Configure rsyslogd to forward logs over a certain interface, e.g. eth0

On my RHEL 6.9 system, there are eth0, eth1, and eth2. When I configure rsyslogd to forward logs to a remote server (tcp, port 601), it is doing so over eth2. Is there a way to configure rsyslogd to forward logs over eth0 instead?

Responses

Hi Mollick,

Can you provide more information?

rsyslog server

ip addr
ip route show

remote server

ip addr

Hello Paul,

Thank you.

"ip route show" does show the default gateway is eth2, and that is probably why the rsyslogd traffic is going over that interface.

I know if I reconfigure my system to have eth0 as the default gateway, the rsyslogd traffic will be forwarded to the remote server (log collector) via eth0. However, I do not want to change the default gateway!

I was wondering if rsyslogd could be configured to use a specific interface instead of using the system's default gateway. I won't be surprised if that is not possible!

This is not an issue that can be fixed in the 'rsyslog' configuration - this is a TCP routing issue (layer 3 networking). All you can do with 'rsyslog' is give it a specific hostname or IP address to send traffic to; exactly how that traffic is sent is up to the system's network configuration.

That said, it shouldn't be too hard to force the outgoing rsyslog traffic to go via the eth0 interface (as long as the network is set up to allow that - there must be a gateway (router) device on the subnet which is attached to eth0). I can't test this (don't have a triple-homed host), so please check "man ip-route" or "ip route help" for the details...but something like this should work:

ip route add (IP-of-remote-syslog-host)/32 via (IP-of-gateway-on-eth0)

(you may also have to add a "weight" parameter to force a higher priority than other routes defined on the system).

Be careful with this sort of configuration; it can lead to asymmetric routes, which can cause problems with firewalls. You might have to set an equivalent rule on the syslog host to make sure return traffic goes via the same path. Not to mention the general confusion among sysadmin and network admin staff caused by per-host unique routes.

I'm not sure if rsyslogd can be configured for a specific interface or not, but what you are asking is limited by your network configuration really as opposed to rsyslogd.

I'm guessing you have something like this:

eth0 networkA (not routable)
eth1 networkB (not routable)
eth2 networkC (default gateway)

Any traffic with a destination on networkA will use eth0.
Any traffic with a destination on networkB will use eth1.
Any traffic with a destination on networkC or some other network routable from networkC will use eth2.

So, if your remote rsyslogd server is not on networkA, you can not use eth0 to send rsyslog traffic to it.
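The route selection described in the two answers above, modelled as an added example that is not part of the original thread: longest-prefix match decides the egress interface, so a /32 host route for the log collector overrides the default gateway without touching other traffic. The subnets, the collector address 192.0.2.50, the gateway 10.0.1.1 and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed routing table modelled on the layout guessed above; all
# addresses are private/documentation ranges chosen for illustration.
ROUTES = [
    # (destination, gateway or None for on-link, device, metric)
    ("10.0.1.0/24", None, "eth0", 0),      # networkA
    ("10.0.2.0/24", None, "eth1", 0),      # networkB
    ("10.0.3.0/24", None, "eth2", 0),      # networkC
    ("0.0.0.0/0", "10.0.3.1", "eth2", 0),  # default gateway on eth2
]
COLLECTOR = "192.0.2.50"  # hypothetical remote syslog host

def lookup(routes, dst):
    """Return (device, gateway) chosen for dst: the longest matching
    prefix wins, and a lower metric breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev, metric in routes:
        network = ipaddress.ip_network(net)
        if addr in network:
            key = (network.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, dev, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def add_host_route(routes, host, gateway, dev):
    """Model `ip route add HOST/32 via GATEWAY`: the gateway must be
    directly reachable (on-link) on dev, or the route is refused."""
    gw_dev, gw_via = lookup(routes, gateway)
    if gw_via is not None or gw_dev != dev:
        raise ValueError(f"{gateway} is not directly reachable on {dev}")
    return routes + [(f"{host}/32", gateway, dev, 0)]

if __name__ == "__main__":
    print("before:", lookup(ROUTES, COLLECTOR))        # leaves via eth2
    fixed = add_host_route(ROUTES, COLLECTOR, "10.0.1.1", "eth0")
    print("after: ", lookup(fixed, COLLECTOR))         # leaves via eth0
    print("other: ", lookup(fixed, "198.51.100.7"))    # still via eth2
```

On the real host, `ip route get` followed by the collector's address reports the interface the kernel will actually use, which is the check to run after adding the route.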
