Linux – sending log files to a remote server

This worked fine with the following versions:
Sending host CentOS 6.2 final 64-bit, receiving host CentOS 5.6 final 64-bit

Sending
To send logs to a remote server (a central log server, for example) add the following to the end of /etc/syslog.conf or /etc/rsyslog.conf. It is best to explicitly specify the port number, as there is some sort of bug in certain versions of syslog with port handling.

*.* @ip_of_remote_server:514

then restart syslog
service syslog restart

That is it if you are running a newer version of rsyslog; older versions are configured in a slightly different way.

You can change the syslogd compatibility mode by editing the /etc/sysconfig/rsyslog file: change the "-c 4" option to the version you want to use. The example below shows the latest; if you want compatibility with older versions change "-c 4" to "-c 2", or whatever version you want to use. There are lots of caveats to using the older modes, so I recommend reading the man pages. Also note that the compatibility option always has to be the first option specified.

SYSLOGD_OPTIONS="-c 4"

Receiving
For a Linux machine (the central log server, for example) to receive the log files, do the following:

Open UDP port 514
iptables -I RH-Firewall-1-INPUT -s 10.1.250.0/24 -m udp -p udp --dport 514 -j ACCEPT

Then save it to make it persistent after reboots:
/etc/init.d/iptables save

Restart iptables
service iptables restart

Check it has done what you expect
iptables -L -v

Check /etc/sysconfig/rsyslog is as follows (this is usually the default)
SYSLOGD_OPTIONS="-c 4"

Add the following 2 lines to /etc/rsyslog.conf; they appear not to be present on a standard Linux install. Note that the order is important:
$UDPServerAddress *
$UDPServerRun 514

You may have to uncomment a bunch of stuff, for

A bunch of other stuff needs to be there as well, below is a copy of my modified rsyslog.conf

# Note: since version 3, rsyslog requires plug-in modules to be loaded to perform useful work (see the compatibility notes for v3).
# To load the most common plug-ins, add the following to the top of rsyslog.conf:

$ModLoad immark # provides --MARK-- message capability   <===uncomment this
$ModLoad imudp # provides UDP syslog reception   <===uncomment this
$ModLoad imtcp # provides TCP syslog reception and GSS-API (if compiled to support it)   <===uncomment this

# Provides UDP syslog reception
$ModLoad imudp.so   <===uncomment this
$UDPServerAddress *    <==== add this
$UDPServerRun 514    <==== add this

# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
# Provides UDP forwarding. The IP is the server's IP address
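As an added example (my own script, not part of the original post), here is a small lint for the legacy-format rsyslog.conf shown above. It checks the two things the post stresses on the receiver, that imudp is loaded before $UDPServerRun and that a listener is actually declared, plus the sender side: an explicit port on the forwarding action and no stray space between @ and the host. It assumes POSIX sh and awk; the sample configs and addresses are constructed for the demo.

```shell
# Added example, not from the original post: lint a legacy-format (CentOS 5/6
# era) rsyslog.conf for the pitfalls the post mentions: directive order, the
# explicit port, and a stray space after '@'. Assumes POSIX sh and awk.
lint_rsyslog_conf() {   # prints one finding per line, nothing when clean
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blank lines
    /^[$]ModLoad[ \t]+imudp(\.so)?([ \t]|$)/ {
        if (modload) print "WARN line " NR ": imudp already loaded at line " modload
        else modload = NR
        next
    }
    /^[$]UDPServerRun[ \t]+[0-9]+/ { run = NR; next }
    /^[$]UDPServerAddress[ \t]+\*/ { print "WARN line " NR ": $UDPServerAddress * listens on every interface; bind the LAN address"; next }
    /^[^ \t]+[ \t]+@@?[ \t]/ { print "ERROR line " NR ": space after @; write @host:port with no gap"; next }
    /^[^ \t]+[ \t]+@@?[^: \t]+[ \t]*$/ { print "WARN line " NR ": forwarding action has no explicit port; append :514"; next }
    END {
        if (run && !modload) print "ERROR: $UDPServerRun set but $ModLoad imudp missing"
        if (modload && !run) print "ERROR: imudp loaded but $UDPServerRun missing; nothing listens"
        if (run && modload && run < modload) print "ERROR line " run ": $UDPServerRun comes before $ModLoad imudp; order matters"
    }' "$1"
}
count_findings() {      # number of findings; 0 means the file passed
    lint_rsyslog_conf "$1" | grep -c . || true
}

# Constructed sample configs (addresses are made up): a correct receiver and
# one that reproduces the mistakes the checks above look for.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.conf" <<'EOF'
$ModLoad imudp
$UDPServerAddress 10.1.250.1
$UDPServerRun 514
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
$UDPServerRun 514
$ModLoad imudp
$ModLoad imudp.so
$UDPServerAddress *
*.* @ 10.1.250.5:514
*.* @10.1.250.6
EOF
for f in good bad; do
    echo "== $f.conf: $(count_findings "$demo_dir/$f.conf") finding(s)"
    lint_rsyslog_conf "$demo_dir/$f.conf"
done
```

Run it against your own /etc/rsyslog.conf with `lint_rsyslog_conf /etc/rsyslog.conf`; the WARN about `$UDPServerAddress *` is the one to act on when the receiver has a public interface.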

About hedscratchers

A UK ex-pat now living in the USA.
This entry was posted in Linux & Solaris.
