Rsyslog
General Information
Rsyslog administration and config.
Checklist
- Distro(s): Enterprise Linux 6
- Other: Rsyslog installed (default)
Remote Logging with Rsyslog
How to send syslogs to a remote system using the RELP (Reliable Event Logging Protocol) module.
Prerequisites
Install the RELP module
yum -y install rsyslog-relp
Receiving Syslog System
Edit /etc/rsyslog.conf:
#### Modules ####
# Provides RELP syslog reception
$ModLoad imrelp
$InputRELPServerRun 10514

#### Rules ####
## Remote and local logging for local1 rule ##
local1.* /opt/myapp/logs/applog.log
Restart rsyslog service
service rsyslog restart
Sending Syslog System
Create a directory to save spool files
mkdir -p /var/spool/rsyslog
chmod 700 -R /var/spool/rsyslog
- The spool directory is used when the rsyslog client cannot reach the rsyslog server. Messages are spooled to a file until the server can be reached again.
Edit /etc/rsyslog.conf
## Load Module ##
$ModLoad omrelp

## Spool directory for all rules ##
$WorkDirectory /var/spool/rsyslog

## Local 1 forwarding rules ##
$ActionQueueFileName srvfwd-local1 # set rule's spool file name, also enables disk mode
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
$ActionQueueType LinkedList # use asynchronous processing
$ActionResumeRetryCount -1 # infinite retries on insert failure
local1.* :omrelp:10.1.2.3:10514
## End local 1 rules ##
- Warning: $ActionQueueFileName must be unique per ruleset/destination.
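The uniqueness requirement in the warning above can be checked before the restart. The shell function below is an added example, not part of the original page; the second destination 10.1.2.4 and the local2 facility in the sample config are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): find $ActionQueueFileName values
# that are reused, which would make two action queues share one spool file.

# dup_queue_names FILE... : print each reused name with its locations;
# return 1 if any name appears more than once, 0 otherwise.
dup_queue_names() {
    awk '
        # Commented-out directives never match: their first field starts with "#".
        # The directive is matched regardless of case (a conservative choice).
        tolower($1) == "$actionqueuefilename" && NF >= 2 {
            count[$2]++
            where[$2] = where[$2] " " FILENAME ":" FNR
        }
        END {
            rc = 0
            for (n in count) if (count[n] > 1) {
                printf "duplicate queue file name %s at%s\n", n, where[n]
                rc = 1
            }
            exit rc
        }
    ' "$@"
}

# Constructed sample: two forwarding rules that wrongly share a spool name.
# 10.1.2.4 and local2 are made-up values for the demonstration.
write_bad_sample() {
    cat > "$1" <<'EOF'
$ModLoad omrelp
$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName srvfwd-local1 # first destination
$ActionQueueType LinkedList
local1.* :omrelp:10.1.2.3:10514
$ActionQueueFileName srvfwd-local1 # second destination, same name
$ActionQueueType LinkedList
local2.* :omrelp:10.1.2.4:10514
EOF
}

sample=$(mktemp)
write_bad_sample "$sample"
dup_queue_names "$sample" || echo "fix the names above before restarting rsyslog"
rm -f "$sample"
```

On a real system, pass /etc/rsyslog.conf together with any files it includes, so that names reused across files are also caught.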
Restart rsyslog service
service rsyslog restart
Testing
Send test messages from client
logger -p local1.info "testing local1"
Check logs on receiver
grep testing /opt/myapp/logs/applog.log