Centralized log

2001586155sefira/ December 13, 2018/ Uncategorized/ 0 comments

Logs are an important part of a system. They give information about what the system is up to.

It is hard to manage logs on a system with multiple hosts. Searching for an error across many log files is hard, especially without a good tool.

Centralized logging is a common answer to this problem. With centralized logging, the logs of many hosts are aggregated in one central location.

To make this clear, here’s a simulation of centralized logging with 2 VMs.

Two virtual machines are needed. One acts as the server, and the other as the client. To begin, in the settings of both machines, set the network adapter to bridged mode.

Setting up the server

Choose one of the Kali Linux machines to be the server. Then open a terminal and edit /etc/rsyslog.conf. The command I used is vi /etc/rsyslog.conf

Remove the comment signs (#) in front of the lines that enable UDP and TCP syslog reception, so that those lines become active, then type ":wq" to save and exit.

Then restart the rsyslog service and check that, after the modification, the server is listening on 514/udp and 514/tcp.

Monitor the logs by typing tail -f /var/log/syslog /var/log/auth.log. At this point only the log entries from the server machine itself will appear.

Finally, check the IP address of the log server; it is needed in the log client configuration.

Setting up the client

Create the file /etc/rsyslog.d/test.conf and write "*.* @serverIP" in it (replace serverIP with the IP address of the log server). Then check the file to make sure it is correct.

Then restart the rsyslog service.
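The two configuration steps above (uncommenting the receiver lines on the server, writing the forwarding line on the client) are easy to get subtly wrong, so here is an added helper script that checks them. It is not part of the original post; it assumes the stock Debian/Kali rsyslog.conf layout, where the receivers are enabled by the lines module(load="imudp"), input(type="imudp" port="514"), module(load="imtcp") and input(type="imtcp" port="514") (older configs use $ModLoad imudp / $UDPServerRun 514 instead). One caveat the post does not mention: a single "@" forwards over UDP, which is what the post uses; "@@" forwards over TCP, which is reliable but only works because the server also opened 514/tcp.

```shell
#!/bin/sh
# Added example, not from the original post. Helper checks for the rsyslog
# setup described above. Paths and config lines assume the stock Debian/Kali
# rsyslog layout (assumption).

# Count the uncommented lines in a server config that load or bind the
# UDP and TCP input modules. Prints the count and returns 0 only when all
# four (two module loads, two port bindings on 514) are active. Both the
# rsyslog 8 "module()/input()" syntax and the legacy "$ModLoad" syntax count.
check_server_conf() {
    conf="$1"
    n=$(grep -Ec '^[[:space:]]*(module\(load="im(udp|tcp)"\)|input\(type="im(udp|tcp)"[^#]*port="514"\)|\$ModLoad im(udp|tcp)|\$(UDP|InputTCP)ServerRun 514)' "$conf" || true)
    echo "$n"
    [ "$n" -ge 4 ]
}

# Print the client forwarding line for /etc/rsyslog.d/test.conf.
# "@" forwards over UDP (as in the post), "@@" over TCP; rsyslog uses
# port 514 by default, so no port is written, matching the post.
client_forward_line() {
    ip="$1"
    proto="${2:-udp}"
    [ -n "$ip" ] || { echo "server IP required" >&2; return 1; }
    case "$proto" in
        udp) echo "*.* @${ip}" ;;
        tcp) echo "*.* @@${ip}" ;;
        *)   echo "unknown protocol: $proto (use udp or tcp)" >&2; return 1 ;;
    esac
}

# Write the forwarding line to a config file (default: the path from the post).
write_client_conf() {
    ip="$1"
    proto="${2:-udp}"
    path="${3:-/etc/rsyslog.d/test.conf}"
    client_forward_line "$ip" "$proto" > "$path"
}

# On the server, after restarting rsyslog, confirm that something is bound
# to port 514 (uses iproute2's ss; needs a live system, so not run offline).
listening_on_514() {
    ss -lntu 2>/dev/null | grep -Eq '[:.]514[[:space:]]'
}

# Typical use on the server:   check_server_conf /etc/rsyslog.conf && listening_on_514
# Typical use on the client:   write_client_conf 192.0.2.10 udp   (example IP)
```

Run check_server_conf before restarting rsyslog on the server; if it prints a number below 4, one of the four receiver lines is still commented out. On the client, write_client_conf writes the same "*.* @serverIP" line the post describes, and the tcp variant writes "@@" instead.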

Result

On the log server, the log entries from the client will now appear alongside its own. For example, if I start or stop the ssh service on the client, the server's log will show it.
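Once both machines write into the same /var/log/syslog, the hostname field is what tells the server's own entries apart from the client's. The following added helper (not from the original post) counts entries per originating host and filters one host's lines; the log lines in it are constructed samples in the traditional syslog format, with the hostnames logserver and logclient as assumed names.

```shell
#!/bin/sh
# Added example, not from the original post. Works on a merged syslog file
# in the traditional format "Mon DD HH:MM:SS hostname program[pid]: message",
# where the originating host is the fourth whitespace-separated field.

# Count log lines per originating host, one "host count" line per host.
count_by_host() {
    awk '{ c[$4]++ } END { for (h in c) printf "%s %d\n", h, c[h] }' "$1" | sort
}

# Print only the lines that a given host sent (e.g. the client).
lines_from_host() {
    awk -v h="$2" '$4 == h' "$1"
}

# Constructed sample of what the server's /var/log/syslog might contain after
# the client starts and stops ssh (hostnames and timestamps are made up).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Dec 13 10:01:02 logserver systemd[1]: Started System Logging Service.
Dec 13 10:01:15 logclient systemd[1]: Starting OpenBSD Secure Shell server...
Dec 13 10:01:15 logclient sshd[1234]: Server listening on 0.0.0.0 port 22.
Dec 13 10:02:40 logclient systemd[1]: Stopping OpenBSD Secure Shell server...
Dec 13 10:02:40 logclient sshd[1234]: Received signal 15; terminating.
EOF

# Typical use on the real server:
#   count_by_host /var/log/syslog
#   lines_from_host /var/log/syslog logclient
```

Running count_by_host on the sample gives "logclient 4" and "logserver 1", which is the quick way to confirm that forwarded entries are actually arriving rather than only the server's own.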

reference:

http://jasonwilder.com/blog/2012/01/03/centralized-logging/
