Remote Syslog Server
Sources:
These notes are intended for Ubuntu 18.04!
Install and Configure Rsyslog Server
dpkg -l | grep rsyslog
apt-get update && apt-get install rsyslog
systemctl start rsyslog
systemctl enable rsyslog
systemctl status rsyslog
Check rsyslog version (v7 vs. v8!):
rsyslogd -v
General configuration
#
# /etc/rsyslog.conf
#

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
and/or
# provides TCP syslog reception
module(load="imtcp")
# RPC service is using this port as well.
input(type="imtcp" port="50514")
Restrictions:
# GLOBAL DIRECTIVES
$AllowedSender UDP, 192.168.1.0/24, [::1]/128, *.fromdual.com
$AllowedSender UDP, 192.168.56.0/24, [::1]/128, *.fromdual.com
$AllowedSender TCP, 192.168.1.0/24, [::1]/128, *.fromdual.com
$AllowedSender TCP, 192.168.56.0/24, [::1]/128, *.fromdual.com
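To check which peers the $AllowedSender lines above actually admit before restarting the daemon, here is an added Python example (not part of the original notes and not rsyslog's own code) that parses the directive lines in the format shown and evaluates a peer address against them. The rule text is a constructed copy of the four lines above. rsyslog matches hostname patterns such as *.fromdual.com against the reverse-DNS name of the peer; this function does no DNS lookup and instead takes the resolved name as an argument. Keep in mind that the list only filters by source address, and a UDP source address is not authenticated, so it limits noise rather than proving where a message came from.

```python
"""Evaluate rsyslog $AllowedSender rules offline (added example, not rsyslog code)."""
import fnmatch
import ipaddress

# Constructed excerpt of the GLOBAL DIRECTIVES from the notes.
RULES_TEXT = """\
$AllowedSender UDP, 192.168.1.0/24, [::1]/128, *.fromdual.com
$AllowedSender UDP, 192.168.56.0/24, [::1]/128, *.fromdual.com
$AllowedSender TCP, 192.168.1.0/24, [::1]/128, *.fromdual.com
$AllowedSender TCP, 192.168.56.0/24, [::1]/128, *.fromdual.com
"""


def parse_allowed_senders(text):
    """Return {"UDP": [...], "TCP": [...]} holding ip_network objects and hostname globs.

    Entries are comma separated after the protocol; IPv6 literals are written in
    brackets ([::1]/128), which are stripped before parsing.
    """
    rules = {"UDP": [], "TCP": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("$AllowedSender"):
            continue
        fields = [f.strip() for f in line.split(None, 1)[1].split(",")]
        proto, entries = fields[0].upper(), fields[1:]
        bucket = rules.setdefault(proto, [])
        for entry in entries:
            entry = entry.replace("[", "").replace("]", "")  # [::1]/128 -> ::1/128
            try:
                bucket.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                bucket.append(entry)  # not an address: hostname pattern such as *.fromdual.com
    return rules


def sender_allowed(rules, proto, peer_ip, peer_name=None):
    """True if peer_ip (or its reverse-DNS name, if given) matches a rule for proto.

    peer_name stands in for the reverse lookup rsyslog performs; it is an
    assumption of this example that the caller supplies a trustworthy name.
    """
    ip = ipaddress.ip_address(peer_ip)
    for entry in rules.get(proto.upper(), []):
        if isinstance(entry, str):
            if peer_name and fnmatch.fnmatchcase(peer_name.lower(), entry.lower()):
                return True
        elif ip.version == entry.version and ip in entry:
            return True
    return False


if __name__ == "__main__":
    rules = parse_allowed_senders(RULES_TEXT)
    for proto, ip in [("UDP", "192.168.1.102"), ("TCP", "10.0.0.5"), ("UDP", "::1")]:
        print(proto, ip, "allowed" if sender_allowed(rules, proto, ip) else "rejected")
```

Feed it the real lines from /etc/rsyslog.conf to confirm that every client in the network plan falls inside one of the ranges for the protocol it uses.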
Specific configuration:
#
# /etc/rsyslog.d/remote_syslog.conf
#
$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
*.* ?RemInputLogs
Check syntax:
rsyslogd -N 1
systemctl restart rsyslog
systemctl status rsyslog
Check /var/log/syslog for errors!
Verify it works:
ss -tulnp | grep -e rsyslog -e State
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:514         0.0.0.0:*          users:(("rsyslogd",pid=11743,fd=6))
udp   UNCONN 0      0      [::]:514            [::]:*             users:(("rsyslogd",pid=11743,fd=7))
tcp   LISTEN 0      25     0.0.0.0:50514       0.0.0.0:*          users:(("rsyslogd",pid=11743,fd=8))
tcp   LISTEN 0      25     [::]:50514          [::]:*             users:(("rsyslogd",pid=11743,fd=9))
Configure Rsyslog Client to send Logs to Rsyslog Server
dpkg -l | grep rsyslog
apt-get update && apt-get install rsyslog
systemctl start rsyslog
systemctl enable rsyslog
systemctl status rsyslog
Configuration:
#
# /etc/rsyslog.d/remote_logging.conf
#

# 192.168.1.142 is the IP of the Rsyslog Server!

# UDP
*.* @192.168.1.142:514

# The $ActionQueue* directives apply to the action that follows them
# (and are reset afterwards), so they must precede the TCP action.
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

# TCP
auth,authpriv.* @@192.168.1.142:50514
Check configuration:
rsyslogd -N 1
systemctl restart rsyslog
Check /var/log/syslog for errors.
Send messages to remote syslog server from client
# IP of rsyslog server
telnet 192.168.1.142 50514
Trying 192.168.1.142...
Connected to 192.168.1.142.
Escape character is '^]'.
Connection closed by foreign host.

nc -u 192.168.1.142 514
Hello Server
^C

logger "Test message from client"
logger -n 192.168.1.142 --udp --port=514 "Test message from client over UDP"
logger -n 192.168.1.142 --tcp --port=50514 "Test message from client over TCP"
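The logger commands above hide what actually goes over the wire. The following added Python example (not from the original notes, and not the code of rsyslog or util-linux logger) builds a BSD-style RFC 3164 message with the PRI value that selects the facility and severity, sends it as one UDP datagram or as a newline-terminated TCP record the way imtcp expects, and mirrors the RemInputLogs template from the server section to show under which file the server will store it. The server address and ports are passed in by the caller (the notes' 192.168.1.142 is only the default in the demo). The parser is a simplified re-implementation of how the program name is taken from the tag, written for illustration, not rsyslog's parser.

```python
"""Format, send and file RFC 3164 syslog messages (added example, not page code)."""
import re
import socket
import time

# Facility and severity codes from RFC 3164; PRI = facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def pri(facility, severity):
    """PRI value, e.g. auth.info -> 4 * 8 + 6 = 38."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_rfc3164(facility, severity, hostname, tag, msg, pid=None, now=None):
    """Build '<PRI>Mmm dd hh:mm:ss host tag[pid]: msg' with a space-padded day."""
    t = time.localtime(now) if now is not None else time.localtime()
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    ident = f"{tag}[{pid}]" if pid is not None else tag
    return f"<{pri(facility, severity)}>{stamp} {hostname} {ident}: {msg}"


def send_udp(line, server, port=514):
    """One datagram per message, no framing (what the '@server:514' action receives)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode(), (server, port))


def send_tcp(line, server, port=50514):
    """imtcp splits the byte stream on newlines, so each record ends with '\\n'."""
    data = (line + "\n").encode()
    with socket.create_connection((server, port), timeout=5) as s:
        s.sendall(data)
    return len(data)


# Simplified server-side view: PRI, BSD timestamp, host, tag with optional [pid], message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


def parse_rfc3164(line):
    """Split a message into its fields; PROGRAMNAME is the tag without the [pid] part."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    p = int(m.group("pri"))
    return {
        "facility": p // 8, "severity": p % 8, "host": m.group("host"),
        "programname": m.group("tag"), "pid": m.group("pid"), "msg": m.group("msg"),
    }


def remote_log_path(fromhost_ip, line, base="/var/log/remotelogs"):
    """Mirror the RemInputLogs template: base/%FROMHOST-IP%/%PROGRAMNAME%.log."""
    return f"{base}/{fromhost_ip}/{parse_rfc3164(line)['programname']}.log"


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.142"  # server IP from the notes
    host = socket.gethostname()
    # auth/authpriv go over TCP in remote_logging.conf, everything else over UDP.
    send_tcp(format_rfc3164("auth", "info", host, "oli", "Test message over TCP"), server)
    send_udp(format_rfc3164("user", "notice", host, "oli", "Test message over UDP"), server)
```

Run it with the server address as the first argument; the auth.info message should then appear on the server under /var/log/remotelogs/<client-ip>/oli.log, the same file the tail command in the next section watches.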
Monitor Remote Logging on the Rsyslog Server
# IP of client
ls -l /var/log/remotelogs/192.168.1.102/
tail -f /var/log/remotelogs/192.168.1.102/oli.log