RH342 - ch02s03

Bookmark this page

Configuring Remote Logging

Objectives

Configure systems for remote logging to a central log host.

Remote logging

Standard configuration of system log management rotates log files every week and retains them for four rotations. It is often desirable to maintain logs longer than the four-week default, especially when establishing system performance trends for tasks that are executed just once a month, such as month-end financial closing. By sending log messages to a remote log host with dedicated mass storage, administrators can maintain large archives of system logs for their systems without changing the default log rotation configuration, which is intended to keep logs from overconsuming disk storage.

Central collection of system log messages can also be useful for monitoring the state of systems and for identifying problems. Remote storage provides a backup location for log messages in case a system suffers a catastrophic failure that might cause the local logs to be unavailable. In these situations, the copy of the log messages on the central log host can be used to diagnose the issue that caused the problem.

Standardized system logging is implemented in Red Hat Enterprise Linux 8 by the rsyslog service. System programs can send syslog messages to the local rsyslogd service, which then redirects those messages to files in /var/log, remote log servers, or other databases based on the settings in its configuration file, /etc/rsyslog.conf.

Two characteristics of log messages categorize them: facility and severity. The facility indicates the type of log message. The severity indicates the importance of the event that is logged in the message.

Table 2.1. Syslog Priority Levels

Severity	Meaning
`emerg`	System is unusable
`alert`	Immediate action required
`crit`	Critical condition
`err`	Error condition
`warning`	Warning condition
`notice`	Normal but significant condition
`info`	Informational messages
`debug`	Debugging messages

Configuring a Central Log Host

Implementing a central log host requires configuring the rsyslog service on the systems where the log messages originate and on the central log host that receives the messages. On the central log host, the rsyslog service is configured to accept log messages from the originating hosts.

To configure the rsyslog service on the central log host to accept remote logs, uncomment either the TCP or UDP reception lines in the modules section in the /etc/rsyslog.conf file.

For UDP reception:

module(load="imudp")
input(type="imudp" port="514")

or for TCP reception:

module(load="imtcp")
input(type="imtcp" port="514")

In the example syntax, the module object loads the input modules for TCP and UDP, and the input object configures them. Although TCP provides more reliable delivery of remote log messages, UDP is supported by more operating systems and networking devices.

The default rules in /etc/rsyslog.conf accommodate message logging on a single host, sorting and bundling messages by facility. For example, mail messages are stored in /var/log/maillog while messages generated by the crond daemon are stored in /var/log/cron to easily locate each type of message.

Although sorting of messages by facility is ideal on a single host, it produces an undesirable result on a central log host because it causes messages from different remote hosts to be mixed together. On a central log host, it might be optimal for log messages from remote systems to remain separated. This separation is achieved by using the template function of rsyslog.

Templates are defined in /etc/rsyslog.conf by using the template() statement and are used to generate dynamic log files. A template() statement must contain a name and a type parameter. Different template types use different syntax, but still have the same functionality. Template parameters depend on the template type. Templates can dynamically construct log file names and paths based the properties of a log message.

For example, to route cron syslog messages from different systems to different files on a central log host, use a template to generate dynamic log directories based on the hostname property of each log message, as in this example:

template (name="HostTemplate" type="string" string="/var/log/loghost/%HOSTNAME%/cron.log")

Alternatively, use the list type parameter to specify a consistent and preferred syntax:

template(name="HostTemplate" type="list") {
    constant(value="/var/log/loghost/")
    property(name="hostname")
    constant(value="/cron.log")
    }

Note

A list of template types is available in the references. The list type is unique because its configuration is defined with curly braces.

A template can be referenced by name in a rule:

cron.* action(type="omfile" DynaFile="HostTemplate")

This example rule indicates that log messages of the cron facility type, of any severity level, should be handled by the action object. The action object uses the File Output Module, omfile, to write to the template that the DynaFile parameter indicates.

The following template example generates dynamic log file names. Remote log messages are sorted by originating host name and facility values by referencing the hostname and syslogfacility-text properties. Log messages are written to the dynamically generated log file names.

template (name="HostTemplate" type="string" string="/var/log/loghost/%HOSTNAME%/%syslogfacility-text%.log")
*.* action(type="omfile" DynaFile="HostTemplate")

Note

A list of the syslog message properties for rsyslog are found in the Available Properties section of the rsyslog.conf(5) man page.

After activating syslog message reception and creating the rules for log separation by host, restart the rsyslog service to implement the changes. In addition, configure appropriate UDP or TCP firewall rules to permit incoming syslog traffic, and reload firewalld to implement those rules.

