1. What is a log server?
A log server is a central log monitoring point on a network, to which all kinds of devices, including Linux or Windows servers, routers, switches or any other hosts, can send their logs over the network. By setting up a log server, you can filter and consolidate logs from different hosts and devices into a single location, so that you can view and archive important log messages more easily.
On most Linux distributions, rsyslog is the standard syslog daemon and comes pre-installed. Configured in a client/server architecture, rsyslog can play both roles: as a syslog server it gathers logs from other devices, and as a syslog client it transmits its own logs to a remote syslog server.
When logs are collected with the syslog mechanism, three important things must be taken into consideration:
Facility level : what type of processes to monitor
Severity (priority) level : what type of log messages to collect
Destination : where to send or record log messages
2. What is the profile of the log server?
This is also called the rsyslog server. The requirements are given below.
(i) Package : rsyslog*
(ii) Daemon : rsyslog
(iii) Port No. : 514
(iv) Configuration file : /etc/rsyslog.conf
3. How to configure the log server?
(i) Install the rsyslog package with the # yum install rsyslog* -y command.
(ii) Open the log server configuration file and edit it as per requirements.
# vim /etc/rsyslog.conf
Go to line no. 15 & 16 and uncomment those lines. (save and exit this file)
(iii) Restart the log server daemon in RHEL - 6 and RHEL - 7.
# service rsyslog restart (to restart the log server daemon in RHEL - 6)
# chkconfig rsyslog on (to enable the log server daemon at next boot in RHEL - 6)
# systemctl restart rsyslog (to restart the log server daemon in RHEL - 7)
# systemctl enable rsyslog (to enable the log server daemon at next boot in RHEL - 7)
(iv) Verify whether the log server is listening or not.
# netstat -ntulp | grep 514
(v) Add the log server service to iptables.
# iptables -A INPUT -p tcp -m tcp --dport 514 -j ACCEPT (to add the incoming TCP port no. to iptables in RHEL - 6)
# iptables -A INPUT -p udp -m udp --dport 514 -j ACCEPT (to add the incoming UDP port no. to iptables in RHEL - 6)
# iptables -A OUTPUT -p tcp -m tcp --dport 514 -j ACCEPT (to add the outgoing TCP port no. to iptables in RHEL - 6)
# iptables -A OUTPUT -p udp -m udp --dport 514 -j ACCEPT (to add the outgoing UDP port no. to iptables in RHEL - 6)
# firewall-cmd --permanent --add-port=514/tcp (to add the 514 tcp port no. to the firewall)
# firewall-cmd --permanent --add-port=514/udp (to add the 514 udp port no. to the firewall)
# firewall-cmd --complete-reload (to reload the firewall configuration)
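As an added illustration (not part of the original post), these are the legacy rsyslog directives that step (ii) enables so that the server listens on port 514; their exact line numbers differ between stock /etc/rsyslog.conf files, so match on the directive names rather than on "15 & 16".

```conf
# Receive syslog over UDP on 514 (what a client's single "@" forwarding rule sends to)
$ModLoad imudp
$UDPServerRun 514

# Receive syslog over TCP on 514 (what a client's "@@" forwarding rule would send to)
$ModLoad imtcp
$InputTCPServerRun 514
```

After saving, the # netstat -ntulp | grep 514 check in step (iv) should show both a udp and a tcp socket owned by rsyslogd.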
4. How to configure the client system to send log messages to the log server?
(i) Open the rsyslog configuration file on the client with the # vim /etc/rsyslog.conf command.
(ii) Go to line no. 90 and type as below.
*.* @<log-server-IP>:514
Example : *.* @172.25.9.11:514 (save and exit this file)
(iii) Restart the log server daemons in RHEL - 6 and RHEL - 7.
# service rsyslog restart (to restart the log server daemon in RHEL - 6)
# chkconfig rsyslog on (to enable the log server daemon at next boot in RHEL - 6)
# systemctl restart rsyslog (to restart the log server daemon in RHEL - 7)
# systemctl enable rsyslog (to enable the log server daemon at next boot in RHEL - 7)
* Then all the log messages are stored in the /var/log/secure location.
* To monitor all the messages on the server, use the # tailf /var/log/secure command.
* Open the /etc/rsyslog.conf file and type as below to store all the client's log messages on the remote log server only.
# vim /etc/rsyslog.conf
*.* /var/log/secure (save and exit this file)
* Then restart the log server daemons in RHEL - 6 and RHEL - 7.
# service rsyslog restart (to restart the log server daemon in RHEL - 6)
# systemctl restart rsyslog (to restart the log server daemon in RHEL - 7)
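The facility / severity / destination model of section 1 and the `*.*` rules of sections 3 and 4, worked through as an added Python example (not code from the original post): it decodes the PRI field of a raw syslog line and applies rsyslog-style selectors to decide where each message lands. The rule list is assumed to be the stock RHEL selectors plus the post's forwarding line; the sample log line used in the test is constructed.

```python
# Added example (not from the original post): emulate how rsyslog combines the
# "Facility level", "Severity level" and "Destination" of section 1 into routing.
import re
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

def decode_pri(pri):
    """PRI = facility (0-23) * 8 + severity (0-7); return the two names."""
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_pri(line):
    """Read the <PRI> prefix of a raw syslog line, e.g. '<86>Jan  1 ...' -> 86."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid PRI field in %r" % line[:16])
    return int(m.group(1))

def selector_matches(selector, facility, severity):
    """Evaluate a selector like '*.info;mail.none'; later elements override."""
    matched = False
    for element in selector.split(";"):
        facs, _, prio = element.partition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        elif prio.startswith("="):
            matched = severity == prio[1:]
        else:  # "info" means info and every more urgent level (lower number)
            matched = SEVERITIES.index(severity) <= SEVERITIES.index(prio)
    return matched

def route(rules, pri):
    """Return the destinations a message with this PRI is delivered to."""
    facility, severity = decode_pri(pri)
    return [dest for sel, dest in rules if selector_matches(sel, facility, severity)]
# Selectors from a stock RHEL rsyslog.conf (they explain the section 5 file list)
# plus the post's client rule that forwards everything to the log server over UDP.
CLIENT_RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
    ("*.*", "@172.25.9.11:514"),
]
```

Running `route(CLIENT_RULES, parse_pri(line))` on a line such as `<86>... sshd[1234]: Accepted publickey ...` shows why sshd events end up in /var/log/secure but not /var/log/messages, while still being forwarded; replacing the forwarding rule with `("*.*", "/var/log/secure")` gives the server-side behaviour described above.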
5. What is a log file?
A log file is a file that contains messages about the system, including the kernel, services and applications running on it, etc. There are different log files for different information. These files are very useful when trying to troubleshoot a problem with systems.
Almost all log messages are stored in the /var/log directory. Only the root user can read these log messages. We can use the less or more commands to read these log files. The messages will be generated only when the rsyslog service is running; otherwise the log messages will not be generated.
The different types of log files and their locations :
/var/log/messages -----> System and general messages and DHCP log messages.
/var/log/authlog -----> Authentication log messages.
/var/log/secure -----> Security, authentication and user log messages.
/var/log/maillog -----> Mail server log messages.
/var/log/cron -----> Cron job log messages.
/var/log/boot.log -----> All booting log messages.
/var/log/httpd -----> All Apache web server log messages.
/var/log/mysqld.log -----> MySQL database server log messages.
/var/log/utmp or /var/log/wtmp -----> All the users' login messages.
/var/log/Qmail -----> Qmail log messages.
/var/log/kernel.log -----> All kernel related log messages.
/var/log/samba -----> All Samba server log messages.
/var/log/anaconda.log -----> Linux installation log messages.
/var/log/lastlog -----> Recent login information for all users.
# lastlog (to see the log messages of the above log file)
/var/log/yum.log -----> All package installation log messages generated by the # yum or # rpm commands.
/var/log/cups -----> All printer and printing related log messages.
/var/log/ntpstat -----> All NTP server and services log messages.
/var/log/spooler -----> Mail, printer and cron job spooling messages.
/var/log/sssd -----> System Security Services Daemon log messages.
/var/log/audit.log -----> SELinux log messages.
# dmesg (to see the boot log messages)
# tailf or # tail -f /var/log/secure (to check or watch the log files continuously)
# vim /etc/rsyslog.conf (we can change the default destinations of the log messages)
* Whenever we change the contents of the /etc/rsyslog.conf file, we have to restart the rsyslog service.
* There are 7 types of priority messages. We can change the default destination of those log files. For that, open the rsyslog server configuration file and enter the rules as follows.
# vim /etc/rsyslog.conf
# logger "test message" (to send that text into the /var/log/messages file and to test whether the logging service is running or not)
# logrotate /etc/logrotate.conf (to rotate the log files datewise)
* Generally, the fields in a log message are :
Date & Time : From which system : command name or change : Execution of the command
# yum install tmpwatch -y (to install the tmpwatch package needed to execute the below command)
# tmpwatch <hours> /tmp (to monitor the /tmp directory)
# logwatch (to monitor the log messages)
# yum install watch -y (to install the watch package needed to execute the below command)
# watch <command> (to watch the specified command's results continuously)
# mkdir --mode=755 /ram (to give the permissions to the directory while creating it)
# journalctl (it tracks all the log files between two different timings and saves them by default in the /run/log location)
* /run/log is mounted on a tmpfs file system, i.e., if the system is rebooted the whole information in that location will be deleted or erased.