I wanted to have a Cisco device send its logs to a CentOS box for troubleshooting. I just wanted to do a "tail -f" against the error logs. It seems that syslog is now rsyslog in CentOS 6. To set up rsyslog to accept syslog logs from other devices, you need to:
1. Uncomment the following lines (not the description lines, the ones that start with "$")
# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514
2. Add a line or two like these below to say where you want the logs written:
:fromhost-ip,startswith,"192.168.1." /var/log/remote.log
& ~
:fromhost-ip,isequal,"192.168.1.33" /var/log/servername.log
& ~
3. service rsyslog restart
4. Add a hole in iptables for 514 (UDP and TCP)
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
5. service iptables restart
6. Create a new logrotate config file in /etc/logrotate.d:
/var/log/remote.log
{
daily
rotate 5
missingok
notifempty
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
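The two filters in step 2 each end with "& ~" (discard), so if both are used their order decides which file a sender lands in. The following is an added example, not part of the original post and not rsyslog code: a simplified Python model of that evaluation, with hypothetical helper names (matches, route) and constructed sample addresses.

```python
# Simplified model of rsyslog property-based filters on fromhost-ip.
# Each rule: (compare-operation, value, target file, discard), where
# discard=True stands for the "& ~" line that follows the filter.

def matches(op, value, ip):
    if op == "startswith":
        return ip.startswith(value)
    if op == "isequal":
        return ip == value
    raise ValueError("unsupported compare-operation: " + op)

def route(rules, ip):
    """Return the files a message from `ip` is written to, in order.
    A trailing None means the message was not discarded and carries on
    to whatever rules come later in the rsyslog configuration."""
    written = []
    for op, value, path, discard in rules:
        if matches(op, value, ip):
            written.append(path)
            if discard:
                return written  # "& ~": later rules never see it
    return written + [None]

# Order as listed in step 2 of the post.
AS_POSTED = [
    ("startswith", "192.168.1.", "/var/log/remote.log", True),
    ("isequal", "192.168.1.33", "/var/log/servername.log", True),
]
# Same two rules, most specific filter first.
SPECIFIC_FIRST = [AS_POSTED[1], AS_POSTED[0]]

# Constructed sample senders.
SAMPLE_IPS = ["192.168.1.33", "192.168.1.7", "192.168.10.5", "10.0.0.9"]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED),
                        ("specific first", SPECIFIC_FIRST)):
        for ip in SAMPLE_IPS:
            print(name, ip, route(rules, ip))
```

In this model the host rule only receives traffic when it is placed before the subnet rule, and the trailing dot in "192.168.1." is what keeps 192.168.10.x out of remote.log.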
Hi
Thanks for the very useful post. I followed your instructions and they worked great on my CentOS box. I just had one issue with the syntax for the firewall rule. Mine reads as:
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
I also realised that this appended the rule to my INPUT chain and appeared after a deny any protocol rule so I deleted the rule and then inserted it in the correct position (in my case rule 5):
iptables -I INPUT 5 -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
Not sure, I would have to see your whole iptables. I usually just modify the file in /etc/sysconfig/iptables and add the rule I need. Then I issue a service iptables restart. Sorry I could not be of more assistance!
Thanks, saved me a bunch of time. Thoughts:
1) The file is: /etc/rsyslog.conf
2) Suggest putting the log entries in a separate file:
/etc/rsyslog.d/remotes.conf
3) service rsyslog restart
Cheers,
Andree
Thanks for taking the time to comment. I agree with your comments below!
Thank you for this. Saving me time.
Very helpful for the server side! Thanks!
Now how do I send my system logging info from another CentOS box to this one? 😉
I will try and get a new post out about this soon. But I am sure you found your answer by now.
Hi, I followed the exact steps and it is not working for me; nothing is logged from my other device onto the CentOS server. Is there something that I'm missing here?
Firewall?
I have followed the same, I am getting messages from a Cisco 4506 switch.
But these messages are of the following type only " %SYS-5-CONFIG_I: Configured from console by rizwan on vty0 (192.168.22.93) messages include only "
I am not getting other messages related to interface up/down, mismatch native VLAN messages.
I have a line as local7.debug /var/log/switch.log
Can anyone suggest changes so that I would get all messages on my syslog server?
Sorry, not sure.
Hi !
I have a pfSense firewall and I need to monitor a LAN network, so I need to implement a syslog server; this will be on CentOS or RHEL.
I need some help please, do you know how to send logs of pfSense to a remote syslog server *linux* ?
Sorry. I have not used pfSense. I believe all you would need to do is have it log to the local syslog and that can forward? I have played with it in a while