked you want to be able to browse through that machine's logfiles, and you want to be sure these log files have not been altered in any way. This can be accomplished with a central logserver that receives messages from all other hosts. Keep in mind what the central copy does and does not protect: an attacker who gains root on a sending host can stop or forge that host's messages from that moment on, so the value of the loghost lies in the messages that arrived before the compromise and in the fact that the intruder cannot reach back and edit them. This howto describes configuring rsyslog to put the log messages in one file per day per remote host. Rsyslog is the current standard in RHEL 6 and is available as a package in the current package streams of RHEL 5.5 (and CentOS 5.5). Setting up rsyslog is pretty simple. It all comes down to a single config file, but (there is always a but) every setting needs some planning.

3 Comment(s)


Comments

By: Sebastien Carrillo

It is really easy to use TCP. Just load the right module and use @@host instead of @host.

I had to implement rsyslog for a customer, and we found out that many logs were lost when using only UDP; even with TCP some are lost if you don't use spool queues on the sending host.

I don't have the exact syntax to give examples here (you don't do this every day, right?), but it is really easy to find howtos on the rsyslog website.

By: Anonymous

This did not work for me:

$source == 'hostname '

but this did:

$fromhost == 'hostname'

By: J. D. Jones

Good Morning,

Under "We could add some lines like this:" the author says that "*.info;mail.none;authpriv.none;cron.none" means "All processed messages with the info severity and all mail, authpriv, cron facility will be logged in the file".

For RedHat 5.7, my tests imply that "*.info;mail.none;authpriv.none;cron.none" means "All processed messages with the info severity EXCEPT those for mail, authpriv, cron facility will be logged in the file".  (Later entries in the rsyslog.conf file direct mail, authpriv, and cron to separate files).

If the author's statement was an oversight, would s/he mind correcting it?  Or, if it is peculiar to CentOS 5.5 or RedHat 5.5, would s/he mind reiterating that or possibly adding a comment regarding the altered meaning of severity none in later versions? 

Many thanks for your time, patience, and consideration,

J.D. Jones
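The selector semantics J.D. Jones describes can be checked without a running syslog daemon. The following is an added example, not code from the article, from any commenter, or from the rsyslog project: a small evaluator for the classic sysklogd/rsyslog selector grammar (facility.priority pairs joined by ';', with '*', 'none', '=' and '!'), run over a rule list shaped like the RHEL 5 default rsyslog.conf (the messages/secure/maillog/cron destinations the comment refers to; the "all-users" label for the *.emerg action is my own naming) and a handful of constructed sample messages. Facility and priority numbers are the standard syslog codes.

```python
"""Toy evaluator for classic syslog/rsyslog selector lines (added example).

Not code from the article or from rsyslog. It models the selector grammar
rsyslog inherited from sysklogd: 'facility.priority' pairs joined by ';',
where a plain priority means that priority and everything more severe,
'=' means exactly that priority, 'none' clears a facility, and a leading
'!' turns the selector into a subtraction. Selectors are applied left to
right, so later ones override earlier ones for the facilities they name.
"""

FACILITIES = {  # standard syslog facility codes
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
PRIORITIES = {  # 0 is most severe; "info and higher" therefore means codes <= 6
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
ALL_PRI = frozenset(range(8))


def parse_selector(selector):
    """Return {facility_code: set(priority_codes)} that a selector field matches."""
    mask = {fac: set() for fac in range(24)}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facs, _, pri = part.rpartition(".")
        if not facs or not pri:
            raise ValueError("expected facility.priority, got %r" % part)
        ignore = pri.startswith("!")       # '!' forms remove priorities
        pri = pri[1:] if ignore else pri
        single = pri.startswith("=")       # '=' forms name exactly one priority
        pri = pri[1:] if single else pri
        if pri == "none":
            if ignore:
                raise ValueError("'!none' is not modelled here")
            bits = set()
        elif pri == "*":
            bits = set(ALL_PRI)
        elif pri in PRIORITIES:
            code = PRIORITIES[pri]
            bits = {code} if single else set(range(code + 1))
        else:
            raise ValueError("unknown priority %r" % pri)
        if facs == "*":
            targets = range(24)
        else:
            targets = [FACILITIES[f.strip()] for f in facs.split(",")]
        for fac in targets:
            if pri == "none":
                mask[fac] = set()          # 'none' clears the facility outright
            elif ignore:
                mask[fac] -= bits          # subtract, e.g. kern.!err
            else:
                mask[fac] |= bits          # add, e.g. *.info
    return mask


def matches(mask, facility, priority):
    """True if a message with the given facility/priority passes the selector."""
    return PRIORITIES[priority] in mask[FACILITIES[facility]]


# Rule list shaped like the RHEL 5 default /etc/rsyslog.conf: (selector, action).
# The "*.emerg  *" action (write to every logged-in user) is labelled "all-users".
RHEL5_STYLE_RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "all-users"),
]


def route(rules, facility, priority):
    """Destinations a message reaches; every matching rule fires, as in syslogd."""
    return [dest for sel, dest in rules
            if matches(parse_selector(sel), facility, priority)]


# Constructed sample messages (facility, priority, text), not real log data.
SAMPLES = [
    ("mail", "info", "postfix/smtpd: connect from unknown[192.0.2.10]"),
    ("authpriv", "notice", "sshd: Accepted publickey for root"),
    ("cron", "err", "crond: (root) CMD failed"),
    ("kern", "warning", "kernel: martian source 192.0.2.1"),
    ("daemon", "debug", "ntpd: peer stats"),
    ("kern", "emerg", "kernel: Oops"),
]


def route_samples(rules=RHEL5_STYLE_RULES, samples=SAMPLES):
    """Map each sample's text to the destinations it would be written to."""
    return {text: route(rules, fac, pri) for fac, pri, text in samples}


if __name__ == "__main__":
    for text, dests in route_samples().items():
        print("%-50s -> %s" % (text, ", ".join(dests) or "(dropped)"))
```

Running it shows the mail, authpriv and cron samples landing only in their own files and never in /var/log/messages, which is the "EXCEPT" reading in the comment above; the daemon.debug sample is dropped everywhere because no selector admits priority debug. Swapping the order to "mail.none;*.info" makes mail.info land in messages again, since later selectors override earlier ones for the facilities they name.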