Central logger is a server that acts as a server and receives all the logs from every server, every client that is out there, to receive the logging information. The purpose of this server is to generate logs within itself, which manages all the logs in the /var/log directory. And also, if it is built to receive all the logs, then it could work as a central logger. And the reason we call it central logger is because it is a central location, just like you'll see a lot of names like grand central or central location: anything that is centrally located to receive all incoming traffic, whether it is trains, or airplanes, or buses, you will most likely hear the word Central along with the name of its actual location.

So in our Linux environment, we have the server called central logger, and it has a service that runs within that server; it's called rsyslog. And the name of the service or the package is rsyslog. It does not have a d at the end. But it's just something that you have to get used to. I don't know why it does not have a d; some of the services have it, some of them don't. But that's okay, that's something you just have to live with.

The configuration file is located in the /etc/syslog.conf file. This is where you go in and change the parameters if you have to. And to start or stop the service, the exact syntax would be systemctl restart rsyslog. And to enable it at boot time, which means every time you reboot your system you want this service to be up and running along with the system, you enable it.

A picture speaks 1000 words, so that's why I have this picture on the right hand side. If you see in the middle, we have the server which is acting as a central logger. It receives all the traffic from all other servers. Those servers could be any; it's not specific. A server could be a modem, it could be a Windows machine, it could be a Linux machine, it could be a printer. You could have any of those devices configured to send this log traffic to one server.

Now the good question is, why do we need an rsyslog server or central logger? Well, ask yourself: if you are working in an environment where there are 1000 servers, and you are having issues with servers every now and then, sometimes three servers, sometimes 10 servers, sometimes 100 servers, are you actually going to log into every server one by one and check the logs to see which system is having the issue and where the problem is actually happening? Of course not, right, because it's a tedious task. You don't want to waste your time there; you're a productive person. So you want to make your life much easier, you want to make your system more efficient. So that's when you create the central logger.

So let's go into our Linux machine. I have a PuTTY session open, and I will go straight into the PuTTY session of my machine. I'll just make sure I am root, because you have to be root to go in and modify those files. The first thing you have to do is check if you have that package installed for rsyslog. And to do that the command is rpm -qa, which will list every package installed in your system. And the reason we use grep is because we don't want to list every package that's out there; we are just concerned about the rsyslog package. And you run it, and you do get the information that you're looking for, excluding all other packages that you don't really care about at this point. So you have the package, perfect. If you did not have that package, you would have to run yum install rsyslog, and it will install the package as long as you have an internet connection and it goes to the CentOS or any Redhat repository.

Now the configuration file is the /etc/rsyslog.conf file. Sorry, in my configuration file on my slide I missed the r; it's just a misspelling, I'll fix it. So the file is /etc/rsyslog.conf. And when you go in there, you hit enter. And anything you see again that starts with a hash, you can ignore it. Some of the parameters have been commented out by default. If you want to have it enabled, if you want the traffic, UDP traffic, or any of the traffic coming in, you have to take out this hash sign in front of it. So the parameter will be enabled. The one that we are really concerned about is all the way at the end, which is right here and starts with a hash; you will have to take it out. If you are sending your system's logs, this is your system, if you are sending this system's logs to another central logger, you will specify the name, the hostname or the IP address of that central logger. This is the port, 514. By default, rsyslog communication takes place on port 514. Just like any other services, like DNS talks on port 53, and there are many other services like NTP talks on, I believe, 123; just like that, every service has an associated port to it and it will talk only on that port. So you save it if you want to uncomment that. And then once you have it saved, you know you're sending your logs, the next thing you do is you run the service.

Before you run the service, let's check if that service is already running or not. In my case, in our case, it is running, it is active, perfect. If it is not running in your system, I will tell you to run it by doing systemctl and do start, and it will start the service. Again, this is how you send the traffic over to one central logger. It's the best way to troubleshoot for a system administrator. And this will make life a lot easier, to have all the logs under one roof.
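As an added example (not part of the lecture), the following shell functions make the two edits the lecture describes against a copy of rsyslog.conf: uncommenting the UDP receiver lines on the central logger, and enabling the "*.* @host:514" forwarding rule on a client. It assumes the legacy directive syntax shown in the lecture; the hostname central-logger.example is a placeholder, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the lecture: edit a *copy* of /etc/rsyslog.conf to
# (a) uncomment the UDP receiver lines on the central logger and
# (b) turn on forwarding on a client. Assumes the legacy "$ModLoad imudp",
# "$UDPServerRun 514" and "*.* @host:514" syntax shown in the lecture.

# Rewrite file $1 in place using sed expression $2 (portable, no sed -i).
_rewrite() { sed -E "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"; }

# Central-logger side: 0 if the config already listens on UDP 514, else 1.
udp_receiver_enabled() {
    grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imudp' "$1" &&
    grep -Eq '^[[:space:]]*\$UDPServerRun[[:space:]]+514' "$1"
}

# Central-logger side: strip the leading "#" from both receiver lines.
enable_udp_receiver() {
    _rewrite "$1" 's/^[[:space:]]*#[[:space:]]*(\$ModLoad[[:space:]]+imudp|\$UDPServerRun[[:space:]]+514)[[:space:]]*$/\1/'
}

# Client side: 0 if an uncommented "*.* @host" or "*.* @@host" rule exists.
forwarding_enabled() {
    grep -Eq '^[[:space:]]*\*\.\*[[:space:]]+@@?[^[:space:]]+' "$1"
}

# Client side: point forwarding at $2 on port 514. Uses "@@" (TCP) instead of
# the lecture's "@" (UDP) so dropped datagrams do not silently lose log lines.
enable_forwarding() {
    if grep -Eq '^[[:space:]]*#[[:space:]]*\*\.\*[[:space:]]+@@?' "$1"; then
        _rewrite "$1" "s|^[[:space:]]*#[[:space:]]*\*\.\*[[:space:]]+@@?[^[:space:]]*|*.* @@$2:514|"
    else
        printf '*.* @@%s:514\n' "$2" >> "$1"
    fi
}

# Demo on a constructed sample config, never the live /etc/rsyslog.conf.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '#$ModLoad imudp' '#$UDPServerRun 514' \
        '*.info;mail.none;authpriv.none;cron.none  /var/log/messages' \
        '#*.* @@remote-host:514' > "$tmp"
    enable_udp_receiver "$tmp"
    enable_forwarding "$tmp" central-logger.example   # placeholder hostname
    udp_receiver_enabled "$tmp" && forwarding_enabled "$tmp" && cat "$tmp"
    rm -f "$tmp"
}
demo
```

After editing the real file, the lecture's systemctl restart rsyslog is still needed for the change to take effect; check that the listener is bound and that the client's messages arrive in the central logger's /var/log before relying on it.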