How to send log messages using rsyslog to remote server using tcp and udp ports (remote logging) in Red Hat Linux

In my last article I had shared the steps to redirect specific log messages to a different log file using rsyslog and to secure your ssh service using fail2ban on Linux.

In this article I will share the steps to forward the system log to remote server using both TCP and UDP ports so you can choose but again you have to understand the transfer here is not secure. To secure the channel for the transfer you must configure rsylog using TLS certificates.


Below is my setup detail

Server: 10.43.138.14 -> The one which will send message
Client: 10.43.138.1 -> The one which will receive the message

Below rpm must be installed on the client setup to validate the incoming message

nmap-ncat

Using TCP

If you wish to transfer the system log files to remote server using tcp port then follow below list of steps

With older version of rsyslog below syntax was used in the /etc/rsyslog.conf

*.* @remote_server:port

NOTE: Use single "@" here above as highlighted for TCP

But this sytanx is deprecated and should not be used.
Now we have new syntax available which gives us more number of options to be used.

On Server (10.43.138.14)
Add below content at the end of the file /etc/rsyslog.conf

*.* action(type="omfwd" target="192.0.2.1" port="10514" protocol="tcp")

NOTE: If there are additional rules which are added before this entry then the same will be applied before sending those messages to remote server so place this entry in your rsyslog.conf accordingly

You can tweak this to add some more arguments

*.* action(type="omfwd"
queue.type="LinkedList"
action.resumeRetryCount="-1"
queue.size="10000"
queue.saveonshutdown="on"
target="10.43.138.1" Port="10514" Protocol="tcp")

queue.type enables a LinkedList in-memory queue, queue_type can be direct, linkedlist or fixedarray (which are in-memory queues), or disk.

enabled queue.saveonshutdown saves in-memory data if rsyslog shuts down,

the action.resumeRetryCount= “-1” setting prevents rsyslog from dropping messages when retrying to connect if server is not responding,

queue.size where size represents the specified size of disk queue part. The defined size limit is not restrictive, rsyslog always writes one complete queue entry, even if it violates the size limit.

Save and restart the rsyslog service

# systemctl restart rsyslog

On client side
Add the provided port to the firewall

# iptables -A INPUT -p tcp --dport 10514  -j ACCEPT

Next open the port using nc

# nc -l -p 10514 -4

On Server side I send some dummy message

# logger "testing message from 10.43.138.14"

On client side

<13>May 29 12:58:33 golinuxhub-client deepak: testing message from 10.43.138.14

You should also start getting all your log messages from the server on your client.

Using UDP

If you wish to transfer the system log files to remote server using udp port then follow below list of steps

With older version of rsyslog below syntax was used in the rsyslog.conf

*.* @@remote_server:port

NOTE: Use "@" twice here above as highlighted for UDP

But this sytanx is deprecated and should not be used.
Now we have new syntax available which gives us more number of options to be used.

On Server (10.43.138.14)
Add below content at the end of the file /etc/rsyslog.conf

*.* action(type="omfwd" target="192.0.2.1" port="10514" protocol="udp")

NOTE: If there are additional rules which are added before this entry then the same will be applied before sending those messages to remote server so place this entry in your rsyslog.conf accordingly

You can tweak this to add some more arguments

*.* action(type="omfwd"
queue.type="LinkedList"
action.resumeRetryCount="-1"
queue.size="10000"
queue.saveonshutdown="on"
target="10.43.138.1" Port="10514" Protocol="udp")

queue.type enables a LinkedList in-memory queue, queue_type can be direct, linkedlist or fixedarray (which are in-memory queues), or disk.

enabled queue.saveonshutdown saves in-memory data if rsyslog shuts down,

the action.resumeRetryCount= “-1” setting prevents rsyslog from dropping messages when retrying to connect if server is not responding,

queue.size where size represents the specified size of disk queue part. The defined size limit is not restrictive, rsyslog always writes one complete queue entry, even if it violates the size limit.

Save and restart the rsyslog service

# systemctl restart rsyslog

On Client
Enable or uncomment these two entires for the client to be able to receive the messages

# vim /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514

Followed by a restart of rsyslog service

# systemctl restart rsyslog

Next add the provided port to the firewall

# iptables -A INPUT -p udp --dport 10514  -j ACCEPT

And start listening to the port we are using (since this is a UDP port hence I have used -u)

# nc -l -p 10514 -4 -u

Now we are all set so lets send a message using logger from our server node

# logger "Testing rsyslog message using udp port"

Same appears on our client side

<13>May 29 14:37:32 Ban17-be002-2b deepak: Testing rsyslog message using udp port

I hope the article was useful.