Remote Syslog Server on CentOS 7 / RHEL 7
I have a customer who doesn't have a syslog server configured in his vSphere environment. I first recommended we install vRealize Log Insight; it's a great product and has a ton of insightful information when used with vCenter, vSphere and NSX. But the customer didn't want to worry about licensing, so we decided to stand up a CentOS rsyslog server to show the power of having a centralized syslog. This is especially true for NSX installations; I mean, using syslog in the DFW alone will save a ton of troubleshooting time.
This article assumes you know how to use vi or something similar in the Linux shell. Here we go...
Once you have a new CentOS 7 virtual machine deployed, install open-vm-tools and rsyslog.
[root@stlsyslog ~]# yum install open-vm-tools rsyslog
Edit the rsyslog.conf file.
[root@stlsyslog ~]# vi /etc/rsyslog.conf
Uncomment (remove the # from) the syslog input module and port lines for both UDP and TCP. Save and close vi.
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
We now need to start rsyslog.
[root@stlsyslog ~]# systemctl start rsyslog.service
<OR>
[root@stlsyslog ~]# service rsyslog start
Now check that it is running.
[root@stlsyslog ~]# service rsyslog status
And that it's listening on the correct ports!
[root@stlsyslog ~]# netstat -antup | grep 514
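If nothing shows up on port 514, the usual cause is a directive in rsyslog.conf that is still commented out. The following check is an added example, not part of the original post; the function name check_rsyslog_listeners and the sample config are constructed for illustration. Point it at /etc/rsyslog.conf on the real server.

```shell
#!/bin/sh
# Added example, not from the original post. Reports whether each of the four
# listener directives from this article is active (uncommented) in a config file.
check_rsyslog_listeners() {
    conf=$1
    rc=0
    while read -r key value; do
        # A commented line ("#$ModLoad imudp") has a different first field,
        # so it never matches; appending "" forces a string comparison.
        if awk -v k="$key" -v v="$value" \
            '$1 == k && ($2 "") == (v "") { found = 1 } END { exit !found }' "$conf"
        then
            echo "active:   $key $value"
        else
            echo "INACTIVE: $key $value"
            rc=1
        fi
    done <<'EOF'
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
EOF
    return "$rc"
}

# Constructed sample: UDP listener enabled, TCP lines still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
EOF
check_rsyslog_listeners "$sample" || echo "some listeners are not enabled"
rm -f "$sample"
```

The function returns non-zero when any of the four directives is missing or commented out, so it can also gate a provisioning script.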
Syslog is now enabled and running; however, CentOS has the firewall enabled by default, so we need to allow tcp/514 and udp/514 incoming. But first, check whether the firewall is running.
[root@stlsyslog ~]# firewall-cmd --state
If it is running, check for the active zones in firewalld.
[root@stlsyslog ~]# firewall-cmd --get-active-zones
OK, in my case, the firewall is running and the only active zone is the default public zone. So let's allow tcp/514 and udp/514 incoming.
[root@stlsyslog ~]# firewall-cmd --permanent --zone=public --add-port=514/tcp
[root@stlsyslog ~]# firewall-cmd --permanent --zone=public --add-port=514/udp
Now reload the firewall so these settings take effect.
[root@stlsyslog ~]# firewall-cmd --reload
Now configure vCenter, vSphere, NSX Manager, everything to log to your new Remote Syslog Server. Then verify you have incoming messages.
[root@stlsyslog ~]# tail -f /var/log/messages
Hope this got you going on the rsyslog train.