Setting up a multi-tiered log infrastructure Part 8 -- Rsyslog Setup

Setup rsyslog node

Setup Note: there are two possible build options. Option 1 is to build a single server that handles both log reception and storage. This is perfectly acceptable if losing a few logs during maintenance is okay. Option 2 uses an HA cluster for aggregating the logs, with a third rsyslog server behind it.

Install/upgrade to the latest rsyslog

yum update rsyslog

Create an rsyslog spool directory (this will be needed later)

mkdir /var/lib/rsyslog

Setup Note: A custom rsyslog.conf is available for the CLR node that allows receiving logs on tcp port 514 by default. Copy the content from the appendixes into the appropriate files.

Path: /etc/rsyslog.conf (appendix: rsyslog.conf for CLR server)

Edit the rsyslog config

vi /etc/rsyslog.conf

Uncomment the lines for the action and change server.domain.tld to the name of your master node (don’t do this until you are ready to ship logs)

# action(type="omfwd"
# target="server.domain.tld"
# port="10514"
# protocol="tcp"
# queue.filename="wait_queue"
# queue.size="1000000"
# queue.type="LinkedList"
# )
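A pre-flight check for the shipping action, added here as an example (not part of this tutorial or of rsyslog): it parses the active action(...) blocks of a config and flags the states this step warns about, namely the action still commented out, the target still server.domain.tld, or a queue that is not disk-assisted and so cannot survive an outage of the master node. The sample config, the hostname master01.example.internal and the function names are constructed for the example.

```python
import re

# Constructed sample (not the appendix config): the action above, uncommented, with a hypothetical master hostname.
SAMPLE_CONF = """
global(workDirectory="/var/lib/rsyslog")
action(type="omfwd"
       target="master01.example.internal"
       port="10514"
       protocol="tcp"
       queue.filename="wait_queue"
       queue.size="1000000"
       queue.type="LinkedList"
)
"""
PLACEHOLDER_TARGET = "server.domain.tld"

def strip_comments(conf):
    """Drop lines commented out with '#', so a still-commented action is not counted."""
    return "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))

def parse_actions(conf):
    """Return one dict of parameter -> value per active action(...) block."""
    blocks = re.finditer(r"action\((.*?)\)", strip_comments(conf), re.S)
    return [dict(re.findall(r'([\w.]+)="([^"]*)"', b.group(1))) for b in blocks]

def work_directory(conf):
    """Return the configured spool directory (RainerScript or legacy form), or None."""
    m = re.search(r'workDirectory="([^"]+)"|^\$WorkDirectory\s+(\S+)',
                  strip_comments(conf), re.M | re.I)
    return (m.group(1) or m.group(2)) if m else None

def check_forwarding(conf):
    """Return a list of problems with the omfwd shipping action; empty means ready to ship."""
    fwd = [a for a in parse_actions(conf) if a.get("type") == "omfwd"]
    if not fwd:
        return ["no active omfwd action: nothing is shipped to the master node"]
    problems = []
    for a in fwd:
        if a.get("target", PLACEHOLDER_TARGET) == PLACEHOLDER_TARGET:
            problems.append("target is still the placeholder server.domain.tld")
        if a.get("protocol") != "tcp":
            problems.append("protocol is not tcp: udp forwarding drops logs silently")
        if "queue.filename" not in a:
            problems.append("no queue.filename: an in-memory queue loses logs while the master is down")
        elif work_directory(conf) is None:
            problems.append("queue.filename set but no workDirectory for the spool files")
        if a.get("queue.type") != "LinkedList":
            problems.append("queue.type should be LinkedList for a disk-assisted queue")
    return problems
```

Run it against a copy of /etc/rsyslog.conf before restarting the service; the spool directory it looks for is the one created with mkdir /var/lib/rsyslog above.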

Allow rsyslog to use port 10514 for outbound communication

semanage port -a -t syslogd_port_t -p tcp 10514

Option 1 – Settings to edit to allow incoming udp in addition to incoming tcp

Uncomment #module(load="imudp")

Uncomment #input(type="imudp" port="514")

Option 2 – Settings to edit

Nothing to do if using the proper config

Restart the rsyslog service

systemctl restart rsyslog.service

Setup Note: rsyslog offers many input options, which are too extensive to cover in depth. It is assumed that endpoint devices will be using either tcp or udp for syslog services.

Configure firewalld rules

Now that the config file is edited, let’s make some firewall rule changes. If for some reason you aren’t using a firewall then you can skip this.

Configure a default zone with firewalld (the default zone is assumed to already be set to "internal")

Create new service files for our rsyslog node, one for tcp and one for udp

vi /etc/firewalld/services/rsyslog-tcp.xml

Use this as the contents for rsyslog-tcp.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
    <short>rsyslog-tcp</short>
    <description>rsyslog server access for default tcp port.</description>
    <port protocol="tcp" port="514"/>
</service>

Edit /etc/firewalld/services/rsyslog-udp.xml

vi /etc/firewalld/services/rsyslog-udp.xml

Insert this text

<?xml version="1.0" encoding="utf-8"?>
<service>
    <short>rsyslog-udp</short>
    <description>rsyslog server access for default udp port.</description>
    <port protocol="udp" port="514"/>
</service>

Permanently create selinux context labels

semanage fcontext -a -t firewalld_etc_rw_t -s system_u /etc/firewalld/services/rsyslog-tcp.xml
semanage fcontext -a -t firewalld_etc_rw_t -s system_u /etc/firewalld/services/rsyslog-udp.xml

Apply the new selinux labels

restorecon -vF /etc/firewalld/services/rsyslog-tcp.xml
restorecon -vF /etc/firewalld/services/rsyslog-udp.xml

Option 1 --- Setup firewall rules to allow tcp and udp connections from any host

Add services (or ports) to allowed rules

firewall-cmd --permanent --zone=internal --add-service=rsyslog-tcp

firewall-cmd --permanent --zone=internal --add-service=rsyslog-udp

You can just define ports if you like (keep --permanent, otherwise the reload below discards the rules)

firewall-cmd --permanent --zone=internal --add-port=514/tcp

firewall-cmd --permanent --zone=internal --add-port=514/udp

Option 2 --- Setup firewall rules x2 (use the IPs of the log aggregator servers)

Add rich rules to allow tcp connections from the aggregator nodes, one rule per aggregator (replace the placeholders with the IPs of the log aggregator servers)

firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" source address="<aggregator-1-ip>" service name="rsyslog-tcp" accept'

firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" source address="<aggregator-2-ip>" service name="rsyslog-tcp" accept'

Reload the current firewall config

firewall-cmd --reload

Check the interface and verify the services

firewall-cmd --zone=internal --list-services

