This worked fine on version:
Sending host CentOS 6.2 final 64-bit to receiving host CentOS 5.6 final 64-bit
To send logs to a remote server (a central log server, etc.), add the following to the end of /etc/syslog.conf or /etc/rsyslog.conf. It is best to specify the port number explicitly, as there is some sort of bug in certain versions of syslog with port handling.
*.* @ip_of_remote_server:514
then restart syslog
service syslog restart
That is it if you are running newer versions of rsyslog; older versions are configured in a slightly different way.
You can change the syslogd compatibility mode by editing the /etc/sysconfig/rsyslog file: change the "-c 4" option to the version you want to use. The example below shows the latest; if you want compatibility with older versions, change "-c 4" to "-c 2", or whatever version you want to use. There are lots of caveats when using older versions, so I recommend reading the man pages. Also note that the compatibility option always has to be the first option specified.
For a Linux machine (a central log server, etc.) to receive the logs, do the following:
Open UDP port 514
iptables -I RH-Firewall-1-INPUT -s 10.1.250.0/24 -m udp -p udp --dport 514 -j ACCEPT
Then save it to make it persistent across reboots:
service iptables save
Check it has done what you expect
iptables -L -v
Check /etc/sysconfig/rsyslog is as follows (this is usually the default)
Add the following 2 lines to /etc/rsyslog.conf, these appear not to be present on a standard Linux install – note, the order is important
You may have to uncomment a bunch of stuff, for
A bunch of other stuff needs to be there as well, below is a copy of my modified rsyslog.conf
# Note: since version 3, rsyslog requires plug-in modules to be loaded to perform useful work (more in the v3 compatibility notes).
# To load the most common plug-ins, add the following to the top of rsyslog.conf:
$ModLoad immark # provides --MARK-- message capability <===uncomment this
$ModLoad imudp # provides UDP syslog reception <===uncomment this
$ModLoad imtcp # provides TCP syslog reception and GSS-API (if compiled to support it) <===uncomment this
# Provides UDP syslog reception
$ModLoad imudp.so # <=== uncomment this
$UDPServerAddress * # <==== add this
$UDPServerRun 514 # <==== add this
# Use traditional timestamp format
# Provides kernel logging support (previously done by rklogd)
# Provides support for local system logging (e.g. via logger command)
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
# Log anything (except mail) of level info or higher.
# Don’t log private authentication messages!
# The authpriv file has restricted access.
# Log all the mail messages in one place.
# Log cron stuff
# Everybody gets emergency messages
# Save news errors of level crit and higher in a special file.
# Save boot messages also to boot.log
# Provides UDP forwarding. The IP is the server’s IP address
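As an added example (not part of the original post and not shipped with rsyslog), the shell functions below lint a config file for the settings described above: on the receiver, that the UDP lines are uncommented and in order; on the sender, that the forward target carries an explicit port. It assumes the order the author means is the one in the listing ($ModLoad imudp, then $UDPServerAddress, then $UDPServerRun); the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint the legacy-format rsyslog lines used on this page.

# check_receiver FILE: succeed (and print the port) only if active lines
# appear in the order $ModLoad imudp, [$UDPServerAddress], $UDPServerRun.
check_receiver() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        $1 == "$ModLoad" && $2 ~ /^imudp(\.so)?$/ && !mod { mod = NR }
        $1 == "$UDPServerAddress" && !addr { addr = NR }
        $1 == "$UDPServerRun" && !run { run = NR; port = $2 }
        END {
            if (!mod)            err = "imudp not loaded (missing or still commented out)"
            else if (!run)       err = "no active $UDPServerRun line"
            else if (run < mod)  err = "$UDPServerRun comes before $ModLoad imudp"
            else if (addr > run) err = "$UDPServerAddress comes after $UDPServerRun"
            if (err != "") { print err > "/dev/stderr"; exit 1 }
            print port
        }' "$1"
}

# check_sender FILE: print each active UDP forward target (@host:port);
# fail if there is none or if one omits the explicit port.
check_sender() {
    awk '
        /^[ \t]*#/ { next }
        $2 ~ /^@[^@]/ {                          # one @ is UDP, @@ is TCP
            found = 1
            target = substr($2, 2)
            if (target ~ /:[0-9]+$/) print target
            else { print "no explicit port: " target > "/dev/stderr"; bad = 1 }
        }
        END { exit (bad || !found) }' "$1"
}

# Constructed sample input: the receiver lines from the listing, uncommented.
conf=$(mktemp)
printf '%s\n' '#$ModLoad imtcp' '$ModLoad imudp' '$UDPServerAddress *' \
    '$UDPServerRun 514' > "$conf"
check_receiver "$conf"      # prints 514
rm -f "$conf"
```

Run check_receiver against /etc/rsyslog.conf on the log server and check_sender against the sending host's config before restarting the service.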