How to configure remote logging with rsyslog


Environment

  • Red Hat Enterprise Linux 5 (RHEL5)
  • Red Hat Enterprise Linux 6 (RHEL6) or later
  • rsyslog

Issue

  • How to configure remote logging with rsyslog
  • How to configure system to accept remote log messages in Red Hat Enterprise Linux
  • How to send remote log messages to another server with rsyslog
  • How to configure RHEV Hypervisor for remote logging using rsyslog

Resolution

In RHEL6, rsyslog is the default logging daemon; in RHEL5, rsyslog is available but not installed by default.

  • Install rsyslog

    # yum -y install rsyslog
    
  • Configure rsyslog using TCP

    1. Configure the remote server to accept remote log messages using TCP.

      Uncomment the following lines in the MODULES section of /etc/rsyslog.conf. In RHEL5, add the lines to the beginning of /etc/rsyslog.conf:

      $ModLoad imtcp
      $InputTCPServerRun 514
      

      Restart rsyslog.

      [root@server ~]# service rsyslog restart
      

      In RHEL5, first stop the default syslog daemon, then restart rsyslog.

      [root@server ~]# service syslog stop
      [root@server ~]# service rsyslog restart
      
    2. Configure rsyslog to send log events to another server using TCP.

      Add the following lines to the RULES section of /etc/rsyslog.conf, or in RHEL5 at the end of /etc/rsyslog.conf:

      # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
      $ActionQueueFileName fwdRule1 # unique name prefix for spool files
      $ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
      $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
      $ActionQueueType LinkedList   # run asynchronously
      $ActionResumeRetryCount -1    # infinite retries if host is down
      *.*         @@10.10.10.1:514
      

      You can also specify the severity to send, for example info messages:

      *.info      @@10.10.10.1:514
      

      Restart rsyslog.

      [root@client ~]# service rsyslog restart
      

      In RHEL5, first stop the default syslog daemon, then restart rsyslog.

      [root@client ~]# service syslog stop
      [root@client ~]# service rsyslog restart
      
  • Configure rsyslog using UDP

    1. Configure the remote server to accept remote log messages using UDP.

      Uncomment the following lines in the MODULES section of /etc/rsyslog.conf. In RHEL5, add the lines to the beginning of /etc/rsyslog.conf:

      # Provides UDP syslog reception  
      $ModLoad imudp
      $UDPServerRun 514
      

      Restart rsyslog.

      [root@server ~]# service rsyslog restart
      

      In RHEL5, first stop the default syslog daemon, then restart rsyslog.

      [root@server ~]# service syslog stop
      [root@server ~]# service rsyslog restart
      
    2. Configure rsyslog to send log events to another server using UDP.

      Add the following line to the RULES section of /etc/rsyslog.conf, or in RHEL5 at the end of /etc/rsyslog.conf:

      # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
      #*.* @remote-host:514
      *.*         @10.10.10.1:514
      

      You can also specify the severity to send, for example info messages:

      *.info      @10.10.10.1:514
      

      Restart rsyslog.

      [root@client ~]# service rsyslog restart
      

      In RHEL5, first stop the default syslog daemon, then restart rsyslog.

      [root@client ~]# service syslog stop
      [root@client ~]# service rsyslog restart
      
  • Test the configuration:

    On client (rsyslog sending out the messages):

    [root@client ~]# logger Test from system  
    [root@client ~]# tail /var/log/messages  
    Dec 25 00:00:01 client root: Test from system
    

    On server (rsyslog receiving the messages):

    [root@server ~]# tail /var/log/messages  
    Dec 25 00:00:01 client root: Test from system
    
  • While not specifically rsyslog related, additional SELinux changes are required if you would like to run rsyslog on a non-standard port. This additional configuration is not necessary under normal usage. In place of 'tcp 514', use the alternate protocol and port you wish to use.

    # semanage port -l | grep syslog
    syslogd_port_t                 udp      514
    # semanage port -a -t syslogd_port_t -p tcp 514

Note: when configuring remote logging, please make sure to also review and configure action queues in order to avoid potential issues when the remote rsyslog server is unreachable.
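
As an added example (not part of the original solution), the following shell function audits a legacy-format rsyslog.conf for the directives used above: it lists enabled listeners and every forwarding rule, and flags forwarding rules with no action queue configured in front of them. It assumes rsyslog's legacy-format behaviour that $ActionQueue* directives apply only to the next action; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a legacy-format rsyslog.conf (file argument or stdin).
# Prints one finding per line:
#   listen  <tcp|udp> <port>
#   forward <tcp|udp> <target> <queued|unqueued>
audit_rsyslog_conf() {
    awk '
    { sub(/[ \t]*#.*/, "") }      # strip whole-line and trailing comments
    NF == 0 { next }              # nothing left on the line
    $1 == "$InputTCPServerRun" { print "listen tcp", $2; next }
    $1 == "$UDPServerRun"      { print "listen udp", $2; next }
    $1 == "$ActionQueueType"   { queued = (tolower($2) != "direct"); next }
    $1 ~ /^\$/                 { next }   # any other directive
    NF >= 2 {
        # Rule line: the last field is the action; @ is UDP, @@ is TCP.
        if ($NF ~ /^@/) {
            proto = ($NF ~ /^@@/) ? "tcp" : "udp"
            target = $NF
            sub(/^@+/, "", target)
            print "forward", proto, target, (queued ? "queued" : "unqueued")
        }
        queued = 0   # assumption: queue settings cover the next action only
    }
    ' "${1:--}"
}

# Constructed sample: the TCP listener and queued TCP forwarding block from
# this page, followed by a UDP rule that does not repeat the queue directives.
sample_conf() {
    cat <<'EOF'
$ModLoad imtcp
$InputTCPServerRun 514
#$ModLoad imudp
#$UDPServerRun 514
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
*.*         @@10.10.10.1:514
*.info      @10.10.10.1:514
EOF
}

sample_conf | audit_rsyslog_conf
```

On a real system, run `audit_rsyslog_conf /etc/rsyslog.conf`; an `unqueued` forwarding rule is one whose messages have no queue to wait in while the remote server is unreachable.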
