====== Rsyslog ======
**General Information**

Rsyslog administration and config.

**Checklist**

  * Distro(s): Enterprise Linux 6
  * Other: Rsyslog installed (default)

----
===== Remote Logging with Rsyslog =====
How to send syslogs to a remote system using the RELP (Reliable Event Logging Protocol) module.
==== Prerequisites ====
Install the RELP module:

  yum -y install rsyslog-relp

----
==== Receiving Syslog System ====
Edit /etc/rsyslog.conf:

  #### Modules ####
  # Provides RELP syslog reception
  $ModLoad imrelp
  $InputRELPServerRun 10514
  
  #### Rules ####
  ## Remote and local logging for local1 rule ##
  local1.* /opt/myapp/logs/applog.log

Restart the rsyslog service:

  service rsyslog restart

----
==== Sending Syslog System ====
Create a directory to save spool files:

  mkdir -p /var/spool/rsyslog
  chmod -R 700 /var/spool/rsyslog

  * The spool directory is used when the rsyslog client cannot reach the rsyslog server: messages are spooled to a file until the server can be reached again. Mode 700 restricts the spooled messages to the directory owner.

Edit /etc/rsyslog.conf:

  ## Load Module ##
  $ModLoad omrelp
  
  ## Spool directory for all rules ##
  $WorkDirectory /var/spool/rsyslog
  
  ## Local 1 forwarding rules ##
  $ActionQueueFileName srvfwd-local1 # set rule's spool file name, also enables disk mode
  $ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
  $ActionQueueType LinkedList # use asynchronous processing
  $ActionResumeRetryCount -1 # infinite retries on insert failure
  local1.* :omrelp:10.1.2.3:10514
  ## End local 1 rules ##

  * **Warning:** $ActionQueueFileName must be unique per ruleset/destination.

Restart the rsyslog service:

  service rsyslog restart

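
The warning above can be checked mechanically before a restart. The following is an added example, not part of the original page: a small lint that flags omrelp forwarding rules that reuse a spool file name or have none, so messages would be lost or mixed during a server outage. The function names ''check_relp_queues'' and ''sample_conf'' and the extra destinations 10.1.2.4 and 10.1.2.5 are constructed for illustration, and the lint assumes legacy-format, single-line rules.

```shell
#!/bin/sh
# Added example (not from the original page): lint legacy-format rsyslog rules.
# Reads rsyslog.conf from the named file(s) or stdin; returns 1 on any finding.
check_relp_queues() {
    awk '
        { sub(/[ \t]*#.*/, "") }               # drop comments
        /^[ \t]*$/ { next }                     # skip blank lines
        tolower($1) == "$actionqueuefilename" { pending = $2; next }
        /^[ \t]*\$/ { next }                    # any other $Directive
        {                                       # what is left is a rule line
            if ($0 ~ /:omrelp:/) {
                if (pending == "") {
                    printf "NOQUEUE line %d: %s has no spool file name\n", NR, $NF
                    bad = 1
                } else if (pending in seen) {
                    printf "DUPLICATE line %d: %s reuses %s from line %d\n", NR, $NF, pending, seen[pending]
                    bad = 1
                } else {
                    seen[pending] = NR
                }
            }
            pending = ""    # legacy queue settings apply to one action only
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample config; 10.1.2.4 and 10.1.2.5 are made-up destinations.
sample_conf() {
    cat <<'EOF'
$ModLoad omrelp
$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName srvfwd-local1
$ActionQueueType LinkedList
local1.* :omrelp:10.1.2.3:10514
$ActionQueueFileName srvfwd-local1   # copy-pasted, not renamed
$ActionQueueType LinkedList
local2.* :omrelp:10.1.2.4:10514
local3.* :omrelp:10.1.2.5:10514
EOF
}

# Demo run on the constructed sample; prints one finding per line.
sample_conf | check_relp_queues || true
```

Against a real system, run ''check_relp_queues /etc/rsyslog.conf'' and restart rsyslog only when it prints nothing.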
----
==== Testing ====
Send test messages from the client:

  logger -p local1.info "testing local1"

Check the logs on the receiver:

  grep testing /opt/myapp/logs/applog.log