Configure rsyslog Server on Fedora

It can be very beneficial for system and network administrators to log system messages from other machines on the network to a centralized hub. Fedora 20 uses rsyslog as the default syslogd service; this allows administrators to configure remote logging. I'll be detailing the necessary rsyslog configuration steps in Fedora 20 to allow logging messages from a DD-WRT router. This will entail:
  • Edit /etc/rsyslog.conf
  • Set up firewall rule to allow incoming connection to server
  • Configure DD-WRT router to send syslogd messages to our server

rsyslog server

Our server will be the Fedora 20 machine. There are two configuration files in the /etc/ directory that are of interest to us:
/etc/rsyslog.conf
/etc/sysconfig/rsyslog
However, the latter file is not useful anymore as it states:
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS=""
That means our configuration options are defined in /etc/rsyslog.conf alone. In particular, we're going to want to uncomment:
$ModLoad imtcp
$InputTCPServerRun 514
to direct rsyslog to listen on the TCP port 514 for remote messages.
Then, at the bottom of the file, a block of options is given to specify the remote host:port from which to accept log messages, as well as to spool messages to disk if the remote host is down.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
For example, this is a working rule that accepts logs from the DD-WRT router:
# ### begin forwarding rule ###
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount 10
*.* @192.168.1.1:514
# ### end of the forwarding rule ###
After you save the changes in /etc/rsyslog.conf, restart the rsyslog service:
systemctl restart rsyslog.service
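
To check what an edited /etc/rsyslog.conf will actually do, the following added example (not part of the original post) parses the legacy directives shown above and reports active listeners and forwarding actions; in this syntax, @host sends matching messages to that host over UDP and @@host over TCP. The function name audit_rsyslog and the sample text are constructed for illustration.

```python
import re

# Constructed sample: active lines this page puts in /etc/rsyslog.conf, plus two commented ones
SAMPLE_CONF = """\
$ModLoad imtcp
$InputTCPServerRun 514
#$ModLoad imudp
#$UDPServerRun 514
$ActionQueueType LinkedList
$ActionResumeRetryCount 10
*.* @192.168.1.1:514
"""
# Legacy-syntax forwarding action: selector, '@' (UDP) or '@@' (TCP), host[:port]
FORWARD_RE = re.compile(r"^(\S+)\s+(@@?)(\[[^\]]+\]|[^\s:#@]+)(?::(\d+))?")
# Legacy listener directives and the input module each one depends on
LISTEN_DIRECTIVES = {
    "$inputtcpserverrun": ("tcp", "imtcp"),
    "$udpserverrun": ("udp", "imudp"),
}

def audit_rsyslog(conf_text):
    """Return (listeners, forwards) found in legacy-format rsyslog config text."""
    modules, pending, forwards = set(), [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: not active
        parts = line.split()
        key = parts[0].lower()
        if key == "$modload" and len(parts) > 1:
            modules.add(parts[1].lower())
        elif key in LISTEN_DIRECTIVES and len(parts) > 1 and parts[1].isdigit():
            proto, module = LISTEN_DIRECTIVES[key]
            pending.append((proto, int(parts[1]), module))
        elif not line.startswith("$"):
            m = FORWARD_RE.match(line)
            if m:  # file and user actions do not start with '@', so they are skipped
                proto = "tcp" if m.group(2) == "@@" else "udp"
                forwards.append((m.group(1), proto, m.group(3), int(m.group(4) or 514)))
    # A listener only counts if its input module is loaded somewhere in the file
    listeners = [(p, port) for p, port, mod in pending if mod in modules]
    return listeners, forwards

if __name__ == "__main__":
    for item in audit_rsyslog(SAMPLE_CONF):
        print(item)
```

Run it against the real file with audit_rsyslog(open("/etc/rsyslog.conf").read()) and compare the listener list with the output of the netstat check further down.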

Firewall rule

Recent versions of Fedora, and even Red Hat 7, use the firewalld package in favor of iptables. Therefore, we will set up the firewall rule to allow incoming connections on TCP port 514 using the firewall-cmd command-line tool; there is also a GUI available (firewall-config).
firewall-cmd --add-port=514/tcp
This is the runtime option. To make this permanent, execute:
firewall-cmd --add-port=514/tcp --permanent



Configuring DD-WRT For Remote syslogd Server

Note: This assumes using DD-WRT firmware v24-sp2
Using the Web interface, go to the Services tab, enable syslogd, and enter the rsyslog server's IP address. Please be sure the server has a statically assigned IP address.
Verify that you have a listening socket:
netstat -tunlp | grep syslog
You can test it out by ssh-ing into the router and executing:
echo "yo-Adrian" | nc 192.168.1.2 514
If you receive no error message, you should have a funny message in your /var/log/messages file after that.


