Remote Syslog Server on CentOS 7 / RHEL 7

I have a customer who doesn’t have a syslog server configured in his vSphere environment.  I first recommended we install vRealize Log Insight; it’s a great product and has a ton of insightful information when used with vCenter, vSphere and NSX.  But the customer didn’t want to worry about licensing, so we decided to stand up a CentOS rsyslog server to show the power of having a centralized syslog.  This is especially true for NSX installations; I mean, using syslog in the DFW alone will save a ton of troubleshooting time.

This article assumes you know how to use vi or something similar in the Linux shell.  Here we go..

Once you have a new CentOS 7 virtual machine deployed, install open-vm-tools and rsyslog.

[root@stlsyslog ~]# yum install open-vm-tools rsyslog

Edit the rsyslog.conf file

[root@stlsyslog ~]# vi /etc/rsyslog.conf

Uncomment (remove the #) the syslog input module and port lines for both UDP and TCP.  Save and close vi.

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

We now need to start rsyslog. If the service is already running, restart it instead so the edited configuration is loaded.

[root@stlsyslog ~]# systemctl start rsyslog.service

<OR>

[root@stlsyslog ~]# service rsyslog start

Now check that it is running and listening on the correct ports.

[root@stlsyslog ~]# service rsyslog status


And that it's listening!

[root@stlsyslog ~]# netstat -antup | grep 514


Syslog is now enabled and running; however, CentOS has the firewall enabled by default.  So issue the following commands to allow incoming tcp/514 and udp/514.  But first check if it's running.

[root@stlsyslog ~]# firewall-cmd --state

If it is running, check for the active zones in firewalld

[root@stlsyslog ~]# firewall-cmd --get-active-zones

OK, in my case, the firewall is running and the only active zone is the default public zone.  So let's allow incoming tcp/514 and udp/514.

[root@stlsyslog ~]# firewall-cmd --permanent --zone=public --add-port=514/tcp

[root@stlsyslog ~]# firewall-cmd --permanent --zone=public --add-port=514/udp

Now reload the firewall so these settings take effect.

[root@stlsyslog ~]# firewall-cmd --reload

Now configure vCenter, vSphere, NSX Manager, everything to log to your new Remote Syslog Server.  Then verify that messages are arriving.

[root@stlsyslog ~]# tail -f /var/log/messages
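
To go beyond eyeballing the tail output, this added example (not from the original article) counts messages per sending host and lists expected senders that have logged nothing, since a silent source is a monitoring gap. It assumes rsyslog's default traditional file format, where the hostname is the fourth field; the hostnames and log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumes rsyslog's default traditional file format:
#   "Mon DD HH:MM:SS hostname tag: message"  -> hostname is field 4.

# hosts_seen FILE: print "count hostname" per sender, busiest first.
hosts_seen() {
    awk 'NF >= 4 { n[$4]++ } END { for (h in n) print n[h], h }' "$1" |
        sort -k1,1nr -k2,2
}

# missing_hosts FILE HOST...: print each expected HOST with no lines in FILE.
missing_hosts() {
    file=$1
    shift
    for h in "$@"; do
        awk -v want="$h" '$4 == want { found = 1; exit }
                          END { exit !found }' "$file" || echo "$h"
    done
}

# Constructed sample log; hostnames are placeholders for this example.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Mar  3 10:15:01 esx01 Hostd: info hostd[2099] constructed sample line
Mar  3 10:15:02 esx01 Vpxa: verbose vpxa[2312] constructed sample line
Mar  3 10:15:04 vcenter01 vpxd: constructed sample line
Mar  3 10:15:07 esx01 Hostd: info hostd[2099] constructed sample line
Mar  3 10:15:09 stlsyslog systemd: Started Session 12 of user root.
EOF

echo "Senders seen:"
hosts_seen "$sample"
echo "Expected senders with no messages:"
missing_hosts "$sample" esx01 esx02 vcenter01 nsxmgr01
```

On the server, point both functions at /var/log/messages and pass the names your devices actually log under, which may be FQDNs or IP addresses.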


Hope this got you going on the rsyslog train.
