[SOLVED] syslog remote logging with rsyslog server

Chenchu · 09-17-2011, 11:01 AM

hello,

I'm running 2 machines, one Redhat 6 and one Centos 5.
the Redhat machine runs rsyslog, and it functions as the server
and the Centos 5 runs syslog and functions as the client.

here is what I changed on the /etc/rsyslog.conf @ REDHAT:

Code:

# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514

and that's what I changed on the /etc/syslog.conf @ CENTOS:

Code:

*.info                             @192.168.0.6

192.168.0.6 is Redhat's ip.

Now when I tested it with SELinux it looks like SELinux blocks the syslog daemon from contacting the rsyslog server, so I disabled SELinux but it still not working. any idea's?

anomie · 09-17-2011, 11:06 AM

Have you restarted the syslog service on both hosts after the changes? And how are you testing? Try something like (on the CentOS host):

Code:

$ logger -p kern.info 'Just me testing'

If that is not appearing in the RHEL6 logs, are you filtering inbound traffic on that host? You'll need to open up UDP 514 to at least allow from the CentOS host's IP.

Chenchu · 09-17-2011, 11:34 AM

Thank you for the quick answer.

I did restart both syslog daemons, but I forgot to shutdown the firewall & selinux on the server side (Redhat).

After doing so, tested it and it works

thanks again.

unSpawn · 09-17-2011, 01:34 PM

Quote:

Originally Posted by Chenchu

I forgot to shutdown the firewall & selinux on the server side (Redhat).

Even for testing disabling the firewall is completely unnecessary: just punch the right source / destination hole through the firewall. The same goes for SELinux: if it has any effect on Rsyslog then you'll find clues and remedies in /var/log/messages and /var/log/audit/audit.log.