Sending logs to a syslog server

If you are running a Linux server, go ahead and install rsyslog.

yum install rsyslog

You will need to edit the rsyslog config file.

vi /etc/rsyslog.conf

Add the uncommented line shown below to the forwarding rule section.

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
*.*  @@<syslog-server-ip>:514
# ### end of the forwarding rule ###


Save the file and exit vi. Next, you will need to enable and start rsyslog. Use the following two commands.

systemctl enable rsyslog

systemctl start rsyslog

On the client server (the one you are currently working on), let's send a test message.

logger "This is a test."


 

Check the messages on the syslog server. If the test message doesn't come through, double-check your local firewall and make sure port 514 is open for UDP and TCP.

tail -10 /var/log/messages


 

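Adding the first line below tells your server to send all logs to the syslog server. The other lines are narrower selectors: cron.* and mail.* forward only the cron and mail facilities, and *.info forwards messages of priority info or higher from every facility.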

*.*  @@<syslog-server-ip>:514 
cron.* @@<syslog-server-ip>:514
mail.* @@<syslog-server-ip>:514  
*.info @@<syslog-server-ip>:514 

Feel free to choose whatever logs you would like to send. I chose to send all of them… just makes it a little easier.
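To confirm which rules are actually active after editing /etc/rsyslog.conf, the following added example (not part of the original post) lists every uncommented forwarding rule with its transport, host and port. The function names and the sample config (192.0.2.10, loghost.example) are constructed for illustration; it assumes hostname or IPv4 targets and reports a missing port as 514.

```shell
#!/bin/sh
# Added example, not from the original post: audit the forwarding rules in an
# rsyslog config written in the legacy "selector @@host:port" syntax.

# Print "selector transport host port" for every uncommented forwarding rule.
# "@@" is TCP and a single "@" is UDP; a missing port is reported as 514.
# Assumption: targets are hostnames or IPv4 addresses (no bracketed IPv6).
list_forward_rules() {
    awk '
        /^[[:space:]]*#/ { next }    # commented-out lines are inactive
        NF >= 2 && $2 ~ /^@/ {
            target = $2
            transport = (target ~ /^@@/) ? "tcp" : "udp"
            sub(/^@+/, "", target)
            port = "514"
            n = index(target, ":")
            if (n > 0) {
                port = substr(target, n + 1)
                target = substr(target, 1, n - 1)
            }
            print $1, transport, target, port
        }
    ' "$1"
}

# Count rules that still use UDP, which gives no delivery guarantee.
udp_rule_count() {
    list_forward_rules "$1" | awk '$2 == "udp" { n++ } END { print n + 0 }'
}

# Constructed sample config (192.0.2.10 and loghost.example are placeholders).
write_sample_conf() {
    cat > "$1" <<'EOF'
#*.* @@remote-host:514
*.*  @@192.0.2.10:514
cron.* @192.0.2.10
mail.* @@loghost.example:6514
*.info /var/log/messages
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
list_forward_rules "$conf"
echo "UDP rules: $(udp_rule_count "$conf")"
rm -f "$conf"
```

On a real client, point list_forward_rules at /etc/rsyslog.conf; a rule you expected to see that is missing from the output is usually still commented out.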

 

 