[root@loghost ~]# systemctl restart rsyslog
[root@loghost ~]# firewall-cmd --add-port=514/udp --permanent
[root@loghost ~]# firewall-cmd --add-port=514/tcp --permanent
[root@loghost ~]# firewall-cmd --reload

Newly created log files might not be included in the log host's current log rotation schedule, which can cause those new logs to grow too large. Include the new log files in the log rotation by adding a new entry to the list of log files in the /etc/logrotate.d/syslog configuration file.

/var/log/loghost/*/*.log

Redirecting Logging to Central Log Host

After configuring the central log host to accept incoming remote messages, configure the rsyslog service on originating systems to send logs remotely to the central log host. Add entries to the rules section in the /etc/rsyslog.conf file to indicate the facility, severity, and an action object to specify how to communicate with the central log host.

For example, to send messages with info or higher severity that are sent to loghost.example.com via UDP, use this entry:

*.info action(type="omfwd" target="loghost.example.com" port="514" protocol="udp")

The action object uses the Forwarding Output Module, omfwd, to send syslog messages to the central log host.

To send all messages to loghost.example.com via TCP, use the following entry:

*.* action(type="omfwd" target="loghost.example.com" port="514" protocol="tcp")

After adding rules, restart the rsyslog service. Use the logger command to send a test message, which can optionally specify the facility and severity to test.

[root@logclient ~]# logger "Test from logclient"

Check the logs on the remote server to ensure that the message was received.

Export Session Recordings to Central Log Host

Sessions that are recorded with the web console tool can be exported to a central log host for centralization. Use the systemd export option to forward encrypted journal entries over the network with HTTP/HTTPS and to write journal files from the serialized journal content.

This option is integrated into systemd, by installing the systemd-journal-remote package.

[root@host ~]#  yum install systemd-journal-remote

Create a temporary directory where the journal output with all its entities are exported into a file.

[root@host ~]#  mkdir /tmp/dir
[root@host ~]#  journalctl -o export | /usr/lib/systemd/systemd-journal-remote -o /tmp/dir/example.journal -

In the central log host, create a directory to store the files of the nodes with terminal session recordings and copy or rsync them securely to the directory.

[root@host ~]#  mkdir /var/log/journal/remote/

To playback the recorded sessions, use the tool included in the tlog package.

[root@host ~]#  tlog-play -r journal -M TLOG_REC=<your-unique-host-id>

Automate the installation of the terminal session recording tool with the RHEL tlog system role. Sessions are sent to the central log host for further analysis.

References

For more information, see the rsyslog.conf(5), rsyslogd(8), and logger(1) man pages.

For further information, refer to the Recording Sessions Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/recording_sessions/index

Discuss Red Hat Enterprise Linux Diagnostics and Troubleshooting

Go to community

Welcome to the Red Hat Enterprise Linux Diagnostics and Troubleshooting (RH342) group!

cschunke

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Enterprise Linux Diagnostics and Troubleshooting! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH342.Read more about Red Hat Enterprise Linux Diagnostics and Troubleshooting here.

445

Revision: rh342-8.4-6dd89bd

Click Create to build all of the virtual machines needed for the classroom lab environment. This may take several minutes to complete. Once created the environment can then be stopped and restarted to pause your experience.
When a lab is created, click Start to run all of the virtual machines in the classroom.
Click Stop to stop all the virtual machines from running. This will not delete your lab.
If you Delete your lab, you will remove all of the virtual machines in your classroom and lose all of your progress.

Virtual machine actions

Click Start to power on the virtual machine.
Click Shutdown to gracefully shut down the virtual machine, preserving disk contents.
Click Power off to forcefully shut down the virtual machine, while still preserving disk contents.
Click Open console to connect to the system console of the virtual machine in a new browser.

Auto-stop timer

The Red Hat Learning Subscription entitles you to set allotment of lab time.
To help conserving your allotted time, the lab environment uses automatic timers to stop or destroy your lab environment when the timer expires.

Click the Auto-stop button [+] to extend the time you would like to spend with the labs.
Click the Auto-destroy button [+] to add day(s) to the auto-destroy timer.

Auto-stop has a maximum of 11 hours, and auto-destroy has a maximum of 14 days.
Be careful to keep the timers set while you are working, so that your environment doesn't shut down unexpectedly.
We also suggest not to set the auto-timers unnecessarily high, which could waste your lab time allotment