In this exercise, you
configure server2 to receive messages from remote rsyslogd processes. You
define the rsyslogd configuration on server1 to forward messages to server2 and
open a firewall port on server2 that allows for log file message reception.
1. Open a root shell on server2. Then, open the
configuration file /etc/rsyslog.conf.
2. In rsyslog.conf, uncomment the following two lines to
enable log reception on TCP port 514:
$ModLoad imtcp
$InputTCPServerRun 514
[root@ipa Desktop]# grep -v "#" /etc/rsyslog.conf
$ModLoad imtcp
$InputTCPServerRun 514
3. Close the configuration file and type systemctl
restart rsyslog to restart the rsyslogd service. This allows the rsyslogd
process on the log server to receive messages from others.
[root@ipa Desktop]# systemctl restart rsyslog
[root@ipa Desktop]# systemctl status rsyslog
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Wed 2015-12-23 10:24:52 IST; 15s ago
 Main PID: 4624 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─4624 /usr/sbin/rsyslogd -n

Dec 23 10:24:52 ipa.example.com systemd[1]: Starting System Logging Service...
Dec 23 10:24:52 ipa.example.com systemd[1]: Started System Logging Service.
4. Still on server2, open the firewall to accept
messages on TCP port 514, using the following two lines:
firewall-cmd --add-port=514/tcp
firewall-cmd --add-port=514/tcp --permanent
[root@ipa Desktop]# firewall-cmd --add-port=514/tcp
success
[root@ipa Desktop]# firewall-cmd --add-port=514/tcp --permanent
success
5. Open a root shell on server1, open /etc/rsyslog.conf, and scroll down to
the end of the configuration file. Here, you find the following example
configuration line:
#*.* @@remote-host:514
This line shows how to configure your server to forward messages to a remote
server. Change this line to read like the following to forward messages to
rsyslogd on server2 (in the session shown below, server2 has the host name
ipa.example.com):
*.* @@server2.example.com:514
[root@server1 /]# grep -v "#" /etc/rsyslog.conf
*.* @@ipa.example.com:514
[root@server1 /]#
6. Use systemctl restart rsyslog to restart
the rsyslogd process and start logging to the remote server.
[root@server1 /]# systemctl restart rsyslog
[root@server1 /]# systemctl status rsyslog
rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
   Active: active (running) since Wed 2015-12-23 06:01:25 CET; 15s ago
 Main PID: 3761 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─3761 /usr/sbin/rsyslogd -n

Dec 23 06:01:25 server1.example.com systemd[1]: Starting System Logging Serv....
Dec 23 06:01:25 server1.example.com systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.
7. Now verify it: on server1, try to authenticate as the root user and
enter a wrong password, then observe the log messages on server2.
[root@server1 /]# exit
logout
[lisa@server1 Desktop]$ su - root
Password:
su: Authentication failure
[lisa@server1 Desktop]$ su -
Password:
su: Authentication failure
[lisa@server1 Desktop]$
[root@ipa log]# tail -f 100 messages
tail: cannot open ‘100’ for reading: No such file or directory
==> messages <==
Dec 23 10:24:52 ipa systemd: Stopping System Logging Service...
Dec 23 10:24:52 ipa systemd: Starting System Logging Service...
Dec 23 10:24:52 ipa systemd: Started System Logging Service.
Dec 23 10:29:24 ipa rhsmd: In order for Subscription Manager to provide your system with updates, your system must be registered with the Customer Portal. Please enter your Red Hat login to ensure your system is up-to-date.
Dec 23 10:30:01 ipa systemd: Starting Session 10 of user root.
Dec 23 10:30:01 ipa systemd: Started Session 10 of user root.
Dec 23 06:01:25 server1 rsyslogd: [origin software="rsyslogd" swVersion="7.4.7" x-pid="3761" x-info="http://www.rsyslog.com"] start
Dec 23 06:01:25 server1 systemd: Stopping System Logging Service...
Dec 23 06:01:25 server1 systemd: Starting System Logging Service...
Dec 23 06:01:25 server1 systemd: Started System Logging Service.
Dec 23 06:02:36 server1 su: FAILED SU (to root) lisa on pts/0
Dec 23 06:02:52 server1 su: FAILED SU (to root) lisa on pts/0
While setting up a remote log server, you can enable log reception over TCP
and UDP. Because UDP is a connectionless protocol, message delivery is not
guaranteed. This is an important reason to prefer log handling over TCP. If
you want to set up a server that can receive log messages from legacy
syslog-compatible devices, however, you should enable UDP log reception as
well. Enabling log reception is easy; example lines for log reception over TCP
or UDP are already present. You just have to remove the hash signs in front of
the directive lines:
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
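As an added example (not part of the original exercise), the shell function below reads a legacy-syntax rsyslog.conf and reports which listeners are actually active and where messages are forwarded, treating @@host as TCP and a single @host as UDP. The function names and the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit legacy-syntax rsyslog config for listeners and forwarders.
# rsyslog_audit [FILE]   (reads standard input when no file is given)
# Output, one line per active item:
#   listen <tcp|udp> <port>
#   forward <tcp|udp> <host> <port>
rsyslog_audit() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/   { next }   # commented-out and blank lines are inactive
        $1 == "$ModLoad"           { loaded[$2] = 1; next }
        $1 == "$InputTCPServerRun" { tcp_port = $2; next }
        $1 == "$UDPServerRun"      { udp_port = $2; next }
        # Forwarding action: a selector followed by @host (UDP) or @@host (TCP)
        NF >= 2 && $2 ~ /^@/ {
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"
            target = $2; sub(/^@+/, "", target)
            n = split(target, hp, ":")
            port = (n > 1) ? hp[2] : 514      # 514 is used when no port is given
            fwd[++count] = "forward " proto " " hp[1] " " port
        }
        END {
            # A port directive only matters when its input module is loaded as well
            if (tcp_port != "" && loaded["imtcp"]) print "listen tcp " tcp_port
            if (udp_port != "" && loaded["imudp"]) print "listen udp " udp_port
            for (i = 1; i <= count; i++) print fwd[i]
        }
    ' "$@"
}

# Constructed sample: server2 after step 2 (TCP enabled, UDP left commented out)
sample_server2() {
    cat <<'EOF'
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
EOF
}

# Constructed sample: server1 after step 5
sample_server1() {
    cat <<'EOF'
*.info;mail.none /var/log/messages
#*.* @@remote-host:514
*.* @@server2.example.com:514
EOF
}

sample_server2 | rsyslog_audit
sample_server1 | rsyslog_audit
```

Running it against the real /etc/rsyslog.conf on each host shows at a glance whether UDP reception was left disabled and whether a client forwards over TCP or UDP.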
Thank you for reading.