Abstract
This article shows how rsyslog.conf must be configured on both machines to send syslog messages from machine A to machine B over UDP.
Log Server configuration
Uncomment the following two lines in /etc/rsyslog.conf:
Ubuntu
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
Redhat
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Then restart the service with: service rsyslog restart
You should now see that your server is listening on UDP port 514:
# netstat -an |egrep '^udp.*514'
udp 0 0 0.0.0.0:514 0.0.0.0:*
udp6 0 0 :::514 :::*
Log Client configuration
Client configuration can be done either in /etc/rsyslog.conf or in one of the files in the /etc/rsyslog.d/ directory.
To send all logs to the server, provide a filter and a destination like this:
*.* @192.168.1.2:514
I think this is worth a little explanation:
- *.* is the “FACILITY”.“PRIORITY” filter; here it means that nothing is actually filtered out. You can filter by facility by replacing the first asterisk with any of the facility values (kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, or local0 through local7). You can filter by priority by replacing the second asterisk with a priority level (debug, info, notice, warning, err, crit, alert, or emerg).
- @192.168.1.2:514 is the destination IP and port. A single “@” means a UDP connection; a double “@@” would indicate a TCP connection.
Logging from files
Most applications don’t use the system logging facility, so the above configuration won’t help for them. However, it is possible to configure rsyslog to read an application’s log file and send its contents over to the remote server.
For example, if I want to send the contents of /var/log/grafana/grafana.log to the remote host, I adapt rsyslog.conf as follows:
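# Load the text file input module (PollingInterval is in seconds)
module(load="imfile" PollingInterval="10")
# Read new lines from grafana.log and submit them as local6.debug messages
input(type="imfile" File="/var/log/grafana/grafana.log"
      tag="grafana.log"
      StateFile="/var/spool/rsyslog/statefile1"
      Severity="debug"
      Facility="local6")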
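To make the selector explanation and the imfile settings above concrete, the following added example (not code from the original article or from rsyslog) parses a simple forwarding rule, computes the PRI value that local6.debug lines carry on the wire, and checks whether a given message would be forwarded. It relies on standard selector behaviour, where a named priority selects that level and every more severe one; the function names and the local6.err rule are constructed for illustration.

```python
import re

# Standard syslog facility and severity codes
FACILITIES = {n: c for c, n in enumerate(
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp".split())}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {n: c for c, n in enumerate(
    "emerg alert crit err warning notice info debug".split())}

# selector, whitespace, "@" (UDP) or "@@" (TCP), host, optional ":port"
RULE_RE = re.compile(r"^([\w*]+)\.([\w*]+)\s+(@@?)([^@:\s]+)(?::(\d+))?$")


def parse_forward_rule(line):
    """Split 'FACILITY.PRIORITY @host:port' into its parts."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a simple forwarding rule: {line!r}")
    facility, priority, at, host, port = m.groups()
    for value, table in ((facility, FACILITIES), (priority, SEVERITIES)):
        if value != "*" and value not in table:
            raise ValueError(f"unknown selector part: {value!r}")
    return {"facility": facility, "priority": priority,
            "transport": "tcp" if at == "@@" else "udp",
            "host": host, "port": int(port or 514)}  # 514 is the default port


def pri(facility, severity):
    """PRI value sent in the <...> header: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def selector_matches(rule, facility, severity):
    """True if the rule forwards a message with this facility and severity."""
    if rule["facility"] not in ("*", facility):
        return False
    if rule["priority"] == "*":
        return True
    # Lower numeric code means more severe, so "err" also selects crit, alert, emerg
    return SEVERITIES[severity] <= SEVERITIES[rule["priority"]]


if __name__ == "__main__":
    rule = parse_forward_rule("*.* @192.168.1.2:514")  # rule from the article
    print(rule, "PRI of grafana lines:", pri("local6", "debug"))
    strict = parse_forward_rule("local6.err @@192.168.1.2")  # constructed variant
    print("debug forwarded by local6.err?",
          selector_matches(strict, "local6", "debug"))
```

With the article's *.* rule the grafana.log lines are forwarded; a narrower selector such as local6.err would silently drop them because they are tagged debug.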