Sending logs to a syslog server

If you are running a Linux server, go ahead and install rsyslog.

yum install rsyslog

You will need to edit the rsyslog config file.

vi /etc/rsyslog.conf

Add the following line.

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g., port optional
#*.* @@remote-host:514
*.*  @@<syslog-server-ip>:514
# ### end of the forwarding rule ###


Save the file and exit vi. Next, you will need to enable and start rsyslog. Use the following two commands.

systemctl enable rsyslog

systemctl start rsyslog

On the client server (the one you are currently working on), let's send a test message.

logger "This is a test."

Check the messages on the syslog server. If it doesn't come through, double-check your local firewall and make sure port 514 is open for UDP and TCP.

tail -10 /var/log/messages


Adding the line below tells your server to send all logs to the syslog server.

*.*  @@<syslog-server-ip>:514 
cron.* @@<syslog-server-ip>:514
mail.* @@<syslog-server-ip>:514  
*.info @@<syslog-server-ip>:514 

Feel free to choose whatever logs you would like to send. I chose to send all of them… just makes it a little easier.
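
The four selector lines above all point at the same server, and rsyslog runs every rule a message matches, so a message matching several of them is forwarded once per rule. The script below is an added example, not part of the original post: it lists the active forwarding rules in a config file, shows whether each uses TCP (@@) or UDP (@), and flags rules already covered by a *.* rule. The function names and the 192.0.2.x addresses are constructed for illustration, and targets are assumed to be in the name/ip:port form.

```shell
#!/bin/sh
# Added example: audit legacy-syntax forwarding rules in an rsyslog config.
# Assumes targets are written as name/ip:port (the form shown in the post).

# list_forward_rules FILE
# Prints "<selector> <tcp|udp> <host> <port>" for each active rule.
# "@@host" means TCP, "@host" means UDP; the port defaults to 514.
list_forward_rules() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out rule
        NF >= 2 && $2 ~ /^@/ {
            target = $2
            proto = (target ~ /^@@/) ? "tcp" : "udp"
            sub(/^@@?/, "", target)
            port = 514
            if (split(target, parts, ":") == 2) {
                target = parts[1]; port = parts[2]
            }
            print $1, proto, target, port
        }
    ' "$1"
}

# redundant_rules FILE
# Prints rules whose destination already receives everything through a
# "*.*" rule; keeping both sends the same message more than once.
redundant_rules() {
    list_forward_rules "$1" | awk '
        { dst[NR] = $2 " " $3 " " $4; sel[NR] = $1
          if ($1 == "*.*") all[dst[NR]] = 1 }
        END { for (i = 1; i <= NR; i++)
                  if (sel[i] != "*.*" && (dst[i] in all)) print sel[i], dst[i] }
    '
}

# Constructed sample config; 192.0.2.x are documentation addresses.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#*.* @@remote-host:514
*.*  @@192.0.2.10:514
cron.* @@192.0.2.10:514
mail.* @@192.0.2.10:514
*.info @@192.0.2.10:514
authpriv.* @192.0.2.20
EOF
echo "Active forwarding rules:";  list_forward_rules "$sample"
echo "Already covered by *.*:";   redundant_rules "$sample"
rm -f "$sample"
```

On a real host, pass /etc/rsyslog.conf to the two functions after editing it.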


