Home / ubuntu / Questions / 562505
In Process
Roboman1723
Asked: 2014-12-18 07:21:53 +0800 CST

How to use rsyslog?

  • 772

I've been scouring forums for a few hours and cannot find a concrete explanation on how to use rsyslog. I really just need the basics.

I have a log file logFile.log and I want to forward the logs to server2 on port 514. How would I setup rsyslog to do this? I will provide any extra information as needed.

12.04

1 Answers

  1. Well I see a few people checking this question out and I figured out how to do it. So I'll make a small beginner's guide to rsyslog.

    If you just want to forward syslog data to a remote server:

    Add this line to the bottom of /etc/rsyslog.d/50-default.conf (based on protocol):

    UDP: *.* @remoteserverIP:PORT #usually port 514

    TCP: *.* @@remoteserverIP:PORT #usually port 514

    Add these lines to a .conf file you create in /etc/rsyslog.d/

    $ModLoad imfile
$InputFileName /var/log/test   #change this to desired input
$InputFileTag test             #change filetag
$InputFileStateFile stat-test  
$InputFileSeverity info        #log severity
InputRunFileMonitor           
*.* @remoteserverIP:PORT       #change to remote server

    Restart rsyslog

    sudo service rsyslog restart

    Then on the remote (logging) server you need to edit the /etc/rsyslog.conf file to listen for traffic. The top of the file will have these sections:

    # provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

    Uncomment the section for the appropriate protocol.

    At the end of the file you'll probably want to include some sort of filtering template so the logs get parsed out into files based on where they came from. Here's an example:

    $template FILENAME,"/var/log/%fromhost-ip%/access.log
*.* ?FILENAME

    Save the file and restart the service on this machine.

    Hopefully this works for all of you!

    • 3