====== Rsyslog ======

**General Information**

Rsyslog administration and config.

**Checklist**
  * Distro(s): Enterprise Linux 6
  * Other: Rsyslog installed (default)

----

===== Remote Logging with Rsyslog =====

How to send syslogs to a remote system using the RELP (Reliable Event Logging Protocol) module.

==== Prerequisites ====

Install the RELP module
  yum -y install rsyslog-relp

----

==== Receiving Syslog System ====

Edit /etc/rsyslog.conf:
  #### Modules ####
  # Provides RELP syslog reception
  $ModLoad imrelp
  $InputRELPServerRun 10514
  #### Rules ####
  ## Remote and local logging for local1 rule ##
  local1.* /opt/myapp/logs/applog.log

Restart rsyslog service
  service rsyslog restart

----

==== Sending Syslog System ====

Create a directory to save spool files
  mkdir -p /var/spool/rsyslog
  chmod 700 -R /var/spool/rsyslog

  * This is used in case the rsyslog client cannot reach the rsyslog server. Messages are spooled in a file until it can be reached again.

Edit /etc/rsyslog.conf
  ## Load Module ##
  $ModLoad omrelp
  ## Spool directory for all rules ##
  $WorkDirectory /var/spool/rsyslog
  ## Local 1 forwarding rules ##
  $ActionQueueFileName srvfwd-local1 # set rule's spool file name, also enables disk mode
  $ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
  $ActionQueueType LinkedList # use asynchronous processing
  $ActionResumeRetryCount -1 # infinite retries on insert failure
  local1.* :omrelp:10.1.2.3:10514
  ## End local 1 rules ##

  * Warning: $ActionQueueFileName must be unique per ruleset/destination.

Restart rsyslog service
  service rsyslog restart

----

==== Testing ====

Send test messages from client
  logger -p local1.info "testing local1"

Check logs on receiver
  grep testing /opt/myapp/logs/applog.log
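
A lint for the sending system's rsyslog.conf that checks the two spooling conditions described above: every $ActionQueueFileName is unique, and $WorkDirectory is set whenever a disk queue is configured. This is an added example, not part of the original page; the function names and the second (local2) rule in the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a legacy-format rsyslog sender config for spool-queue
# mistakes. Function names are hypothetical, not part of rsyslog.

# Constructed sample: two rules share one queue file name, no $WorkDirectory.
write_sample_conf() {
    cat > "$1" <<'EOF'
$ModLoad omrelp
$ActionQueueFileName srvfwd-local1
$ActionQueueType LinkedList
local1.* :omrelp:10.1.2.3:10514
$ActionQueueFileName srvfwd-local1
$ActionQueueType LinkedList
local2.* :omrelp:10.1.2.3:10514
EOF
}

# Print every $ActionQueueFileName value that appears more than once.
dup_queue_names() {
    awk '$1 == "$ActionQueueFileName" { seen[$2]++ }
         END { for (n in seen) if (seen[n] > 1) print n }' "$1" | sort
}

# Print the configured $WorkDirectory (last one wins); nothing if unset.
work_directory() {
    awk '$1 == "$WorkDirectory" { d = $2 } END { if (d != "") print d }' "$1"
}

# Return 0 if the config passes both checks, 1 otherwise (findings on stderr).
lint_sender_conf() {
    conf=$1; rc=0
    dups=$(dup_queue_names "$conf")
    if [ -n "$dups" ]; then
        echo "duplicate \$ActionQueueFileName: $dups" >&2; rc=1
    fi
    if grep -q '^[[:space:]]*\$ActionQueueFileName' "$conf" &&
       [ -z "$(work_directory "$conf")" ]; then
        echo "disk queue configured but \$WorkDirectory is not set" >&2; rc=1
    fi
    return $rc
}

# Demo on the constructed sample; both findings are reported.
tmp=$(mktemp); write_sample_conf "$tmp"
lint_sender_conf "$tmp" || echo "sender config needs fixing"
rm -f "$tmp"
```

Run `lint_sender_conf /etc/rsyslog.conf` on the client before restarting the service.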