CentOS 6: Install Remote Logging Server (rsyslog)

In my office network, we have a lot of small devices like router and switches in our environment. My boss wants me to have a report on all of our network device for auditing purposes. To accomplish this objective, I need to have a server which run as logging server, accepting various type of logging from several devices. This method will ease up my auditing trail in one centralized location.

I will use my development server which run on CentOS to receive logs from my Mikrotik router, 192.168.0.1 as picture below:

rsyslog

I am using following variables:

Rsyslog OS: CentOS 6.0 64bit
Rsyslog Server IP: 192.168.0.160
Router hostname: router.mynetwork.org
Router IP: 192.168.0.1

Rsyslog Server

1. Install Rsyslog package:

$ yum install rsyslog -y

2. Make sure you have following line uncommented in /etc/rsyslog.conf:

$ModLoad imuxsock.so
$ModLoad imklog.so
 
$ModLoad imudp.so
$UDPServerRun 514
 
$ModLoad imtcp.so
$InputTCPServerRun 514
 
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
 
*.info;mail.none;authpriv.none;cron.none /var/log/messages
 
authpriv.* /var/log/secure
 
mail.* -/var/log/maillog
 
cron.* /var/log/cron
 
*.emerg *
 
uucp,news.crit /var/log/spooler
 
local7.* /var/log/boot.log
 
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24
$AllowedSender TCP, 192.168.0.1

3. We need to add following rules into /etc/rsyslog.conf so logs received from the router will be output into a file called /var/log/router.log:

:fromhost-ip,isequal,"192.168.0.1"                      /var/log/router.log

There are a lot of options you can use to define your remote logging rules, which you can refer to this page: http://www.rsyslog.com/doc/property_replacer.html

4. Open firewall port 514 on TCP and UDP:

$ iptables -A INPUT -m tcp -p tcp --dport 514 -j ACCEPT
$ iptables -A INPUT -m udp -p udp --dport 514 -j ACCEPT

5. Restart Rsyslog daemon to apply the configuration:

$ service rsyslog restart

6. We also need to rotate this log file so it will need eating up the server’s disk space. Create a new text file called router under /etc/logrotate.d/ directory:

$ vim /etc/logrotate.d/router

And add following line:

/var/log/router.log
{
    daily
    rotate 5
    missingok
    notifempty
    sharedscripts
    postrotate
    /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

Router (Rsyslog Client)

1. Mikrotik router supports remote logging. I just need to login into the Winbox > System > Logging and configure Actions as screenshot below:

log1

2. The next thing, is we need to create the rules on which logging level do we want to be sent to the rsyslog server. Go to Winbox > System > Logging and configure Rules as screenshot below:

log2

Testing

Now, the router should send the log remotely to the rsyslog server and we can check the router logs by running following command:

$ tail -f /var/log/router.log
 
Jan 8 17:23:28 192.168.0.1 system,info log action changed by admin
Jan 8 17:26:09 192.168.0.1 system,info filter rule changed by admin
Jan 8 17:26:09 192.168.0.1 system,info filter rule changed by admin
Jan 8 17:26:23 192.168.0.1 system,info PPP AAA settings changed by admin
Jan 8 17:26:40 192.168.0.1 system,info L2TP Server settings changed by admin
Jan 8 17:26:49 192.168.0.1 system,info filter rule changed by admin
Jan 8 17:26:50 192.168.0.1 system,info filter rule changed by admin

 

 

Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *