Centralized logging with rsyslog
Configuring the server to receive logs
Edit server config file:
sudo nano /etc/rsyslog.conf
Find the following lines:
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
Uncomment the second pair (the imtcp module and input lines) to receive logs over TCP.
Don't forget to open the port on the firewall.
Check that rsyslog is listening on the port:
sudo ss -tulnp | grep "rsyslog"
To change default log storage location
In order not to store (and mix) all logs in /var/log, add the following to the main config file (/etc/rsyslog.conf):
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~
The $template RemoteLogs directive instructs Rsyslog to store all incoming log entries in the location that is defined by the third parameter.
In our case, the remote logs will still be stored under the /var/log directory, but each client will have its own subdirectory named after the client hostname.
This subdirectory will store each log entry in a file that matches the client program that generated it.
On the following line, the *.* ?RemoteLogs directive applies the RemoteLogs rule to all facilities at all priority levels (in other words, to all logs).
Finally, the & ~ directive tells Rsyslog to stop processing a message once it has been stored in the file defined by the previous line.
Without this line, the default rules that follow would still apply to these messages and override the effect of the previous rule.
Forwarding logs from an Rsyslog client
Edit /etc/rsyslog.d/50-default.conf
Add:
*.* @@<your_rsyslog_server_ip_address>:514
A single @ forwards over UDP, @@ forwards over TCP.
You can also forward only selected facilities, such as cron.* @@0.0.0.0:514 or apache2.* @@0.0.0.0:514.
You can also forward logs to more than one server:
*.* @@0.0.0.0:514
*.* @@192.168.122.235
cron.* @@192.168.122.237:514
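As an added example (not part of the original post), the shell functions below audit forwarding rules written in the @host:port syntax used above, count the UDP forwards (which give no delivery guarantee), and check that the client-supplied %HOSTNAME% and %PROGRAMNAME% values the RemoteLogs template turns into a path are safe as single path components. The sample config and its addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audits rsyslog forwarding rules in
# the legacy "@host:port" syntax shown above and checks the client-supplied
# fields that the RemoteLogs template turns into a file path.

# Constructed sample of a client's /etc/rsyslog.d/50-default.conf (not real hosts)
SAMPLE_CONF='*.* @@192.0.2.10:514
*.* @192.0.2.11
cron.* @@192.0.2.12:10514
auth.* /var/log/auth.log'

# parse_forward_rule "SELECTOR ACTION" -> "selector proto host port"
# A single @ forwards over UDP, @@ over TCP; a missing port means 514.
parse_forward_rule() {
    selector=${1%% *}
    action=${1#* }
    case "$action" in
        @@*) proto=tcp; target=${action#@@} ;;
        @*)  proto=udp; target=${action#@} ;;
        *)   return 1 ;;   # writes to a local file, not a forward
    esac
    case "$target" in
        *:*) host=${target%%:*}; port=${target##*:} ;;
        *)   host=$target;        port=514 ;;
    esac
    printf '%s %s %s %s\n' "$selector" "$proto" "$host" "$port"
}

# count_udp_forwards CONF -> number of UDP forwards. UDP messages are silently
# lost when the collector is down, so prefer @@ (TCP) for security-relevant logs.
count_udp_forwards() {
    printf '%s\n' "$1" | while read -r line; do
        parse_forward_rule "$line" || :
    done | grep -c ' udp ' || :
}

# is_safe_path_component VALUE -> 0 if VALUE may be used as one directory or
# file name under /var/log. %HOSTNAME% and %PROGRAMNAME% come from the client,
# so a value like "../../etc" must not be allowed to choose the output path.
is_safe_path_component() {
    case "$1" in
        ''|.|..|*[![:alnum:]._-]*) return 1 ;;
    esac
    return 0
}
```

The path check is a sanity test only; rsyslog's property replacer also offers the secpath-drop and secpath-replace options to neutralise such values inside the template itself.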