Rsyslog : Output Logs to Remote Hosts2020/02/10 |
Configure Rsyslog to output logs to remote hosts.
This example based on environment like follows. +----------------------+ | +----------------------+ | [ Syslog Server ] |10.0.0.30 | 10.0.0.51| [ Syslog Client ] | | dlp.srv.world +----------+----------+ node01.srv.world | | | | | +----------------------+ +----------------------+ |
[1] | On Syslog Server, Configure to receive logs via TCP from remote hosts. |
[root@dlp ~]#
vi /etc/rsyslog.conf # line 24-25: uncomment module(load="imtcp") # needs to be done just once input(type="imtcp" port="514") # add setting to allow log senders
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24, *.srv.world
systemctl restart rsyslog |
[2] | On Syslog Server, if Firewalld is running, allow port. |
[root@dlp ~]# firewall-cmd --add-port=514/tcp --permanent success [root@dlp ~]# firewall-cmd --reload success |
[3] | Configure on Syslog Client Host. |
# in addition to existing settings (output to local log files), # send logs to remote host, too [root@node01 ~]# vi /etc/rsyslog.conf # add to the end action(type="omfwd" queue.filename="fwdRule_dlp.srv.world" queue.maxdiskspace="1g" queue.saveonshutdown="on" queue.type="LinkedList" action.resumeRetryCount="-1" Target="dlp.srv.world" Port="514" Protocol="tcp") # for the case to send specific facility logs # for example, set [authpriv] [root@node01 ~]# vi /etc/rsyslog.conf # comment put existing line if you do not want to output to local filesystem #authpriv.* /var/log/secure authpriv.* action(type="omfwd" queue.filename="fwdRule_dlp.srv.world" queue.maxdiskspace="1g" queue.saveonshutdown="on" queue.type="LinkedList" action.resumeRetryCount="-1" Target="dlp.srv.world" Port="514" Protocol="tcp")[root@node01 ~]# systemctl restart rsyslog |
[4] | After configuration of above, Make sure logs from Syslog client Hosts are recorded on Syslog Server Host. |
[root@dlp ~]# tail /var/log/messages Feb 5 19:50:34 node01 rsyslogd[2022]: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime [v8.37.0-13.el8 try http://www.rsyslog.com/e/2442 ] Feb 5 19:50:34 node01 systemd[1]: Started System Logging Service. Feb 5 19:50:34 node01 rsyslogd[2022]: [origin software="rsyslogd" swVersion="8.37.0-13.el8" x-pid="2022" x-info="http://www.rsyslog.com"] start Feb 5 19:54:37 node01 sssd[kcm][1970]: Shutting down Feb 5 19:59:39 node01 systemd[1]: Starting dnf makecache... Feb 5 19:59:40 node01 dnf[2037]: Metadata cache refreshed recently. Feb 5 19:59:40 node01 systemd[1]: Started dnf makecache. Feb 5 20:06:01 dlp systemd[1]: Starting dnf makecache... Feb 5 20:06:01 dlp dnf[2254]: Metadata cache refreshed recently. Feb 5 20:06:01 dlp systemd[1]: Started dnf makecache. |
Sponsored Link |
|