Rsyslog

General Information

Rsyslog administration and configuration.

Checklist


Remote Logging with Rsyslog

How to send syslogs to a remote system using the RELP (Reliable Event Logging Protocol) module.

Prerequisites

Install the RELP module

yum -y install rsyslog-relp

Receiving Syslog System

Edit /etc/rsyslog.conf:

#### Modules ####
# Provides RELP syslog reception
$ModLoad imrelp
$InputRELPServerRun 10514
 
#### Rules ####
## Remote and local logging for local1 rule ##
local1.*  /opt/myapp/logs/applog.log

Restart the rsyslog service

service rsyslog restart

Sending Syslog System

Create a directory for the queue spool files

mkdir -p /var/spool/rsyslog
chmod 700 -R /var/spool/rsyslog

Edit /etc/rsyslog.conf:

## Load Module ##
$ModLoad omrelp
 
## Spool directory for all rules ##
$WorkDirectory /var/spool/rsyslog
 
## Local 1 forwarding rules ##
$ActionQueueFileName srvfwd-local1  # set rule's spool file name, also enables disk mode
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
$ActionQueueType LinkedList   # use asynchronous processing
$ActionResumeRetryCount -1    # infinite retries on insert failure
local1.*       :omrelp:10.1.2.3:10514
## End local 1 rules ##

Restart the rsyslog service

service rsyslog restart
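
The queue directives above protect only the action that immediately follows them: in rsyslog's legacy format, $ActionQueue* and $ActionResumeRetryCount are reset once an action line has been read. The script below is an added example (not part of the original page) that lints a sender configuration for this; the function names and the /var/log/local1.log rule in the misordered variant are constructed for illustration.

```shell
#!/bin/sh
# Lint a legacy-format rsyslog.conf: is every omrelp action queue-protected?
check_relp_forwarding() {   # reads FILE, or stdin if no argument is given
    awk '
    { sub(/[ \t]*#.*$/, ""); key = tolower($1) }    # drop comments
    NF == 0 { next }
    key == "$workdirectory"             { workdir = $2; next }  # global setting
    key == "$actionqueuefilename"       { qfile = $2; next }
    key == "$actionqueuetype"           { qtype = tolower($2); next }
    key == "$actionqueuesaveonshutdown" { save = tolower($2); next }
    key == "$actionresumeretrycount"    { retry = $2; next }
    substr($1, 1, 1) == "$" { next }                # other directives
    NF >= 2 {                                       # selector + action line
        if ($2 ~ /^:omrelp:/) {
            seen++; miss = ""
            if (workdir == "")                    miss = miss " workdir"
            if (qfile == "")                      miss = miss " queue-file"
            if (qtype == "" || qtype == "direct") miss = miss " async-queue"
            if (save != "on")                     miss = miss " save-on-shutdown"
            if (retry != "-1")                    miss = miss " infinite-retry"
            if (miss == "") print "OK", $1, $2
            else { bad++; print "WEAK", $1, $2, "missing:" miss }
        }
        qfile = qtype = save = retry = ""           # per-action settings reset
    }
    END { exit (bad > 0 || seen == 0) }             # non-zero: weak or no omrelp rule
    ' "${1:--}"
}

page_sender_conf() {        # the sender rules from this page
cat <<'EOF'
$ModLoad omrelp
$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName srvfwd-local1  # set rule's spool file name, also enables disk mode
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
$ActionQueueType LinkedList   # use asynchronous processing
$ActionResumeRetryCount -1    # infinite retries on insert failure
local1.*       :omrelp:10.1.2.3:10514
EOF
}

misordered_conf() {         # constructed: a file rule slipped in before the forward
    page_sender_conf | awk '/:omrelp:/ { print "local1.*  /var/log/local1.log" } { print }'
}

page_sender_conf | check_relp_forwarding
misordered_conf | check_relp_forwarding || echo "forwarding rule is not queue-protected"
```

Run it against the real file with check_relp_forwarding /etc/rsyslog.conf before restarting the service.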

Testing

Send a test message from the client

logger -p local1.info "testing local1"

Check the logs on the receiver

grep testing /opt/myapp/logs/applog.log