Configuring central logging is one of the many important things you should do to secure your system. It gives you an exact timeline in case of an incident or for troubleshooting.
I was in the process of configuring some machines to send their logs to a remote system. We should not forget that some applications don't use syslog/rsyslog by default for their logging, and Apache is one of them. So let's make this post a simple, quick how-to, but first a short refresher is necessary.
Rsyslog is an enhanced version of syslog, which has been around for a long time. It supports plugins and has a modular design, like everything in Linux today, and it is also designed with security and high performance in mind.
On Red Hat 7 and CentOS 7 Linux distributions, it is the default system logger. All configuration is done in /etc/rsyslog.conf which, like other configuration files, includes anything in the /etc/rsyslog.d directory. If you need to pass parameters to the rsyslog service at startup, you can use the /etc/sysconfig/rsyslog file, which contains one line with the SYSLOGD_OPTIONS directive.
For example, if you want to enable remote logging, change this directive to:
SYSLOGD_OPTIONS="-m 0 -r"
I won't go into more detail on the different modules or rules, but you should know that rsyslog supports many different logging sources, destinations and plugins.
In my case I needed to use rsyslog as a logging mechanism for my Apache error logs.
By default, the Apache service does not log through rsyslog. In our case, we need to change the ErrorLog directive in the Apache configuration file /etc/httpd/conf/httpd.conf.
So let's change its configuration to have rsyslog take care of the Apache error logs:
First, open /etc/httpd/conf/httpd.conf, locate the ErrorLog directive and change it like this:
I have used the syslog facility local2. You should not use local7, which is Apache's default facility, as it is used to log boot messages to /var/log/boot.log on CentOS 7.
Then add the following line to your rsyslog.conf
Restart your Apache server
systemctl restart httpd
Then restart your Rsyslog service
systemctl restart rsyslog
Check the status of the two services
systemctl status rsyslog httpd
To test this configuration, open the default web site using curl or your browser.
You should see the error logged in /var/log/httpd-error.log, as there is no index file configured.
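A quick way to check that the two sides of this setup agree is shown below. This is an added example, not part of the original post. The sample directive lines and the function names are constructed for illustration from the facility (local2) and log path (/var/log/httpd-error.log) named above. The script checks that the facility in Apache's ErrorLog directive has a matching rsyslog rule and that it is not local7.

```bash
#!/usr/bin/env bash
# Added example: confirm Apache's syslog facility has a matching rsyslog rule.

# Print the facility from the last active "ErrorLog syslog:<facility>" line.
apache_facility() {
    sed -n 's/^[[:space:]]*ErrorLog[[:space:]]\{1,\}"\{0,1\}syslog:\([A-Za-z0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Print the file rsyslog writes the given facility to (legacy "facility.* file" rules).
rsyslog_target() {
    awk -v fac="$1" '$1 == (fac ".*") { sub(/^-/, "", $2); print $2 }' "$2" | tail -n 1
}

# Return 0 only when the facility is set, is not local7, and has an rsyslog rule.
check_pairing() {
    local fac target
    fac=$(apache_facility "$1")
    [ -n "$fac" ] || { echo "no ErrorLog syslog:<facility> line in $1" >&2; return 1; }
    [ "$fac" != "local7" ] || { echo "local7 is already used for boot messages" >&2; return 2; }
    target=$(rsyslog_target "$fac" "$2")
    [ -n "$target" ] || { echo "no rsyslog rule for $fac.* in $2" >&2; return 3; }
    echo "$fac -> $target"
}

# Constructed sample files standing in for httpd.conf and rsyslog.conf.
demo_dir=$(mktemp -d)
printf 'ServerName localhost\n#ErrorLog "logs/error_log"\nErrorLog syslog:local2\n' > "$demo_dir/httpd.conf"
printf 'local7.* /var/log/boot.log\nlocal2.* /var/log/httpd-error.log\n' > "$demo_dir/rsyslog.conf"

check_pairing "$demo_dir/httpd.conf" "$demo_dir/rsyslog.conf"
```

On a real host, pass the actual Apache and rsyslog configuration files to check_pairing instead of the sample files.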