How to install syslog on RHEL 8 / CentOS 8

Syslog is one of the main tools of a sysadmin. While writing logfiles with events of interest is a common feature of any application, a system-wide logging facility means all logs on the system can be handled in one place. But syslog does not stop there. With this tool, a sysadmin can centralize log processing in the datacenter by forwarding incoming events from applications to central logservers, where they can be processed at large scale.

Centralized logging is overkill on a home system with a few computers, but it already has its benefits at around a dozen machines. For example, a dozen desktops sending all their logs to a central logserver do not need to store them in the long run; the logs occupy disk space on the logserver instead. The admin can check for problems in one place (possibly by means of automated reports), and the logs can be preserved safely by means of backups, stored more efficiently with heavy compression, and will not be lost on a client's failure or user error.

In this tutorial you will learn:

  • How to install rsyslog package on RHEL 8 / CentOS 8.
  • How to verify successful install.
  • How to start, stop and autostart rsyslog service.
  • How to test syslog functionality with logger.

Status output of rsyslog service with systemctl.

Software Requirements and Conventions Used

Software Requirements and Linux Command Line Conventions

Category: Requirements, Conventions or Software Version Used
System: RHEL 8 / CentOS 8
Software: rsyslog 8
Other: Privileged access to your Linux system as root or via the sudo command.
Conventions: # – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
             $ – requires given Linux commands to be executed as a regular non-privileged user

How to install syslog on RHEL 8 / CentOS 8 step by step instructions

On RHEL 8 / CentOS 8 the rsyslog package should be installed and running by default. There may be cases where you need to install it anyway, for example if the package is broken or was deleted, or when reverting from another syslog service.

  1. The rsyslog package is available from the base repositories. You need to have Subscription Management repositories set up and reachable in order to install any packages. With that in place, installation is only one dnf command away:
    # dnf install rsyslog -y
  2. To verify successful installation, you can query the rpm database for the package:
    # rpm -q rsyslog

    dnf should also show “install time” status in the info output with the --verbose option:

    # dnf info rsyslog --verbose
    Installed Packages
    Name         : rsyslog
    Version      : 8.37.0
    Release      : 6.el8
    Arch         : x86_64
    Size         : 2.2 M
    Source       : rsyslog-8.37.0-6.el8.src.rpm
    Repo         : @System
    Install time : Thu Dec 27 12:24:35 2018
    Installed by : [...]

    And lastly, systemd should know about the service (not running), which means the service files are in place:

    # systemctl status rsyslog.service
    ● rsyslog.service - System Logging Service
       Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
       Active: inactive (dead)
         Docs: man:rsyslogd(8)

  3. To start, stop, and get the status of the service, we use systemctl. In the previous step we saw the just-installed service in the inactive state. We can start it with:
    # systemctl start rsyslog.service

    And stop with:

    # systemctl stop rsyslog.service

    The status showed that the service is enabled on installation, which means it will start automatically on startup of the operating system. We can disable this autostart feature with:

    # systemctl disable rsyslog.service

    And enable it again the same way:

    # systemctl enable rsyslog.service
  4. To test if the service is functional (that is, accepting syslog events from the system), we can use logger:
    # echo "test message from user root" | logger

    And see the message properly shipped into the main syslog file by checking the last lines of /var/log/messages:

    # tail /var/log/messages 
    Dec 27 12:39:46 rhel8 rsyslogd[2636]: [origin software="rsyslogd" swVersion="8.37.0-6.el8" x-pid="2636" x-info=""] start
    Dec 27 12:39:46 rhel8 systemd[1]: Started System Logging Service.
    Dec 27 12:41:56 rhel8 testuser[2668]: test message from user root

    Where rhel8 is the hostname of the lab machine, testuser is the original user that switched to root, the number in brackets is the PID of our session, and the rest is our message from echo piped to logger's STDIN.
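
The manual test in step 4 can be turned into a repeatable self-test. The script below is an added example, not part of the original tutorial: it sends a uniquely marked message with logger, waits for it to appear in the log file, and splits the matching line into the fields described above. It assumes the traditional line format shown in the tail output; the syslog-selftest tag, the --check switch and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): end-to-end syslog self-test.
# Assumptions: rsyslog writes the traditional "Mon DD HH:MM:SS host tag[pid]: msg"
# format to /var/log/messages; the "syslog-selftest" tag is a made-up name.
LOG_FILE="${LOG_FILE:-/var/log/messages}"

# Split one log line into "host|tag|pid|message"; fail if it does not parse.
parse_syslog_line() {
    out=$(printf '%s\n' "$1" | sed -nE \
      's/^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} ([^ ]+) ([^][ :]+)(\[([0-9]+)\])?: (.*)$/\1|\2|\4|\5/p')
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Poll FILE once per second, up to TRIES times, for a line containing MARKER.
find_marker() {  # usage: find_marker MARKER FILE [TRIES]
    marker=$1; file=$2; tries=${3:-5}
    while [ "$tries" -gt 0 ]; do
        line=$(grep -F -- "$marker" "$file" 2>/dev/null | tail -n 1)
        if [ -n "$line" ]; then printf '%s\n' "$line"; return 0; fi
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Live check: service active, unique message sent, message found and parsed.
check_syslog() {
    if ! systemctl is-active --quiet rsyslog.service; then
        echo "FAIL: rsyslog.service is not active" >&2; return 2
    fi
    marker="selftest-$$-$(date +%s)"
    logger -t syslog-selftest "$marker"
    if ! line=$(find_marker "$marker" "$LOG_FILE" 5); then
        echo "FAIL: $marker never reached $LOG_FILE" >&2; return 1
    fi
    echo "OK: $(parse_syslog_line "$line")"
}

# Run against the live system only when invoked with --check (as root).
if [ "${1:-}" = "--check" ]; then check_syslog; fi
```

A non-zero exit status from the --check run distinguishes a stopped service (2) from a message that was sent but never written to the file (1), which makes the script usable from cron or a monitoring agent.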