Rsyslog : Output Logs to Remote Hosts
2020/02/10
Configure Rsyslog to output logs to remote hosts.
This example is based on the following environment.

+----------------------+          |          +----------------------+
|  [ Syslog Server ]   |10.0.0.30 | 10.0.0.51|  [ Syslog Client ]   |
|    dlp.srv.world     +----------+----------+   node01.srv.world   |
|                      |                     |                      |
+----------------------+                     +----------------------+
[1] On the Syslog Server, configure rsyslog to receive logs via TCP from remote hosts.
[root@dlp ~]# vi /etc/rsyslog.conf
# line 24-25: uncomment
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
# add setting to allow log senders
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24, *.srv.world

[root@dlp ~]# systemctl restart rsyslog
[2] On the Syslog Server, if Firewalld is running, allow the port.
[root@dlp ~]# firewall-cmd --add-port=514/tcp --permanent
success
[root@dlp ~]# firewall-cmd --reload
success
[3] Configure the Syslog Client host.
# in addition to existing settings (output to local log files),
# send logs to remote host, too
[root@node01 ~]# vi /etc/rsyslog.conf
# add to the end
action(type="omfwd"
       queue.filename="fwdRule_dlp.srv.world"
       queue.maxdiskspace="1g"
       queue.saveonshutdown="on"
       queue.type="LinkedList"
       action.resumeRetryCount="-1"
       Target="dlp.srv.world" Port="514" Protocol="tcp")

# for the case to send specific facility logs
# for example, set [authpriv]
[root@node01 ~]# vi /etc/rsyslog.conf
# comment out existing line if you do not want to output to local filesystem
#authpriv.* /var/log/secure
authpriv.* action(type="omfwd"
           queue.filename="fwdRule_dlp.srv.world"
           queue.maxdiskspace="1g"
           queue.saveonshutdown="on"
           queue.type="LinkedList"
           action.resumeRetryCount="-1"
           Target="dlp.srv.world" Port="514" Protocol="tcp")

[root@node01 ~]# systemctl restart rsyslog
[4] After the above configuration, make sure logs from the Syslog Client hosts are recorded on the Syslog Server host.
[root@dlp ~]# tail /var/log/messages
Feb 5 19:50:34 node01 rsyslogd[2022]: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime [v8.37.0-13.el8 try http://www.rsyslog.com/e/2442 ]
Feb 5 19:50:34 node01 systemd[1]: Started System Logging Service.
Feb 5 19:50:34 node01 rsyslogd[2022]: [origin software="rsyslogd" swVersion="8.37.0-13.el8" x-pid="2022" x-info="http://www.rsyslog.com"] start
Feb 5 19:54:37 node01 sssd[kcm][1970]: Shutting down
Feb 5 19:59:39 node01 systemd[1]: Starting dnf makecache...
Feb 5 19:59:40 node01 dnf[2037]: Metadata cache refreshed recently.
Feb 5 19:59:40 node01 systemd[1]: Started dnf makecache.
Feb 5 20:06:01 dlp systemd[1]: Starting dnf makecache...
Feb 5 20:06:01 dlp dnf[2254]: Metadata cache refreshed recently.
Feb 5 20:06:01 dlp systemd[1]: Started dnf makecache.
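The check in step [4] can be scripted so that a client that has stopped sending is noticed rather than overlooked in tail output. The following is an added example, not part of the original page: it summarizes which hosts appear in the server's log file and lists expected clients with no lines. It assumes the traditional file format shown above ("Mon DD HH:MM:SS host tag: message"); the function names, the sample lines and the host node02 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page).
# Assumes the traditional syslog file layout: the sending host is field 4.

# hosts_seen FILE -> one line per host: "host line-count last-timestamp"
hosts_seen() {
    awk 'NF >= 5 {
             n[$4]++                        # lines received per host
             last[$4] = $1 " " $2 " " $3    # timestamp of the newest line
         }
         END { for (h in n) print h, n[h], last[h] }' "$1" | LC_ALL=C sort
}

# missing_hosts FILE HOST... -> prints each expected host that has no lines
# in FILE; returns 1 if any host is missing, 0 otherwise.
missing_hosts() {
    file=$1; shift
    rc=0
    for h in "$@"; do
        if ! awk -v h="$h" '$4 == h { found = 1; exit }
                            END { exit !found }' "$file"; then
            echo "$h"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample lines in the same layout as /var/log/messages.
sample_log() {
    cat <<'EOF'
Feb  5 19:50:34 node01 systemd[1]: Started System Logging Service.
Feb  5 19:59:40 node01 systemd[1]: Started dnf makecache.
Feb  5 20:06:01 dlp systemd[1]: Started dnf makecache.
EOF
}

# Demo on the constructed sample; node02 is a hypothetical second client.
log=$(mktemp) && sample_log > "$log"
hosts_seen "$log"
missing_hosts "$log" node01 node02 || echo "^ expected hosts with no log lines"
rm -f "$log"
```

On the server, point both functions at /var/log/messages and pass the hostnames of the clients configured in step [3].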