Step-by-Step Guide: Forwarding RHEL 8 Logs to Nagios Log Server 2024R2

Ayub Huruse

Nagios Log Server offers a powerful, centralized solution for log collection, analysis, and management, providing enhanced visibility into system activities and improving security monitoring. Configuring RHEL 8 to forward logs ensures real-time tracking of critical events, helping administrators proactively manage system performance and security threats.

This guide will walk you through the step-by-step process of configuring RHEL 8 to send logs to Nagios Log Server 2024R2 using rsyslog. By the end, your system will be fully integrated with Nagios Log Server, enabling efficient and centralized log monitoring.

Prerequisites

Before proceeding, ensure you have the following:

  • A running Nagios Log Server 2024R2 instance.
  • A RHEL 8 system (updated; e.g., `sudo dnf update`) with root or `sudo` privileges.
  • Network connectivity between RHEL 8 and Nagios Log Server (ensure firewall rules allow communication on port 5544).
  • `rsyslog` installed (default; verify with `rsyslogd -v`, expecting 8.1911.0 or later).

Step 1: Add a New Log Source in Nagios Log Server

  1. Log in to Nagios Log Server:
    • Open your web browser and navigate to your Nagios Log Server instance.
    • Log in using your administrator credentials.
  2. Navigate to Log Source Setup:
    • On the Home page, locate the + Linux button at the top right.

  3. Alternatively, click + Add Log Source in the navigation bar and select Linux.


Step 2: Configuring the RHEL 8 Log Source

1. Download and Run the Setup Script

  • The Linux Source Setup page provides a pre-configured command.
  • Copy the command and paste it into the RHEL 8 terminal.

If curl is not installed, install it first:

sudo dnf install -y curl

Then, execute the following commands to download and run the setup script:

curl -sS -O http://your-nagios-log-server-address/nagioslogserver/scripts/setup-linux.sh
sudo bash setup-linux.sh -s your-nagios-log-server-address -p 5544

Replace your-nagios-log-server-address with the actual IP address or hostname of your Nagios Log Server.

  • The -s flag specifies the Nagios Log Server address.
  • The -p flag specifies the port for log transmission (default is 5544).

Example (Nagios Log Server at 192.168.0.65):

curl -sS -O http://192.168.0.65/nagioslogserver/scripts/setup-linux.sh
sudo bash setup-linux.sh -s 192.168.0.65 -p 5544

2. Verify the Script Execution

After running the script, you should see a confirmation message:

Detected rsyslog 8.1901.0
Detected rsyslog work directory /var/lib/rsyslog
Destination Log Server: 192.168.0.65:5544
Creating /etc/rsyslog.d/99-nagioslogserver.conf...
SELinux is disabled.
rsyslog configuration check passed.
Restarting rsyslog service with 'service'...
Redirecting to /bin/systemctl restart rsyslog.service
Okay.
rsyslog is running with the new configuration.
Visit your Nagios Log Server dashboard to verify that logs are being received.

  • If you encounter any errors, check the script logs.
  • Ensure that the Nagios Log Server is reachable and that port 5544 is open.

Step 3: Confirming Log Reception

  1. Navigate to Dashboards in Nagios Log Server:
    • Go to the Dashboards section.
    • Perform a query using the IP address of the RHEL 8 machine to confirm logs are being received.
  2. Send a Test Log Entry:

logger "This is a test log entry"

  3. Refresh the Nagios Log Server dashboard:
    • If successful, you should see the test log entry listed in the dashboard.

Step 4: Accessing the Setup Script on Nagios Log Server

The setup script is located on the Nagios Log Server instance at:

/var/www/html/nagioslogserver/www/scripts/setup-linux.sh

You can access it directly via a browser or SSH if you need to make manual adjustments.

Step 5: Manual Setup (Optional)

For more customization, use the manual configuration method instead of the script:

1. Edit the rsyslog configuration:

sudo nano /etc/rsyslog.d/.conf

2. Add the following lines in the "begin forwarding rule" section:

# ### begin forwarding rule ### NAGIOSLOGSERVER
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@192.168.1.123:5544
# ### end of the forwarding rule ###

Replace /var/lib/rsyslog with the correct path if different, and 192.168.1.123 with the IP address of your Nagios Log Server.

3. Restart rsyslog:

sudo systemctl restart rsyslog
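
The manual rule from this step can be checked with a short script. This is an added example, not part of the original guide or of Nagios Log Server: it parses the legacy forwarding action (`@` is UDP, `@@` is TCP) and confirms the destination and the queue directives that keep events on disk and retrying while the server is unreachable. The function names `parse_forward_target` and `audit_forwarding` and the sample files are assumptions made for illustration.

```shell
# Added example (not the guide's or Nagios' code); function names are hypothetical.
# Print "proto host port" per forwarding action ("@host:port" is UDP, "@@host:port" is TCP).
parse_forward_target() {
    sed -n -E 's/^[^[:space:]#]+[[:space:]]+(@@?)([^[:space:]:@]+):([0-9]+)[[:space:]]*$/\1 \2 \3/p' "$1" |
    while read -r at host port; do
        [ "$at" = "@@" ] && proto=tcp || proto=udp
        echo "$proto $host $port"
    done
}

# Return 0 only if FILE forwards over TCP to HOST:PORT with a disk-backed,
# retry-forever queue, so an outage of the log server does not drop events.
audit_forwarding() {
    file=$1; want_host=$2; want_port=$3; rc=0
    targets=$(parse_forward_target "$file")
    [ -n "$targets" ] || { echo "FAIL: no forwarding action found"; return 1; }
    while read -r proto host port; do
        [ "$proto" = tcp ] ||
            { echo "FAIL: $host:$port is sent over UDP (single @)"; rc=1; }
        [ "$host:$port" = "$want_host:$want_port" ] ||
            { echo "FAIL: logs go to $host:$port, expected $want_host:$want_port"; rc=1; }
    done <<EOF
$targets
EOF
    while read -r name value; do
        grep -Eq "^[[:space:]]*\\\$$name[[:space:]]+$value[[:space:]]*\$" "$file" ||
            { echo "FAIL: \$$name missing or not as expected"; rc=1; }
    done <<'EOF'
ActionQueueFileName [^[:space:]]+
ActionQueueSaveOnShutdown on
ActionResumeRetryCount -1
EOF
    return "$rc"
}

# Constructed sample input: the Step 5 rule, and a weakened copy (UDP, no retry).
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.conf" <<'EOF'
$WorkDirectory /var/lib/rsyslog
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@192.168.1.123:5544
EOF
sed -e 's/@@/@/' -e '/ResumeRetryCount/d' "$sample_dir/good.conf" > "$sample_dir/weak.conf"
audit_forwarding "$sample_dir/good.conf" 192.168.1.123 5544 && echo "good.conf: OK"
audit_forwarding "$sample_dir/weak.conf" 192.168.1.123 5544 || echo "weak.conf: rejected"
```

Point `audit_forwarding` at the real drop-in, for example the `/etc/rsyslog.d/99-nagioslogserver.conf` file the setup script reports creating.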

Step 6: Adding More Log Sources

Use the + Add Log Source button to configure additional sources, such as:

  • Windows event logs
  • Application logs
  • Archived log files

Some log sources offer both scripted and manual setup options.

  • The manual method provides more customization by allowing direct configuration file edits.

Troubleshooting Tips

1. Check rsyslog Status

Ensure that rsyslog is installed and running:

systemctl status rsyslog

If the service is not running, start it:

sudo systemctl start rsyslog

2. Verify Network Connectivity

Ensure that the RHEL 8 machine can communicate with Nagios Log Server on port 5544.

  • Check for network restrictions such as firewalls or proxy settings.

3. Check Firewall Settings

If you’re using firewalld, allow traffic on port 5544:

sudo firewall-cmd --zone=public --add-port=5544/tcp --permanent
sudo firewall-cmd --reload

Also, check if there are any firewall rules on the Nagios Log Server that might block incoming log data.

4. Review Log Files

If the above steps don’t resolve the issue, review the log files:

  • On RHEL 8: sudo grep rsyslog /var/log/messages
  • On Nagios Log Server: tail -f /var/log/logserver/nagios.log

Conclusion

By following this guide, you have successfully configured your RHEL 8 machine to send logs to Nagios Log Server 2024R2 for centralized monitoring. This setup allows you to efficiently monitor system logs and gain insights into potential issues in real-time.

For troubleshooting or further assistance, visit the Nagios Knowledgebase or check the Nagios Support Forums.
