Today we learn how to build a syslog server. Having a couple of SuperMicro builds, switches and firewalls, I want to be able to know what is going on by looking at one central source. The easiest way to do this, and one that most network devices and SuperMicro motherboards support, is syslog.
The first step is to build a quick CentOS 7 VM. Next we install rsyslog and the other packages we will use later. If you have installed the Minimal CentOS 7 image you will need the vim and net-tools packages.
yum install rsyslog vim net-tools
Next we open the rsyslog.conf file to allow the server to listen for syslog messages.
vim /etc/rsyslog.conf
Then we un-comment the following four lines to allow syslog messages to be received on UDP and TCP port 514.
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
becomes
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Then we restart the syslog service.
systemctl restart rsyslog.service
Then we want to verify that the service is listening on port 514.
netstat -an | grep 514
We should see a LISTEN entry for TCP port 514 and a UDP entry for port 514.
Finally we want to allow TCP and UDP 514 through the firewall.
firewall-cmd --permanent --zone=public --add-port=514/tcp
firewall-cmd --permanent --zone=public --add-port=514/udp
firewall-cmd --reload
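Before pointing real devices at the server, it is worth sending a known test message and checking that it lands in /var/log/messages. The following is an added example, not part of the original post: it builds an RFC 3164 syslog line (the <PRI> value is facility * 8 + severity), decodes the PRI back, and sends the line over UDP or TCP. The host 10.11.12.13 and the message text are constructed placeholders.

```python
"""Build, decode and send an RFC 3164 syslog test message (added example)."""
import socket
from datetime import datetime

# Subset of the RFC 3164 facility and severity codes.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def priority(facility: str, severity: str) -> int:
    """PRI as defined in RFC 3164: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_priority(pri: int) -> tuple:
    """Inverse of priority(): split a PRI back into (facility, severity) names."""
    return FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8]


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  text: str, when: datetime = None) -> bytes:
    """Format one classic syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.

    RFC 3164 pads a single-digit day with a space ("Oct  5"), not a zero."""
    when = when or datetime.now()
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    line = f"<{priority(facility, severity)}>{timestamp} {hostname} {tag}: {text}"
    return line.encode("ascii", errors="replace")


def send(message: bytes, host: str, port: int = 514, proto: str = "udp") -> int:
    """Deliver the message to the rsyslog listener; returns bytes sent."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            return sock.sendto(message, (host, port))
    # rsyslog's imtcp expects newline-delimited frames by default.
    with socket.create_connection((host, port), timeout=5) as sock:
        framed = message + b"\n"
        sock.sendall(framed)
        return len(framed)


if __name__ == "__main__":
    # Constructed test message; 10.11.12.13 stands in for your syslog server.
    msg = build_message("local0", "info", "testhost", "syslogtest", "hello from test client")
    print(f"sent {send(msg, '10.11.12.13')} bytes over UDP: {msg.decode()}")
```

If the line appears in /var/log/messages, the listener and firewall rule work; it also shows that anything able to reach port 514 can write into that file, since classic syslog carries no authentication. Restricting the firewall rule to the source addresses of your devices is the usual way to narrow that.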
Now that we have the syslog server up and listening, let's configure one of our servers to forward its messages.
For my SuperMicro servers, we log into the IPMI page and click on the Configuration tab and then Syslog. We click "Enable Syslog" and then enter the IP and port of our syslog server. Finally we click Save.
For ESXi we need to log in to the CLI of each ESXi host and run the following command, replacing the IP below with your syslog server's IP.
esxcli system syslog config set --loghost='tcp://10.11.12.13:514'
For my Dell X1052 switch, we log into the administrator web GUI, click Log and Alerts, expand Remote Log Servers, and click Edit.
Then we click Add.
Then we enter the required information for our Syslog Server.
As events are generated you will see them in /var/log/messages on your syslog server. Once we configured our Dell switch we saw the following message generated.