23.5. Configuring rsyslog on a Logging Server

The rsyslog service provides facilities both for running a logging server and for configuring individual systems to send their log files to the logging server. See Example 23.12, “Reliable Forwarding of Log Messages to a Server” for information on client rsyslog configuration.
The rsyslog service must be installed on the system that you intend to use as a logging server and all systems that will be configured to send logs to it. Rsyslog is installed by default in Red Hat Enterprise Linux 7. If required, to ensure that it is, enter the following command as root:
~]# yum install rsyslog
The default protocol and port for syslog traffic is UDP and 514, as listed in the /etc/services file. However, rsyslog defaults to using TCP on port 514. In the configuration file, /etc/rsyslog.conf, TCP is indicated by @@.
Other ports are sometimes used in examples, however SELinux is only configured to allow sending and receiving on the following ports by default:
~]# semanage port -l | grep syslog
syslog_tls_port_t              tcp      6514, 10514
syslog_tls_port_t              udp      6514, 10514
syslogd_port_t                 tcp      601, 20514
syslogd_port_t                 udp      514, 601, 20514
The semanage utility is provided as part of the policycoreutils-python package. If required, install the package as follows:
~]# yum install policycoreutils-python
In addition, by default the SELinux type for rsyslog, rsyslogd_t, is configured to permit sending and receiving to the remote shell (rsh) port with SELinux type rsh_port_t, which defaults to TCP on port 514. Therefore it is not necessary to use semanage to explicitly permit TCP on port 514. For example, to check what SELinux is set to permit on port 514, enter a command as follows:
~]# semanage port -l | grep 514
output omitted
rsh_port_t                     tcp      514
syslogd_port_t                 tcp      6514, 601
syslogd_port_t                 udp      514, 6514, 601
Perform the steps in the following procedures on the system that you intend to use as your logging server. All steps in these procedure must be made as the root user.

Procedure 23.4. Configure SELinux to Permit rsyslog Traffic on a Port

If required to use a new port for rsyslog traffic, follow this procedure on the logging server and the clients. For example, to send and receive TCP traffic on port 10514, proceed as follows:
  1. ~]# semanage port -a -t syslogd_port_t -p tcp 10514
  2. Review the SELinux ports by entering the following command:
    ~]# semanage port -l | grep syslog
  3. If the new port was already configured in /etc/rsyslog.conf, restart rsyslog now for the change to take effect:
    ~]# service rsyslog restart
  4. Verify which ports rsyslog is now listening to:
    ~]# netstat -tnlp | grep rsyslog
    tcp        0      0 0.0.0.0:10514           0.0.0.0:*   LISTEN      2528/rsyslogd
    tcp        0      0 :::10514                :::*        LISTEN      2528/rsyslogd
See the semanage-port(8) manual page for more information on the semanage port command.

Procedure 23.5. Configuring firewalld

Configure firewalld to allow incoming rsyslog traffic. For example, to allow TCP traffic on port 10514, proceed as follows:
  1. ~]# firewall-cmd --zone=zone --add-port=10514/tcp
    success
    Where zone is the zone of the interface to use. Note that these changes will not persist after the next system start. To make permanent changes to the firewall, repeat the commands adding the --permanent option. For more information on opening and closing ports in firewalld, see the Red Hat Enterprise Linux 7 Security Guide.
  2. To verify the above settings, use a command as follows:
    ~]# firewall-cmd --list-all
    public (default, active)
      interfaces: eth0
      sources:
      services: dhcpv6-client ssh
      ports: 10514/tcp
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:

Procedure 23.6. Configuring rsyslog to Receive and Sort Remote Log Messages

  1. Open the /etc/rsyslog.conf file in a text editor and proceed as follows:
    1. Add these lines below the modules section but above the Provides UDP syslog reception section:
      # Define templates before the rules that use them
      
      ### Per-Host Templates for Remote Systems ###
      $template TmplAuthpriv, "/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
      $template TmplMsg, "/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
    2. Replace the default Provides TCP syslog reception section with the following:
      # Provides TCP syslog reception
      $ModLoad imtcp
      # Adding this ruleset to process remote messages
      $RuleSet remote1
      authpriv.*   ?TmplAuthpriv
      *.info;mail.none;authpriv.none;cron.none   ?TmplMsg
      $RuleSet RSYSLOG_DefaultRuleset   #End the rule set by switching back to the default rule set
      $InputTCPServerBindRuleset remote1  #Define a new input and bind it to the "remote1" rule set
      $InputTCPServerRun 10514
    Save the changes to the /etc/rsyslog.conf file.
  2. The rsyslog service must be running on both the logging server and the systems attempting to log to it.
    1. Use the systemctl command to start the rsyslog service.
      ~]# systemctl start rsyslog
    2. To ensure the rsyslog service starts automatically in future, enter the following command as root:
      ~]# systemctl enable rsyslog
Your log server is now configured to receive and store log files from the other systems in your environment.

23.5.1. Using The New Template Syntax on a Logging Server

Rsyslog 7 has a number of different templates styles. The string template most closely resembles the legacy format. Reproducing the templates from the example above using the string format would look as follows:
template(name="TmplAuthpriv" type="string"
         string="/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
        )

template(name="TmplMsg" type="string"
         string="/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
        )
These templates can also be written in the list format as follows:
template(name="TmplAuthpriv" type="list") {
    constant(value="/var/log/remote/auth/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
    }

template(name="TmplMsg" type="list") {
    constant(value="/var/log/remote/msg/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
    }
This template text format might be easier to read for those new to rsyslog and therefore can be easier to adapt as requirements change.
To complete the change to the new syntax, we need to reproduce the module load command, add a rule set, and then bind the rule set to the protocol, port, and ruleset:
module(load="imtcp")

ruleset(name="remote1"){
     authpriv.*   action(type="omfile" DynaFile="TmplAuthpriv")
      *.info;mail.none;authpriv.none;cron.none action(type="omfile" DynaFile="TmplMsg")
}

input(type="imtcp" port="10514" ruleset="remote1")