Whenever something goes wrong on the system – and sometimes when things go right – the syslog service generates a message. In all seriousness, understanding system logging is important so that you can troubleshoot when something goes wrong.
For RHEL 6: the rsyslog service has a main config file, /etc/rsyslog.conf, that controls where messages are sent when they are generated.
For RHEL 5: the default logging service was split between two daemons, syslogd (for user-space messages) and klogd (for kernel messages).
The rsyslog service provides better logging features, so upgrading is recommended if possible.
All the messages sent to the rsyslog service are stored under the /var/log directory, and each facility or application gets its own file or subdirectory. The biggest problem with any logging service is that the files grow without bound if left unchecked.
Log Rotation
If left alone, logs can grow to enormous size. Luckily for you, the logrotate command rotates logs before they become too big. Its parameters are defined in its config file, /etc/logrotate.conf, and in the per-application files in the /etc/logrotate.d directory. The command itself is run once a day from /etc/cron.daily/logrotate, and it only rotates a log whose schedule or size condition has been met, so that daily run is all it needs. Forcing extra runs by hand (logrotate -f) rotates regardless of those conditions and just leaves you with piles of rotated logs.
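As an added example (not the original post's configuration), here is a stanza you could drop into /etc/logrotate.d/ for a hypothetical application log. The application name "myapp", its log path and its service script are made up for the example. On RHEL 6 the rsyslog files themselves (/var/log/messages, /var/log/secure and so on) are already covered by /etc/logrotate.d/syslog, so a new stanza must only list logs that are not already there: logrotate refuses duplicate entries.

```conf
# /etc/logrotate.d/myapp  (added example; "myapp" and its paths are hypothetical)
/var/log/myapp/*.log {
    # rotate once the file passes 50 MB; the check happens on each daily cron run
    size 50M
    # keep eight rotated copies, delete anything older
    rotate 8
    # gzip rotated copies, but leave the newest one uncompressed for a day
    compress
    delaycompress
    # no error if the file is missing, no rotation if it is empty
    missingok
    notifempty
    # the fresh log file is readable by root only
    create 0600 root root
    # run the script once for the whole glob, then tell the daemon to reopen its log
    sharedscripts
    postrotate
        /sbin/service myapp reload > /dev/null 2>&1 || true
    endscript
}
```

Before letting cron pick it up, dry-run it with logrotate -d /etc/logrotate.d/myapp: -d prints what would happen without touching anything. logrotate remembers when each file was last rotated in /var/lib/logrotate.status, which is why a second run on the same day does nothing unless you force it with -f.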
Centralized Logging (RHEL 6)
If you’d like to set up a centralized syslog server, first choose which machine will store all your logs; that machine is the log server in the steps below.
Step 1. Edit your /etc/rsyslog.conf file on the log server so that it accepts messages from the network:
Step 2. Configure each client to send some or all of its logs to the centralized log server. For example, I configure the client to send all of its security logs to the server.
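Here is what the two edits can look like in the rsyslog 5 syntax that RHEL 6 ships. This is an added example, not the original post's configuration; the server name logserver.example.com, the /var/log/remote path and the template and queue names are made up. On RHEL the security logs are the authpriv facility, the same one the default rule writes to /var/log/secure.

```conf
# ---- Log server: additions to /etc/rsyslog.conf (added example) ----
# Accept messages over TCP. TCP is preferred because UDP silently drops
# messages under load; enable imudp only for clients that cannot do TCP.
$ModLoad imtcp
$InputTCPServerRun 514
#$ModLoad imudp
#$UDPServerRun 514

# Put each client's authpriv messages in its own file instead of mixing them
# into the server's local /var/log/secure. %HOSTNAME% comes from the message.
$template PerHostSecure,"/var/log/remote/%HOSTNAME%/secure"
authpriv.*    ?PerHostSecure
# Discard these messages here so the default rules below do not log them twice.
& ~

# ---- Client: additions to /etc/rsyslog.conf (added example) ----
# Forward the security (authpriv) facility over TCP (@@); a single @ means UDP.
# The queue directives apply to the next action: spool to disk and retry forever
# if the server is down, so a reboot of the log server does not lose logins.
$ActionQueueType LinkedList
$ActionQueueFileName fwdSecure
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
authpriv.*    @@logserver.example.com:514
```

Place the server block before the default rules, because the & ~ line also swallows the server's own authpriv messages: they end up under /var/log/remote/<its own hostname>/secure rather than in /var/log/secure. The client's queue files land in the $WorkDirectory set earlier in the file (/var/lib/rsyslog on RHEL 6). Check the syntax with rsyslogd -N1, then run service rsyslog restart on both machines, and on the server open the port only to the clients you expect, for example iptables -I INPUT -p tcp --dport 514 -s 10.0.0.0/24 -j ACCEPT followed by service iptables save. A logger -p authpriv.notice "forwarding test" on a client should then show up on the server. Keep in mind that plain syslog over TCP is neither encrypted nor authenticated: anyone who can reach port 514 can read or inject "security" messages, so on an untrusted network restrict the port tightly or use rsyslog's TLS support.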
From now on, all security-related messages from the clients can be monitored on the centralized log server.
User Login Events
Aside from the normal logs generated and used by the syslog service, there are two special commands that deal with system logins.
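The post does not name those two commands, so as an added example (not from the original post) here is the other side of login monitoring: reading the sshd lines that rsyslog writes to /var/log/secure, the same authpriv messages forwarded to the log server above. The sample log lines are constructed for this example; the host "rhel6", the user names and the addresses are made up.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the SSH login events that
# rsyslog writes to /var/log/secure (the authpriv facility on RHEL 6). The lines
# below are constructed for this example; host "rhel6", the users and the
# addresses are made up.
SAMPLE_SECURE_LOG='Mar  3 09:12:01 rhel6 sshd[2101]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar  3 09:12:44 rhel6 sshd[2130]: Failed password for invalid user admin from 203.0.113.7 port 40110 ssh2
Mar  3 09:12:46 rhel6 sshd[2130]: Failed password for invalid user admin from 203.0.113.7 port 40110 ssh2
Mar  3 09:12:49 rhel6 sshd[2133]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 09:13:10 rhel6 sshd[2140]: Accepted publickey for bob from 10.0.0.9 port 51030 ssh2
Mar  3 09:13:30 rhel6 su: pam_unix(su-l:session): session opened for user root by alice(uid=500)
Mar  3 09:14:02 rhel6 sshd[2150]: Failed password for alice from 10.0.0.5 port 51040 ssh2'

# Each function reads log lines on stdin, so the same code runs on a real file:
#   failed_logins_by_source < /var/log/secure

# Print "count address" for every source of failed password attempts, busiest first.
# The address is the word after "from", which also covers the "invalid user" form,
# where the earlier fields shift by two.
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") src[$(i + 1)]++
         }
         END { for (a in src) print src[a], a }' | sort -rn
}

# Print "user address method" for each successful SSH login.
# Fields: $6 = Accepted, $7 = password|publickey, $9 = user name.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $9, $(i + 1), $7
         }'
}

# Print the addresses with at least THRESHOLD failures: candidates for blocking.
brute_force_sources() {
    failed_logins_by_source | awk -v t="$1" '$1 >= t { print $2 }'
}

echo "Failed password attempts by source:"
printf '%s\n' "$SAMPLE_SECURE_LOG" | failed_logins_by_source
echo "Successful logins:"
printf '%s\n' "$SAMPLE_SECURE_LOG" | accepted_logins
echo "Sources with 3 or more failures:"
printf '%s\n' "$SAMPLE_SECURE_LOG" | brute_force_sources 3
```

Note that the su line is deliberately left alone by all three functions: only sshd messages are matched, so privilege changes after login need their own rule. Run against the per-host files collected on the log server, the same functions show you which client is being hammered without logging in to each one.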
Have fun!