Sending logs to a remote syslog server.

I’m trying to set up a SLES server to send logs to a remote server via rsyslog.
Rsyslog is installed. I’ve tried adding *.* @@172.29.39.10:514 to the configuration files /etc/rsyslog.conf and /etc/rsyslog.d/remote.conf. After restarting the service (service rsyslog restart) there isn’t any activity on port 514. I checked with netstat -antpu.
There aren’t any messages in /var/log/messages related to rsyslog.
Please help!
/etc/sysconfig/syslog is by default:
RSYSLOGD_PARAMS=""
Command output: # cat /etc/rsyslog.conf | grep -vE '(#|^$)'

$ModLoad immark.so
$MarkMessagePeriod 3600
$ModLoad imuxsock.so
$RepeatedMsgReduction on
$ModLoad imklog.so
$klogConsoleLogLevel 1
$IncludeConfig /run/rsyslog/additional-log-sockets.conf
$IncludeConfig /etc/rsyslog.d/*.conf
if ( \
    /* kernel up to warning except of firewall */ \
    ($syslogfacility-text == 'kern') and \
    ($syslogseverity <= 4 /* warning */ ) and not \
    ($msg contains 'IN=' and $msg contains 'OUT=') \
) or ( \
    /* up to errors except of facility authpriv */ \
    ($syslogseverity <= 3 /* errors */ ) and not \
    ($syslogfacility-text == 'authpriv') \
) \
then {
    /dev/tty10
    |/dev/xconsole
}
*.emerg :omusrmsg:*
if ($syslogfacility-text == 'kern') and \
    ($msg contains 'IN=' and $msg contains 'OUT=') \
then {
    -/var/log/firewall
    stop
}
if ($programname == 'acpid' or $syslogtag == '[acpid]:') and \
    ($syslogseverity <= 5 /* notice */) \
then {
    -/var/log/acpid
    stop
}
if ($programname == 'NetworkManager') or \
    ($programname startswith 'nm-') \
then {
    -/var/log/NetworkManager
    stop
}
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err
news.crit -/var/log/news/news.crit
news.err -/var/log/news/news.err
news.notice -/var/log/news/news.notice
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn
*.*;mail.none;news.none -/var/log/messages
local0.*;local1.* -/var/log/localmessages
local2.*;local3.* -/var/log/localmessages
local4.*;local5.* -/var/log/localmessages
local6.*;local7.* -/var/log/localmessages
*.* @@172.29.39.10:514

Hi bm_rec,

as there are always two syslogs involved for remote syslogging, it’d be helpful if you distinguish between the two when describing your activity :wink:

adding “*.* @@172.29.39.10:514” to the initiating syslog daemon (the one sending the messages) should be sufficient to get the log entries sent to 172.29.39.10 via TCP.

You might want to verify operations by using tcpdump (e.g. “tcpdump -nvv -i eth99 port 514”, if traffic to 172.29.39.10 travels via eth99); you should see packets going from your box to 172.29.39.10 when e.g. invoking “logger testmessage”.

You won’t see anything special in that local server’s syslog files, though: Sending messages to the remote syslog server is “on top”.

On the receiving end, the syslog daemon will have to be configured to accept remote syslog messages and to receive them via TCP (see “man 5 rsyslog.conf” for details). Additionally, I usually recommend spending some thought on how you’d like the receiving syslog to output the messages: typically, it’s not desirable to have all messages of all remote syslogs go into a combined messages file. But that’s a different story; you can do that once you have confirmed that message passing works at all.

Regards,
J

Agreed with everything here, and wanted to add to make sure that you open the socket in the firewall where the target system is listening for events, as otherwise it will be blocked.

Based on the use of ‘rsyslog’ I also presume you are on SLES 12, but confirming the SP, and version of the rsyslog package, may be useful. Along with that you may want to be sure that the target system is configured to listen on all addresses, and not just on local addresses, as otherwise opening the firewall may not be enough:

/usr/sbin/ss -planeto | grep rsyslog


Good luck.

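Pulling the two replies above together (the sending-side rule and the tcpdump/logger check from jmozdzen, the firewall and "listen on all addresses" check from ab), here is an added example written for this page; it is not code from the thread or from the rsyslog project. It is a small POSIX shell script that renders the sending-side file for server A and the receiving-side file for server R in rsyslog 8 RainerScript (the version SLES 12 ships) and wraps the checks mentioned above as functions. It assumes R is 172.29.39.10 on TCP 514 as in the thread; the sender network 172.29.39.0/24, the /var/log/remote path, the template and ruleset names and the script name remote-syslog.sh are my choices, while the parameters used (omfwd queue options, the legacy $AllowedSender directive, omfile dynaFile) are standard rsyslog ones.

```shell
#!/bin/sh
# Added example, not part of the thread. Renders rsyslog 8 (SLES 12) configuration
# for both ends of the setup discussed above and wraps the suggested checks.
# Assumed: central server R = 172.29.39.10 (from the thread), TCP port 514, senders
# live in 172.29.39.0/24, per-host files under /var/log/remote (my choices).

# Server A (sender): output goes to /etc/rsyslog.d/remote.conf.
# The one-liner from the thread forwards fine, but it has no queue: while R is
# unreachable, messages are dropped after a short retry period.
render_sender_conf() {            # $1 = central server, $2 = TCP port
    cat <<EOF
# Legacy one-liner as used in the thread (double @ means TCP, single @ is UDP):
# *.* @@$1:$2

# Same forwarding with a disk-assisted queue and unlimited retry, so an outage
# of $1 holds messages locally instead of losing them.
*.* action(type="omfwd" target="$1" port="$2" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_$1"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Server R (receiver): output goes to /etc/rsyslog.d/listen.conf.
# Without an input() nothing binds port 514 and ss shows no rsyslogd socket,
# whatever the firewall does.
render_receiver_conf() {          # $1 = TCP port, $2 = network allowed to send
    cat <<EOF
module(load="imtcp")
# Legacy directive: imtcp refuses connections from outside this network.
\$AllowedSender TCP, $2

# One file per sending host instead of everything landing in the local messages file.
template(name="PerHostFile" type="string" string="/var/log/remote/%HOSTNAME%/messages")
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostFile" dirCreateMode="0750" fileCreateMode="0640")
}
# Binds all local addresses by default; bound to the ruleset so remote messages
# never reach the local rules in rsyslog.conf.
input(type="imtcp" port="$1" ruleset="remote")
EOF
}

# Checks; run as root on the machine named in each comment.
validate_conf() {                 # any box: syntax-check a config file without a restart
    rsyslogd -N1 -f "$1"
}
check_listener() {                # server R: true only if rsyslogd owns a TCP socket on $1
    ss -ltnp 2>/dev/null | grep -Eq ":$1[[:space:]].*rsyslogd"
}
send_test() {                     # server A: emit one test line via the local syslog socket
    logger -t remotetest "remote syslog test $$"
}
# On A, while send_test runs, watch the wire on the interface that carries traffic to R:
#   tcpdump -nvv -i <iface> host 172.29.39.10 and tcp port 514

case "${1:-}" in
    sender)   render_sender_conf 172.29.39.10 514 ;;
    receiver) render_receiver_conf 514 172.29.39.0/24 ;;
    *)        echo "usage: $0 sender|receiver  (redirect into /etc/rsyslog.d/)" >&2 ;;
esac
```

Run "sh remote-syslog.sh sender > /etc/rsyslog.d/remote.conf" on server A and "sh remote-syslog.sh receiver > /etc/rsyslog.d/listen.conf" on server R, validate each file with validate_conf, then restart rsyslog on both. On R, check_listener 514 is the same test as the ss command above; if it fails, the input() is missing and no firewall rule will help. The $AllowedSender line narrows who may connect, but it is not a substitute for the firewall rule, and plain TCP syslog carries no authentication or encryption, so keep the senders on a trusted network.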

Thanks, jmozdzen and ab!
I’ve added *.* @@172.29.39.10:514 to the end of /etc/sysconfig/syslog, restarted the service and it works!
Firewall is turned off.

Hi bm_rec,

bm_rec wrote:
Thanks, jmozdzen and ab!
I’ve added *.* @@172.29.39.10:514 to the end of /etc/sysconfig/syslog, restarted the service and it works!
Firewall is turned off.

Are you sure? /etc/sysconfig/syslog usually doesn’t contain any syslog configuration file settings, but rather environment variables used by the service startup.

Your config statement rather belongs into /etc/rsyslog.d/remote.conf.

Regards,
Jens

Hm, I’ve added *.* @@172.29.39.10:514 to /etc/rsyslog.d/remote.conf on another server and it works. Strange…

Hi bm_rec,

you lost me :slight_smile:

Hm, I’ve added *.* @@172.29.39.10:514 to /etc/rsyslog.d/remote.conf on another server and it works. Strange…

So the central syslog server works (I’ll call it “server R”) and a certain remote client (I’ll call it server B) can actually send syslog messages to that central syslog server R.

I’ve added *.* @@172.29.39.10:514 to the end of /etc/sysconfig/syslog, restarted the service and it works!

That was for the server you’ve started this thread for (I’ll call it server A). Now, does remote syslogging work for this “server A” at the moment, or does it still fail? And if it works, where (at the moment) is this rsyslog config statement added? I’ve seen you mention /etc/rsyslog.conf, /etc/rsyslog.d/remote.conf and /etc/sysconfig/syslog.

Or the other way around: what’s “strange” at the moment? Because, in the world of computers, “strange” seems to be a rather common but not very helpful state :smiley:

Regards,
J