Configure rsyslog Server on Fedora

It can be very beneficial for system administrators and network administrators, especially, to log system messages from other machines on the network to a centralized hub. Fedora 20 uses rsyslog as the default syslogd service; this allows administrators to configure remote logging. I'll be detailing the necessary configuration steps of rsyslog in Fedora 20 to allow logging messages from a DD-WRT router. This will entail
  • Edit /etc/rsyslog.conf
  • Set up firewall rule to allow incoming connection to server
  • Configure DD-WRT router to send syslogd messages to our server

rsyslog server

Our server will be the Fedora 20 machine. There are two configuration files in the /etc/ directory that are of interest to us:
However, the latter file is not useful anymore as it states:
# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
That means our configuration options are defined in /etc/rsyslog.conf alone. In particular, we're going to want to uncomment
$ModLoad imtcp
$InputTCPServerRun 514
to direct rsyslog to listen on the TCP port 514 for remote messages.
Then, at the bottom of the file a block of options is given to specify the remote host:port from which to accept log messages, as well as to spool messages to disk if the remote host is down.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g., port optional
#*.* @@remote-host:514
For example, this is a working rule that accepts logs from the DD-WRT router:
# ### begin forwarding rule ###
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount 10
*.* @
# ### end of the forwarding rule ###
After you save the changes in /etc/rsyslog.conf, restart the rsyslog service
systemctl restart rsyslog.service

Firewall rule

Since the recent versions of Fedora and even RedHat7 the firewalld package is used in favor of iptables. Therefore, we will set up the firewall rule to allow listening on TCP port 514 for connections using the firewall-cmd commandline option; though, there is also a GUI available (firewall-config).
firewall-cmd --add-port=514/tcp
This is the runtime option. To make this permanent, execute
firewall-cmd --add-port=514/tcp --permanent

Configuring DD-WRT For Remote syslogd Server

 photo dd-wrt_Services_Tab_zps47a6694e.png
Note: This assumes using DD-WRT firmware v24-sp2
Using the Web interface, go to the Services tab enable syslogd and enter the rsyslog server's ip address. Please be sure you have a statically-assigned ip address to the server.
 photo dd-wrt_syslogd_option_zps68ea890f.png Verify that you have a listening socket
netstat -tunlp | grep syslog
You can test it out by ssh-ing into the router and executing
 echo "yo-Adrian" | nc
If you receive no error message you should have a funny message in your /var/log/messages file after that.

Popular posts from this blog

RHEL 7 and CentOS 7 syslog Rate Limit

EFF Announces Voting Registration Service