  • How to send log messages using rsyslog to remote server using tcp and udp ports (remote logging) in Red Hat Linux

    In my last article I shared the steps to redirect specific log messages to a different log file using rsyslog.

    In this article I will share the steps to forward the system log to a remote server using both TCP and UDP ports so you can choose


    Below are my setup details

    Server: 10.43.138.14 -> The one which will send the messages
    Client: 10.43.138.1 -> The one which will receive the messages

    The below rpm must be installed on the client to validate the incoming messages
    nmap-ncat




    Using TCP

    If you wish to transfer the system log files to a remote server over a TCP port, follow the steps below.

    With older versions of rsyslog the below syntax was used in /etc/rsyslog.conf
    *.* @@remote_server:port

    NOTE: Use "@" twice here for TCP

    This syntax is deprecated and should not be used.
    The new syntax gives us more options to use.

    On Server (10.43.138.14)
    Add the below content at the end of the file /etc/rsyslog.conf
    *.* action(type="omfwd" target="10.43.138.1" port="10514" protocol="tcp")

    NOTE: Any rules placed before this entry are applied before the messages are sent to the remote server, so position this entry in your rsyslog.conf accordingly

    You can tweak this to add some more arguments
    *.* action(type="omfwd"
    queue.type="LinkedList"
    action.resumeRetryCount="-1"
    queue.size="10000"
    queue.saveonshutdown="on"
    target="10.43.138.1" Port="10514" Protocol="tcp")

    queue.type enables a LinkedList in-memory queue; queue.type can be direct, linkedlist or fixedarray (which are in-memory queues), or disk.

    queue.saveonshutdown, when enabled, saves in-memory data if rsyslog shuts down.

    The action.resumeRetryCount="-1" setting prevents rsyslog from dropping messages when retrying to connect if the server is not responding.

    queue.size, where size represents the specified size of disk queue part. The defined size limit is not restrictive; rsyslog always writes one complete queue entry, even if it violates the size limit.

    Save and restart the rsyslog service
    # systemctl restart rsyslog

    On client side
    Add the provided port to the firewall
    # iptables -A INPUT -p tcp --dport 10514  -j ACCEPT

    Next open the port using nc
    # nc -l -p 10514 -4

    On the server side I send a dummy message
    # logger "testing message from 10.43.138.14"

    On the client side the message appears
    <13>May 29 12:58:33 golinuxhub-client deepak: testing message from 10.43.138.14

    You should also start getting all the log messages from the server on your client.




    Using UDP

    If you wish to transfer the system log files to a remote server over a UDP port, follow the steps below.

    With older versions of rsyslog the below syntax was used in rsyslog.conf
    *.* @remote_server:port

    NOTE: Use a single "@" here for UDP

    This syntax is deprecated and should not be used.
    The new syntax gives us more options to use.

    On Server (10.43.138.14)
    Add the below content at the end of the file /etc/rsyslog.conf
    *.* action(type="omfwd" target="10.43.138.1" port="10514" protocol="udp")

    NOTE: Any rules placed before this entry are applied before the messages are sent to the remote server, so position this entry in your rsyslog.conf accordingly

    You can tweak this to add some more arguments
    *.* action(type="omfwd"
    queue.type="LinkedList"
    action.resumeRetryCount="-1"
    queue.size="10000"
    queue.saveonshutdown="on"
    target="10.43.138.1" Port="10514" Protocol="udp")

    queue.type enables a LinkedList in-memory queue; queue.type can be direct, linkedlist or fixedarray (which are in-memory queues), or disk.

    queue.saveonshutdown, when enabled, saves in-memory data if rsyslog shuts down.

    The action.resumeRetryCount="-1" setting prevents rsyslog from dropping messages when retrying to connect if the server is not responding.

    queue.size, where size represents the specified size of disk queue part. The defined size limit is not restrictive; rsyslog always writes one complete queue entry, even if it violates the size limit.

    Save and restart the rsyslog service
    # systemctl restart rsyslog






    On Client
    Enable or uncomment these two entries for the client to be able to receive the messages
    # vim /etc/rsyslog.conf
    $ModLoad imudp
    $UDPServerRun 514

    Followed by a restart of rsyslog service
    # systemctl restart rsyslog

    Next add the provided port to the firewall
    # iptables -A INPUT -p udp --dport 10514  -j ACCEPT

    And start listening on the port we are using (since this is a UDP port, I have used -u)
    # nc -l -p 10514 -4 -u

    Now we are all set, so let's send a message using logger from our server node
    # logger "Testing rsyslog message using udp port"

    The same appears on our client side
    <13>May 29 14:37:32 Ban17-be002-2b deepak: Testing rsyslog message using udp port
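
    The `<13>` prefix and the header fields in the lines captured with nc in the TCP and UDP tests can be decoded as shown here. This is an added example, not code from the original article; the names `parse_syslog_line`, `split_stream` and `SAMPLE` are made up for illustration, and the sample stream is built from the two lines shown in this article.

```python
import re

# Facility and severity names indexed by their numeric codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG  (traditional BSD syslog layout)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Constructed input: the two lines captured with nc in this article, LF-separated.
SAMPLE = (b"<13>May 29 12:58:33 golinuxhub-client deepak: testing message from 10.43.138.14\n"
          b"<13>May 29 14:37:32 Ban17-be002-2b deepak: Testing rsyslog message using udp port\n")

def parse_syslog_line(line):
    """Parse one forwarded line; return a dict, or None if it is malformed."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)  # PRI = facility * 8 + severity
    if facility >= len(FACILITIES):                      # PRI above 191 is invalid
        return None
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),   # supplied by the sender, not verified by the receiver
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }

def split_stream(data):
    """Split captured bytes into messages, one per LF-terminated line."""
    return [l for l in data.decode("utf-8", "replace").split("\n") if l]

if __name__ == "__main__":
    for line in split_stream(SAMPLE):
        print(parse_syslog_line(line))
```

    Both captured lines decode to facility user and severity notice, the default priority used by logger. The host field comes from the message itself, so a receiver that needs to know where a message really came from should record the peer address of the connection or datagram as well.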

    I hope the article was useful.

    Reviewed by Deepak Prasad on Tuesday, May 29, 2018
