Rsyslogd configuration – sending syslog files to a remote host

Abstract

This article shows how rsyslog.conf must be configured on both machines to send syslog messages from machine A to machine B using UDP.

Log Server configuration

Uncomment the following two lines in /etc/rsyslog.conf:

Ubuntu

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

Redhat

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Then restart the service:
# service rsyslog restart
You should now see that your server listens on UDP port 514:
# netstat -an |egrep '^udp.*514'
udp 0 0 0.0.0.0:514 0.0.0.0:*
udp6 0 0 :::514 :::*

Log Client configuration

Client configuration can be done either in /etc/rsyslog.conf or in one of the files in the /etc/rsyslog.d/ directory.

To send all logs to the server, provide a filter and a destination like this:
*.* @192.168.1.2:514

This line is worth a little explanation:

  • *.* is the “FACILITY.PRIORITY” filter. It means that we don't actually filter anything. You can filter facilities by replacing the first asterisk with any of the facility values (kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, or local0 through local7). You can filter priorities by replacing the second asterisk with a priority level (debug, info, notice, warning, err, crit, alert, or emerg).
  • @192.168.1.2:514 is the destination IP and port. A single “@” means a UDP connection; a double “@@” would indicate a TCP connection.
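The selector and destination syntax described above can be checked mechanically when auditing which messages leave a host and over which transport. The following is an added example, not part of the original article: parse_rule, is_forwarded and pri_value are hypothetical helper names, only the simple "facility.priority @host:port" form is handled, a default port of 514 is assumed, and a named priority is treated as "that level and more severe", which is standard syslog selector behaviour.

```python
import re

# Facility and severity codes as used in the syslog PRI field
FACILITIES = {name: i for i, name in enumerate(
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp".split())}
FACILITIES.update({f"local{n}": 16 + n for n in range(8)})
SEVERITIES = {name: i for i, name in enumerate(
    "emerg alert crit err warning notice info debug".split())}

RULE = re.compile(r"^(?P<fac>[\w*]+)\.(?P<pri>[\w*]+)\s+"
                  r"(?P<at>@@?)(?P<host>[^:@\s]+)(?::(?P<port>\d+))?$")

def parse_rule(line):
    """Parse one simple forwarding rule such as '*.* @192.168.1.2:514'."""
    m = RULE.match(line.strip())
    if not m:
        raise ValueError(f"not a simple forwarding rule: {line!r}")
    fac, pri = m["fac"], m["pri"]
    if fac != "*" and fac not in FACILITIES:
        raise ValueError(f"unknown facility: {fac}")
    if pri not in ("*", "none") and pri not in SEVERITIES:
        raise ValueError(f"unknown priority: {pri}")
    return {"facility": fac, "priority": pri,
            "transport": "tcp" if m["at"] == "@@" else "udp",
            "host": m["host"], "port": int(m["port"] or 514)}

def is_forwarded(rule, facility, severity):
    """True if a message with this facility/severity matches the rule's filter."""
    if rule["facility"] not in ("*", facility) or rule["priority"] == "none":
        return False
    if rule["priority"] == "*":
        return True
    # Lower number = more severe; a named priority matches itself and above
    return SEVERITIES[severity] <= SEVERITIES[rule["priority"]]

def pri_value(facility, severity):
    """Numeric PRI placed at the start of a syslog message: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]

if __name__ == "__main__":
    # Constructed sample rules; the first is the one from the article
    for line in ("*.* @192.168.1.2:514", "authpriv.warning @@192.168.1.2"):
        rule = parse_rule(line)
        print(line, "->", rule, "| authpriv.info forwarded:",
              is_forwarded(rule, "authpriv", "info"))
```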

Logging from files

Most applications don’t use the system logging facility, so the above configuration won’t help. However, it is possible to configure rsyslog to read an application log file and send its contents to the remote server.

For example, to send the contents of /var/log/grafana/grafana.log to the remote host, adapt rsyslog.conf as follows:

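# Load the text file input module; watched files are polled every 10 seconds
module(load="imfile" PollingInterval="10")
# Read grafana.log and turn each line into a syslog message (local6.debug)
input(type="imfile" File="/var/log/grafana/grafana.log"
      tag="grafana.log"
      StateFile="/var/spool/rsyslog/statefile1"
      Severity="debug"
      Facility="local6")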

