How to send log messages using rsyslog to remote server using tcp and udp ports (remote logging) in Red Hat Linux
In my last article I had shared the steps to redirect specific log messages to a different log file using rsyslog and to secure your ssh service using fail2ban on Linux.
In this article I will share the steps to forward the system log to a remote server using both TCP and UDP ports, so you can choose whichever fits your setup.
Below is my setup detail:
Server: 10.43.138.14 -> The one which will send the messages
Client: 10.43.138.1 -> The one which will receive the messages
The below rpm must be installed on the client setup to validate the incoming messages:
nmap-ncat
Using TCP
If you wish to transfer the system log files to a remote server using a TCP port then follow the below list of steps.
With older versions of rsyslog the below syntax was used in /etc/rsyslog.conf:
*.* @@remote_server:port
NOTE: Use a double "@@" here, as highlighted above, for TCP (a single "@" would select UDP).
But this syntax is deprecated and should not be used.
Now we have a new syntax available which gives us more options to use.
On Server (10.43.138.14)
Add the below content at the end of the file /etc/rsyslog.conf (target is the client from the setup above):
*.* action(type="omfwd" target="10.43.138.1" port="10514" protocol="tcp")
NOTE: If there are additional rules added before this entry then they will be applied before these messages are sent to the remote server, so place this entry in your rsyslog.conf accordingly.
You can tweak this to add some more arguments:
*.* action(type="omfwd"
           queue.type="LinkedList"
           action.resumeRetryCount="-1"
           queue.size="10000"
           queue.saveonshutdown="on"
           target="10.43.138.1" port="10514" protocol="tcp")
queue.type="LinkedList" enables a LinkedList in-memory queue; queue.type can be direct, linkedlist or fixedarray (which are in-memory queues), or disk.
queue.saveonshutdown="on" saves the in-memory queue to disk if rsyslog shuts down, so queued messages are not lost.
action.resumeRetryCount="-1" prevents rsyslog from dropping messages while it keeps retrying the connection when the remote server is not responding.
queue.size sets the size of the queue; the defined size limit is not strict, since rsyslog always writes one complete queue entry even if that violates the limit.
Save and restart the rsyslog service:
# systemctl restart rsyslog
On the client side
Add the provided port to the firewall:
# iptables -A INPUT -p tcp --dport 10514 -j ACCEPT
Next listen on the port using nc:
# nc -l -p 10514 -4
On the server side I send a dummy message:
# logger "testing message from 10.43.138.14"
On the client side the same message shows up in the nc output:
<13>May 29 12:58:33 golinuxhub-client deepak: testing message from 10.43.138.14
You should also start receiving all the other log messages from the server on your client.
Using UDP
If you wish to transfer the system log files to a remote server using a UDP port then follow the below list of steps.
With older versions of rsyslog the below syntax was used in /etc/rsyslog.conf:
*.* @remote_server:port
NOTE: Use a single "@" here, as highlighted above, for UDP (a double "@@" would select TCP).
But this syntax is deprecated and should not be used.
Now we have a new syntax available which gives us more options to use.
On Server (10.43.138.14)
Add the below content at the end of the file /etc/rsyslog.conf (target is the client from the setup above):
*.* action(type="omfwd" target="10.43.138.1" port="10514" protocol="udp")
NOTE: If there are additional rules added before this entry then they will be applied before these messages are sent to the remote server, so place this entry in your rsyslog.conf accordingly.
You can tweak this to add some more arguments:
*.* action(type="omfwd"
           queue.type="LinkedList"
           action.resumeRetryCount="-1"
           queue.size="10000"
           queue.saveonshutdown="on"
           target="10.43.138.1" port="10514" protocol="udp")
queue.type="LinkedList" enables a LinkedList in-memory queue; queue.type can be direct, linkedlist or fixedarray (which are in-memory queues), or disk.
queue.saveonshutdown="on" saves the in-memory queue to disk if rsyslog shuts down, so queued messages are not lost.
action.resumeRetryCount="-1" prevents rsyslog from dropping messages while it keeps retrying the connection when the remote server is not responding.
queue.size sets the size of the queue; the defined size limit is not strict, since rsyslog always writes one complete queue entry even if that violates the limit.
Save and restart the rsyslog service:
# systemctl restart rsyslog
On Client (10.43.138.1)
Enable or uncomment these two entries so the client is able to receive the messages:
# vim /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 514
Followed by a restart of the rsyslog service:
# systemctl restart rsyslog
Next add the provided port to the firewall:
# iptables -A INPUT -p udp --dport 10514 -j ACCEPT
And start listening on the port we are using (since this is a UDP port I have added -u):
# nc -l -p 10514 -4 -u
Now we are all set, so let's send a message using logger from our server node:
# logger "Testing rsyslog message using udp port"
The same appears on our client side:
<13>May 29 14:37:32 Ban17-be002-2b deepak: Testing rsyslog message using udp port
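To check what the nc capture on the client actually carries in both the TCP and the UDP section above, here is an added example (my own code, not from the article or from the rsyslog project): it parses the `<PRI>` header of the captured lines into facility and severity, and pushes a record over a loopback UDP and TCP socket the way omfwd and nc exchange it. The loopback helper and the ephemeral ports are assumptions standing in for the real 10.43.138.x hosts and port 10514.

```python
import re
import socket

# BSD-syslog (RFC 3164): PRI = facility * 8 + severity, e.g. <13> = user.notice
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# <PRI>Mmm dd HH:MM:SS hostname tag[pid]: message   ("[pid]" is optional)
_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
                   r"([^:\[\s]+)(?:\[(\d+)\])?: (.*)$")

def parse_syslog_line(line):
    """Split one captured line into its fields; raise ValueError on junk."""
    m = _LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line)
    pri = int(m.group(1))
    if pri > 191:  # local7.debug = 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": m.group(2), "host": m.group(3), "tag": m.group(4),
            "pid": m.group(5), "message": m.group(6)}

def loopback_forward(line, protocol):
    """Constructed stand-in for omfwd -> nc on 127.0.0.1: send one record and
    return what the receiver read. UDP: one datagram per message. TCP: omfwd's
    default framing ends each record with "\\n", which is why nc prints lines."""
    if protocol == "udp":
        rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        rx.bind(("127.0.0.1", 0)); rx.settimeout(5)  # port 0: any free port
        tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        tx.sendto(line.encode(), rx.getsockname())
        data, _ = rx.recvfrom(65535)
        tx.close(); rx.close()
        return data.decode()
    if protocol == "tcp":
        lsn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        lsn.bind(("127.0.0.1", 0)); lsn.listen(1)
        tx = socket.create_connection(lsn.getsockname())
        tx.sendall((line + "\n").encode())
        conn, _ = lsn.accept()
        data = b""
        while b"\n" not in data and (chunk := conn.recv(4096)):  # LF or EOF
            data += chunk
        conn.close(); lsn.close(); tx.close()
        return data.decode().rstrip("\n")
    raise ValueError("protocol must be 'tcp' or 'udp'")
```

If a line on the client does not parse, the sender is not speaking plain BSD syslog (for example a different template or framing on the omfwd action), which is worth knowing before pointing the real server at a collector.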
I hope the article was useful.
Reviewed by Deepak Prasad on Tuesday, May 29, 2018