In this article I will share the steps to forward the system log to a remote server over either TCP or UDP, so you can choose whichever suits you. Keep in mind that the transfer described here is not secure. To secure the channel you must configure rsyslog with TLS certificates.
Below is my setup detail:
Client: 10.43.138.1 -> The one which will receive the message
Below rpm must be installed on the client setup to validate the incoming message
Using TCP
If you wish to transfer the system log files to a remote server over a TCP port, follow the steps below.
With older versions of rsyslog, the syntax below was used in /etc/rsyslog.conf
NOTE: Use single "@" here above as highlighted for TCP
But this syntax is deprecated and should not be used.
A newer syntax is now available which gives us more options.
On Server (10.43.138.14)
Add the content below at the end of the file /etc/rsyslog.conf
NOTE: Any rules placed before this entry are applied before the messages are sent to the remote server, so position this entry in your rsyslog.conf accordingly.
You can tweak this to add some more arguments:
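# omfwd is the rsyslog forwarding output module; the queue.* settings buffer messages for this action
action(type="omfwd"
       queue.type="LinkedList"
       action.resumeRetryCount="-1"
       queue.size="10000"
       queue.saveonshutdown="on"
       target="10.43.138.1" Port="10514" Protocol="tcp")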
queue.type enables a LinkedList in-memory queue. queue_type can be direct, linkedlist or fixedarray (which are in-memory queues), or disk.
queue.saveonshutdown, when enabled, saves in-memory data if rsyslog shuts down.
action.resumeRetryCount="-1" prevents rsyslog from dropping messages when retrying to connect if the server is not responding.
queue.size, where size represents the specified size of disk queue part. The defined size limit is not restrictive; rsyslog always writes one complete queue entry, even if it violates the size limit.
Save and restart the rsyslog service
On client side
Add the provided port to the firewall
Next open the port using nc
On the server side I send a dummy message
On client side
You should also start getting all your log messages from the server on your client.
Using UDP
If you wish to transfer the system log files to a remote server over a UDP port, follow the steps below.
With older versions of rsyslog, the syntax below was used in rsyslog.conf
NOTE: Use "@" twice here above as highlighted for UDP
But this syntax is deprecated and should not be used.
A newer syntax is now available which gives us more options.
On Server (10.43.138.14)
Add the content below at the end of the file /etc/rsyslog.conf
NOTE: Any rules placed before this entry are applied before the messages are sent to the remote server, so position this entry in your rsyslog.conf accordingly.
You can tweak this to add some more arguments:
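# omfwd is the rsyslog forwarding output module; the queue.* settings buffer messages for this action
action(type="omfwd"
       queue.type="LinkedList"
       action.resumeRetryCount="-1"
       queue.size="10000"
       queue.saveonshutdown="on"
       target="10.43.138.1" Port="10514" Protocol="udp")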
queue.type enables a LinkedList in-memory queue. queue_type can be direct, linkedlist or fixedarray (which are in-memory queues), or disk.
queue.saveonshutdown, when enabled, saves in-memory data if rsyslog shuts down.
action.resumeRetryCount="-1" prevents rsyslog from dropping messages when retrying to connect if the server is not responding.
queue.size, where size represents the specified size of disk queue part. The defined size limit is not restrictive; rsyslog always writes one complete queue entry, even if it violates the size limit.
Save and restart the rsyslog service
On Client
Enable or uncomment these two entries so that the client is able to receive the messages
$ModLoad imudp
$UDPServerRun 514
Followed by a restart of rsyslog service
Next add the provided port to the firewall
And start listening on the port we are using (since this is a UDP port, I have used -u)
Now we are all set, so let's send a message using logger from our server node
Same appears on our client side
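The verification step above, as an added example that is not part of the original article: a small Python receiver that can stand in for the nc listener on the receiving host and decodes the `<PRI>` prefix of each forwarded line, which also makes it plain that the payload crosses the network as readable text. The function names and the sample line are constructed for illustration, and the TCP path assumes the newline-delimited framing that rsyslog forwarding uses by default.

```python
import re
import socket
import sys

# Names for the severity half of <PRI>; the facility is reported as a number.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Constructed sample of a forwarded line (logger defaults to user.notice, PRI 13).
SAMPLE = "<13>Mar  3 10:15:02 server1 root: test message"

def parse_line(line):
    """Decode the leading <PRI> of one forwarded line; None if it is malformed."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return {"facility": facility, "severity": SEVERITIES[severity], "text": m.group(2)}

def split_frames(buffer):
    """Split TCP bytes into complete LF-terminated messages plus the unfinished tail."""
    *complete, tail = buffer.split(b"\n")
    return [c.decode("utf-8", "replace") for c in complete if c], tail

def listen(port, proto="tcp", host="0.0.0.0", count=1):
    """Collect at least `count` messages on `port` and return (sender, parsed) pairs."""
    seen = []
    if proto == "udp":  # one datagram carries one message
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind((host, port))
            while len(seen) < count:
                data, peer = s.recvfrom(65535)
                seen.append((peer[0], parse_line(data.decode("utf-8", "replace").rstrip())))
    else:  # TCP is a byte stream: messages may be split or merged across recv() calls
        with socket.create_server((host, port)) as srv:
            conn, peer = srv.accept()
            with conn:
                tail = b""
                while len(seen) < count:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    lines, tail = split_frames(tail + chunk)
                    seen.extend((peer[0], parse_line(ln)) for ln in lines)
    return seen

if __name__ == "__main__":
    # Usage: python3 receiver.py tcp|udp   (port 10514 as used in the article)
    for sender, msg in listen(10514, sys.argv[1] if len(sys.argv) > 1 else "tcp"):
        print(sender, msg)
```

A result of None for a received line means the sender did not prepend a valid `<PRI>` field, which is what you see when the test message is typed by hand instead of being sent through logger or rsyslog.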
I hope the article was useful.