How to Set up a Syslog server on CentOS 8

How to Set up a Syslog server on CentOS 8

How to Set up a Syslog server on CentOS 8

2022/06/24 by John
The Syslog is an important network utility to manage and review the logs. Several network devices such as routers, servers, and firewalls generate logs of the events and statuses in the network.

The Syslog server can be a physical device acting as a server, a software service, or a virtual device. Syslog server comprises a listener and a database to receive and store the data. The listener component allows the Syslog server to receive the messages whereas the database is used to store that data.

In this post, we will demonstrate the way to set up a Syslog server on CentOS 8.
How to set up a Syslog server on CentOS 8

CentOS and other Linux servers label the Syslog messages to identify the type of software that generated the message and the severity of the messages. In this section, we will demonstrate the installation as well as the configuration of the Syslog server on CentOS 8:
How to install Syslog server on CentOS 8

Syslog server is available on the official repository of CentOS 8 as rsyslog. Firstly, update the system’s packages list via the following command:
$ sudo dnf update

Now, get the latest Syslog server on CentOS 8 by issuing the following command:
$ sudo dnf install rsyslog

Text Description automatically generated
How to configure the Syslog server on CentOS 8

After installation, the Syslog server needs to be configured properly to receive and manage the logs from the client. This section provides a list of configuration steps to make use of the Syslog server:

Step 1: You can enable the UDP and TCP protocol layers on Syslog to start receiving the logs using UPD/TCP protocols. The rsyslog.conf file contains the necessary configurations of the Syslog server and it also contains the configurations for UDP/TCP permission.

The following command will edit the rsyslog.conf file using the nano editor:
$ sudo nano /etc/rsyslog.conf

For UDP: Uncomment the following lines:

Text Description automatically generated

For TCP: Uncomment the lines as shown in the following image:

Text Description automatically generated

Once the changes are performed, use “CTRL+S” and “CTRL+X” to save the file and exit the editor.

Step 2: The Syslog server listens to port#514 on the firewall. You must allow all the connections on port#514 so that the messages can be received. To do so, execute the following command:
$ sudo firewall-cmd --add-port=514/tcp --zone=public --permanent

Reload the firewall to adapt to the changes:
$ sudo firewall-cmd --reload

Step 3: Restart and enable the rsyslog service by issuing the following commands:
$ sudo systemctl restart rsyslog

$ sudo systemctl enable rsyslog


Step 4: Verify that the port#514 is open or not, you can use the following command:
$ sudo netstat -pnltu

Graphical user interface, text Description automatically generated
Text Description automatically generated

It is clear from the output that the port#514 is open for tcp/udp both.

Bonus: The /var/log/messages file contains the logs received from the clients. You can get the list of messages by getting the content of the file as follows:
$ cat /var/log/messages
Conclusion

The Syslog server is used to receive and store the logs received from the network devices such as routers, servers, and firewalls. The Syslog package is used to get the Syslog server’s access on CentOS 8. This section provides a sequential guide to set up the Syslog server on CentOS 8. First, you need to install the Syslog and its packages and then you can configure it to get the messages from the clients.