rsyslog: forward messages to remote server

This tutorial tells how rsyslog is configured to send syslog messages over the network via TCP to a remote server. No advanced topics are covered. We use CentOS 7. This is part of an rsyslog tutorial series.

Scope

We will configure an end node (here: LC) to send messages via TCP to a remote syslog server (here: LR). We do not apply local pre-filtering and we want to make only minimal changes to the CentOS 7 default configuration. In our base lab scenario, this will lead to the following configuration:

Prerequisites

You need to

Setup

We will start by making minimal changes to /etc/rsyslog.conf on LC. The default configuration already contains commented-out configuration bits that we can use for our needs:

The selected text shows the basic elements you need to forward to the syslog server. All you actually need to do is uncomment those lines and adjust the hostname (or IP address) and port number.

Note: the port number must match the port configured at the server side. For almost all simple cases, port 514 (or 10514) is suggested. In our tutorials, we consistently use 514.

The CentOS default configuration is unfortunately written in the obsolete legacy format. For the time being we will use it as-is. We will discuss the drawbacks a bit later.

To apply the configuration change:

  • uncomment the lines
  • save the configuration
  • make rsyslog use the new configuration
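As an added example (not the page's own listing), this is what the forwarding rule looks like once uncommented, assuming the server hostname is LR and port 514 as used throughout these tutorials; the second form is the same rule in rsyslog's current RainerScript syntax, which is what the legacy line is shorthand for. Use one of the two forms, not both, or every message is forwarded twice.

```conf
# /etc/rsyslog.conf on LC (constructed example; hostname LR and port 514
# are assumptions matching the lab setup). Legacy-format rule as shipped
# commented out in the CentOS 7 default file, now active:
# "@@" selects TCP ("@" would be UDP); LR:514 must match the server listener.
*.* @@LR:514

# Equivalent rule in RainerScript. The queue parameters are the ones the
# CentOS default file suggests alongside the legacy line: with a disk-assisted
# queue and unlimited retries, messages are buffered locally while LR is
# unreachable instead of being dropped when the TCP connection fails.
action(type="omfwd"
       target="LR" port="514" protocol="tcp"
       queue.type="LinkedList"
       queue.filename="fwdLR"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Before restarting, `rsyslogd -N1` checks the edited file for syntax errors; after the restart, `logger -t fwdtest "forward check"` on LC should produce a line in both LC's and LR's /var/log/messages.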

Checking everything works

In order to ensure everything works correctly, you need to verify proper operation. Note that the intended outcome is that the message is still seen in the local log files and also forwarded to the server. If you followed our tutorial steps, the server will at this stage also write the message to its local log files. So to verify everything works, the message must show up on both the local and the remote machine.

Remote (top) and local (bottom) machine after connectivity test.

If you do not achieve this result, double check your setup. Ensure that you did not mix up client (LC) and server (LR) roles. Note that the version of rsyslog shipped with CentOS 7 does not issue a warning message if it cannot reach the remote machine. This makes troubleshooting somewhat more problematic. Newer versions of rsyslog emit warnings.

If you think everything is correct, try using netcat on the remote machine (just as in the previous tutorial) and copy and paste the server name or address and port number to the nc command line. If that does not work, go back to the previous tutorial and ensure everything, including all tests, works correctly after a reboot of both LC and LR.

Result

LC will now send its messages to the remote server LR. As you have verified, the messages are currently written to both the LC and the LR log files.

However, you have just uncommented some pre-existing config lines and possibly do not really know what is going on. This is acceptable if your main goal is to get this going. If you need to actually understand the configuration, you need to dig deeper. You can use the next section to do so. All others might stop reading here (or skip to the next tutorial).

Understanding the Configuration

TBD