
Master Rsyslog on CentOS: Quick Install, Config, and Log Aggregation Guide

This article walks through the fundamentals of Linux log management by introducing Rsyslog, showing how to install it on CentOS, configure facilities and severity, and demonstrate practical examples for aggregating web server access logs to a central application server.

MaGe Linux Operations

In the era of data-driven operations, log management is unavoidable. While popular stacks like Logstash, Elasticsearch, and Kibana exist, many prefer a quick‑start solution such as Rsyslog.

Older Linux versions use the default Syslog configuration, typically found in /etc/syslog.conf:

shell> cat /etc/syslog.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
# kern.*    /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none    /var/log/messages

# The authpriv file has restricted access.
authpriv.*    /var/log/secure

# Log all the mail messages in one place.
mail.*    -/var/log/maillog

# Log cron stuff
cron.*    /var/log/cron

# Everybody gets emergency messages
*.emerg    *

# Save news errors of level crit and higher in a special file.
uucp,news.crit    /var/log/spooler

# Save boot messages also to boot.log
local7.*    /var/log/boot.log

The file introduces two concepts: Facility (the source type of a message) and Severity (its level). Each selector is written as facility.severity and matches that severity and anything more severe; ".none" removes a facility from an earlier selector on the same line. So messages of severity info or higher go to /var/log/messages except those from the mail, authpriv, and cron facilities, which get their own files (mail messages go to /var/log/maillog). A leading hyphen before a path tells syslogd not to sync the file after every write (asynchronous writes), which is faster but can lose the most recent entries if the host crashes.
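To make the selector semantics concrete, here is an added Python model (not code from the original article) that parses the selector lines above and reports which actions receive a given facility.severity pair; it handles only the selector forms that this file uses.

```python
import re

# Facility and severity names in RFC 3164 numeric order (tuple index == code).
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7")
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# The selector lines of the /etc/syslog.conf shown above, comments dropped.
CLASSIC_CONF = """
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*    /var/log/secure
mail.*    -/var/log/maillog
cron.*    /var/log/cron
*.emerg    *
uucp,news.crit    /var/log/spooler
local7.*    /var/log/boot.log
"""

def parse_rules(conf_text):
    """Parse 'selector[;selector...]  action' lines into (table, action, is_async).

    table maps facility -> most verbose severity index the rule accepts; a facility
    that is absent (e.g. removed by 'mail.none') never matches this rule.
    """
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = re.split(r"\s+", line, maxsplit=1)
        table = {}
        for selector in selectors.split(";"):
            facs, sev = selector.rsplit(".", 1)
            for fac in (FACILITIES if facs == "*" else facs.split(",")):
                if sev == "none":
                    table.pop(fac, None)  # later selectors override earlier ones
                else:
                    table[fac] = len(SEVERITIES) - 1 if sev == "*" else SEVERITIES.index(sev)
        # A leading '-' marks asynchronous (unsynced) file writes; '*' means all logged-in users.
        rules.append((table, action.lstrip("-"), action.startswith("-")))
    return rules

def destinations(rules, facility, severity):
    """Return the actions, in file order, that receive a facility.severity message."""
    sev = SEVERITIES.index(severity)
    return [action for table, action, _ in rules
            if facility in table and sev <= table[facility]]
```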

Modern replacements such as Rsyslog and Syslog‑ng provide better performance and features. Most Linux distributions ship with Rsyslog, so this guide focuses on getting Rsyslog up and running quickly.

Installation and Configuration

Using CentOS as an example, install Rsyslog via RPM:

shell> cd /etc/yum.repos.d/
shell> wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
shell> yum install rsyslog

Verify the installed files:

shell> rpm -ql rsyslog

/etc/logrotate.d/syslog
/etc/pki/rsyslog
/etc/rc.d/init.d/rsyslog
/etc/rsyslog.conf
/etc/rsyslog.d
/etc/sysconfig/rsyslog
...

If a traditional Syslog service is present, stop it before starting Rsyslog:

shell> service syslog stop
shell> service rsyslog start

Enable debug mode to troubleshoot Rsyslog issues:

shell> cat /etc/sysconfig/rsyslog

# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS="-d -n"

Test Rsyslog functionality with the built‑in logger command or performance with the official tcpflood tool.

Example Demonstration

Rsyslog processes data through input modules into a main queue, filters it into sub‑queues, and finally hands it to output modules. The following example shows how to collect access logs from multiple web servers and forward them to a central application server.

Web server configuration (using the imfile module):

module(load="imfile")

ruleset(name="remote") {
    action(type="omfwd"
        Protocol="tcp"
        Target="<HOST>"
        Port="<PORT>")
    stop
}

input(type="imfile"
    File="/path/to/web/access.log"
    Facility="user"
    Severity="info"
    Tag="web_access"
    PersistStateInterval="1"
    Ruleset="remote")

Set $WorkDirectory so imfile has somewhere to persist its state files (they record how far into access.log it has read, so nothing is re-sent after a restart). A small PersistStateInterval is convenient while testing; in production pick a larger value, since each interval costs a state-file write.

Application server configuration (using the imtcp module):

module(load="imtcp")

template(name="msg" type="string" string="%msg:2:$%\n")

ruleset(name="analysis") {
    action(type="omfile"
        File="/path/to/access.log"
        Template="msg")
    stop
}

input(type="imtcp"
    Port="<PORT>"
    Ruleset="analysis")

This setup writes only the message part of each log entry to /path/to/access.log: the property replacer %msg:2:$% takes %msg% from its second character to the end, dropping the leading space that separates the tag from the message, and the template appends a newline after each line.
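As an added example (not part of the original article), the following Python models what the application server receives on the imtcp port and what the msg template leaves in /path/to/access.log. The sample frames are constructed; the hostname web1 and the 192.0.2.x client addresses are assumptions.

```python
import re

# RFC 3164 codes: PRI = facility * 8 + severity. Facility "user" is 1 and severity
# "info" is 6, so the imfile input above (Facility="user" Severity="info") yields PRI 14.
FACILITIES = ("kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7")
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# Legacy frame as omfwd emits it: <PRI>Mmm dd hh:mm:ss host tag[:] msg, one per LF-terminated line.
FRAME_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]{1,32}:?)(.*)$")

# Constructed sample: two access-log lines forwarded from host web1 with tag web_access.
SAMPLE_STREAM = (
    '<14>May  9 10:00:00 web1 web_access 192.0.2.10 - - [09/May/2014:10:00:00 +0800] "GET / HTTP/1.1" 200 612\n'
    '<14>May  9 10:00:01 web1 web_access 192.0.2.11 - - [09/May/2014:10:00:01 +0800] "GET /x HTTP/1.1" 404 169\n'
)

def parse_frame(line):
    """Split one frame into the properties rsyslog exposes (pri parts, syslogtag, msg, ...)."""
    m = FRAME_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not an RFC 3164 frame: %r" % line)
    facility, severity = divmod(int(m.group(1)), 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m.group(2), "hostname": m.group(3), "syslogtag": m.group(4),
            # %msg% is everything after the tag; it keeps the separating space.
            "msg": m.group(5)}

def render_msg_template(frame):
    """Apply the page's template: %msg:2:$% is %msg% from character 2 (1-based) to the end."""
    return frame["msg"][1:] + "\n"

def analysis_ruleset(stream):
    """Return what the omfile action in ruleset 'analysis' appends to /path/to/access.log."""
    out = []
    for line in stream.split("\n"):  # omfwd terminates each TCP message with LF
        if line:
            out.append(render_msg_template(parse_frame(line)))
    return "".join(out)
```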

For more advanced processing, the omprog module can pipe logs to an external program, such as a PHP script:

module(load="omprog")

ruleset(name="analysis") {
    action(type="omprog"
        Binary="/usr/bin/php /path/to/script.php"
        Template="msg")
    stop
}

The script reads one templated line (the output of the "msg" template) per iteration from its standard input:

<?php

// Each line on STDIN is one access-log entry as rendered by the "msg" template.
while (($data = fgets(STDIN)) !== false) {
    // ...process log line...
}

?>

If the processing logic is heavy, consider forwarding the data to a task queue like Gearman instead of handling it directly in the loop.

When the main configuration becomes large, include additional files with:

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

For reference, the original article is available at https://huoding.com/2014/05/09/347.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
