Rsyslog has replaced syslog as the default logging daemon in RHEL 6. Rsyslog was designed to compete with syslog-ng and has several enhancements over plain old syslog. These include, but are not limited to, finer-grained timestamps, direct database logging, TCP support, and relay hostnames in the host field, which makes it easier to trace the path a message has taken.
Below we are going to take a look at a few simple rsyslog configuration items.
Configure Rsyslog to Accept Remote Logs
Within /etc/rsyslog.conf, uncomment (enable) either the TCP or the UDP syslog reception lines shown below. TCP is more reliable; UDP, however, is more widely supported.
# Provides UDP syslog reception
# Provides TCP syslog reception
Configure a Server to Send Logs to a Remote Host
To send all messages of info priority or higher to a remote host via UDP, use the following format. Note that 10.1.224.34 is the remote server that I want to send logs to.
To send the same priorities to the remote host via TCP, use "@@" (two at signs) instead of a single "@".
Note that you can specify the destination port by writing the target as IP:PORT. When no port is specified, the default port of 514 is used.
Note that, depending on your configuration, you may need to alter the iptables rules on your sending and/or receiving server. In my case I needed to allow UDP on port 514 on my remote syslog server. To accomplish this I used system-config-firewall-tui, which added the following line to /etc/sysconfig/iptables.
-A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
This rule appears as follows in the output of 'iptables -L':
ACCEPT udp -- anywhere anywhere state NEW udp dpt:syslog
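The forwarding syntax above ('@host[:port]' for UDP, '@@host[:port]' for TCP, port 514 by default) and the firewall rule it requires on the receiver go together, so here is an added example, not code from the post, that parses the forwarding actions out of a legacy-format rsyslog.conf and derives the receiver-side iptables rules in the form system-config-firewall wrote. The config excerpt is constructed for the example: 10.1.224.34 is the server from the post, logs.example.invalid is a placeholder.

```python
import re

DEFAULT_SYSLOG_PORT = 514  # used when the action carries no :PORT suffix

# Constructed rsyslog.conf excerpt (legacy selector/action syntax); 10.1.224.34 is the
# remote server from the post, logs.example.invalid is a made-up placeholder host.
SAMPLE_CONF = """\
*.info;mail.none;authpriv.none;cron.none  /var/log/messages
*.info                                    @10.1.224.34
*.info                                    @@10.1.224.34:6514
authpriv.*                                @@logs.example.invalid
"""

# selector, whitespace, '@' (UDP) or '@@' (TCP), host, optional ':port'
FORWARD_RE = re.compile(r"^(?P<selector>\S+)\s+(?P<at>@@?)(?P<host>[^:\s]+)(?::(?P<port>\d+))?$")


def parse_forwarding_rules(conf_text):
    """Return one dict per remote-forwarding action; file actions and comments are skipped."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FORWARD_RE.match(line)
        if m is None:
            continue  # a file action or something else, not a '@host' / '@@host' target
        rules.append({
            "selector": m.group("selector"),
            "transport": "tcp" if m.group("at") == "@@" else "udp",
            "host": m.group("host"),
            "port": int(m.group("port") or DEFAULT_SYSLOG_PORT),
        })
    return rules


def receiver_iptables_rules(rules):
    """iptables INPUT rules the receiving host needs, one per distinct protocol/port,
    in the same form system-config-firewall produced for UDP/514 in the post."""
    lines = []
    for r in rules:
        p = r["transport"]
        line = f"-A INPUT -m state --state NEW -m {p} -p {p} --dport {r['port']} -j ACCEPT"
        if line not in lines:
            lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(receiver_iptables_rules(parse_forwarding_rules(SAMPLE_CONF))))
```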
Testing Your Configuration
OK, let's send a test message to our remote syslog server. Note that rsyslog has been restarted on both hosts.
# logger "testing to remote rsyslog server"
Checking the messages file on the remote host, we can see that the test message has arrived.
Aug 13 14:55:26 vfatmin02 root: testing to remote rsyslog server