How to Create a Centralized Log Server with Rsyslog in CentOS/RHEL 7


Matei Cezar

I'm a computer-addicted guy, a fan of open source and Linux-based system software, and have about 4 years of experience with Linux distributions (desktop, servers) and bash scripting.


17 Responses

  1. SDB says:

    I have added below in my /etc/rsyslog.conf :

    $template RemoteLogs,"/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"
    *.* ?RemoteLogs &

    But after restarting rsyslog service status is showing below error :

    invalid character in selector line – ‘;template’ expected [v8.24.0-34.el7]
    error during parsing file /etc/rsyslog.conf, on or before line 23: errors occu…2207 ]

  2. SDB says:

    Great tutorial thanks.

  3. Gilroy says:

    awesome blog

  4. Rob Ramsey says:

    You referenced TCP twice in your firewall statement. One of those should be UDP.

  5. david says:

    rsyslog syntax has changed somewhat since this article was written. The "~" character has been deprecated in favor of STOP.

    The rsyslog developers also recommend a statement like the one below on the client to forward records.

    *.* action(type="omfwd" target="" port="514" protocol="tcp"
               queue.type="LinkedList" queue.size="10000")

    The problem is inertial, and many of the deprecated methods are listed on websites. There doesn’t appear to be a single good website with the new methods listed.

  6. Huan says:

    It seems in v8.33.1 there are some changes:

    $template RemoteLogs,"/logs/%HOSTNAME%/%PROGRAMNAME%.log"
    *.* ?RemoteLogs

    When I restart Syslog server I got:

    Shutting down system logger: [ OK ]
    Starting system logger: rsyslogd: error during config processing: STOP is followed by unreachable statements! [v8.33.1 try ]
    [ OK ]

  7. soph says:

    Hi, I tried your directives but they just caused an error. Any ideas?

    # /usr/lib/rsyslog/rsyslogd -N 1

    rsyslogd: version 8.4.2, config validation run (level 1), master config /etc/rsyslog.conf
    rsyslogd: invalid character in selector line – ‘;template’ expected
    rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 13: errors occured in file ‘/etc/rsyslog.conf’ around line 13 [try ]

    $ModLoad imsolaris # for Solaris kernel logging
    $ModLoad imtcp
    $InputTCPServerRun 514
    $ModLoad # provides UDP syslog reception
    $UDPServerRun 514 # start a UDP syslog server at standard port 514
    $UDPServerAddress * # listen to all IP addresses
    $template RemoteLogs,”/var/log/%HOSTNAME%/%PROGRAMNAME%.log”
    . ?RemoteLogs & ~
    $WorkDirectory /var/spool/rsyslog # where to place spool files
    $template FromIp,”/var/log/%FROMHOST-IP%.log”
    . ?FromIp & ~

  8. Matei Cezar says:

    The point 5 code lines should have the following content:

    $template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
    *.* ?RemoteLogs

    and the next template:

    $template FromIp,"/var/log/%FROMHOST-IP%.log"
    *.* ?FromIp

  9. IWO says:

    Hello Matei:

    # mkdir /var/log/rsyslog
    # cp -p /etc/rsyslog.conf	/etc/rsyslog.conf.original
    # vi /etc/rsyslog.conf
    $template RemoteLogs,"/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"
    . ?RemoteLogs & ~

    netstat’s deprecation <– in Centos 7 from minimal Install

    Apparently in CentOS 7 netstat, which is part of the package net-tools has been officially deprecated, so you should be using ss (part of the package iproute2), going forward.

    # yum provides /usr/sbin/ss		OR		# yum whatprovides /usr/sbin/ss
    Complementos cargados:fastestmirror
    Loading mirror speeds from cached hostfile
    iproute-3.10.0-74.el7.x86_64 : Advanced IP routing and network device configuration tools
    Repositorio        : @base
    Resultado obtenido desde:
    Nombre del archivo    : /usr/sbin/ss
    # ss -tulpn | grep rsyslog
    udp    UNCONN     0      0   *:514     *:*    users:(("rsyslogd",pid=10339,fd=3))
    udp    UNCONN     0      0   :::514    :::*   users:(("rsyslogd",pid=10339,fd=4))
    tcp    LISTEN     0      25  *:514    *:*    users:(("rsyslogd",pid=10339,fd=5))
    tcp    LISTEN     0      25  :::514    :::*   users:(("rsyslogd",pid=10339,fd=6))
    # getenforce
    # semanage -a -t syslogd_port_t -p udp 514	   <-- ERROR
    # semanage port -a -t syslogd_port_t -p udp 514	   <-- Syntax OK
    bash: semanage: no se encontró la orden		   <-- in Centos 7 
    # yum -y install policycoreutils-python
    # yum whatprovides /usr/sbin/semanage
    Complementos cargados:fastestmirror
    Loading mirror speeds from cached hostfile
    policycoreutils-python-2.5-11.el7_3.x86_64 : SELinux policy core 
    python utilities
    Repositorio        : @updates
    Resultado obtenido desde:
    Nombre del archivo    : /usr/sbin/semanage
    # semanage port	-a -t syslogd_port_t -p udp 514
    ValueError: El puerto udp/514 ya está definido		<-- Is it OK?
    # semanage port -a -t syslogd_port_t -p tcp 514
    ValueError: El puerto tcp/514 ya está definido		<-- Is it OK?
    # semanage port -l| grep syslog			<-- Is it OK?
    syslog_tls_port_t              tcp      6514
    syslog_tls_port_t              udp      6514
    syslogd_port_t                 tcp      601
    syslogd_port_t                 udp      514, 601
    # firewall-cmd --get-default-zone
    public						<-- Is it OK?
    # firewall-cmd --permanent --add-port=514/tcp
    # firewall-cmd --permanent --add-port=514/udp
    # firewall-cmd --reload
    # firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens33
      services: dhcpv6-client ssh
      ports: 514/tcp 514/udp	<-- Is it OK?
      masquerade: no
      rich rules: 


  10. Mauro Formigoni Junior says:

    There is a little typo in Step 1, probably the result of copy-paste.
    The command to start rsyslog is # systemctl START rsyslog.service instead of STATUS.
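The points raised in comments 1, 5, 6 and 7, as an added example (not from the article or from any commenter): the same per-host file layout written in rsyslog's current RainerScript syntax. The host name `logserver.example.com`, the ruleset name `remote` and the `secpath-replace` property option are assumptions of this example.

```conf
# ---- Server: /etc/rsyslog.conf (or a file under /etc/rsyslog.d/) ----
# Replaces the legacy "$ModLoad imudp", "$UDPServerRun 514",
# "$ModLoad imtcp" and "$InputTCPServerRun 514" directives.
module(load="imudp")
module(load="imtcp")

# Replaces: $template RemoteLogs,"/var/log/rsyslog/%HOSTNAME%/%PROGRAMNAME%.log"
# HOSTNAME and PROGRAMNAME come from the sender, so secpath-replace turns
# any "/" inside them into "_" and the file path stays under /var/log/rsyslog.
template(name="RemoteLogs" type="string"
         string="/var/log/rsyslog/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

# Replaces the legacy pair, which must be on two separate lines:
#     *.* ?RemoteLogs
#     & ~
# Written on one line ("*.* ?RemoteLogs & ~") the parser stops after the
# file action and reports "invalid character in selector line".
# Keeping "stop" inside a ruleset bound only to the network inputs means
# no statement follows it, and local logging rules are left untouched.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteLogs")
    stop
}

input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# ---- Client: forward everything to the log server over TCP ----
# logserver.example.com is a placeholder; the in-memory queue buffers
# messages while the server is unreachable.
action(type="omfwd" target="logserver.example.com" port="514" protocol="tcp"
       queue.type="LinkedList" queue.size="10000")
```

Check either file with `rsyslogd -N 1` before restarting the service.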
