Basic set up of rsyslog

Post by vinmansbrew » 2017/09/25 13:54:06

I need to set up a syslog server for a number of client machines to send to. Seems like it should be straightforward, but searches come up with simple things from just uncommenting a few lines in /etc/rsyslog, to big setups that require installing mysql/php/httpd, etc.
I just need to know what is required to set up rsyslog so that clients can dump logs to it, and how to make it so that each client dumps its logs into a separate folder. Maybe something like logstash would be better for that part?

Oh, the servers are on different subnets, so any info on the firewall ports would possibly be helpful.
Also, the logserver is 6.9.

To add a small bit of info, I can telnet to the host on port 514 from 2 different subnets. So, rsyslog is listening on 514. I know, shut off telnet, I just did it to verify connection. So, that part is going on the server.
Thanks!

Re: Basic set up of rsyslog

Post by vinmansbrew » 2017/09/26 19:23:16

Just to keep it cleaner.
I changed rsyslog to UDP. UDP does listen, and if a client is pointed to the logserver, I seem to get logs.

I tried to put this rule in rsyslog.d/*.conf, but I had to # the first line. It made the directory, remote, and did drop a burst of logs in, but then stopped.

module(load="imudp")
input(type="imudp" port="514" ruleset="RemoteDevice")
template(name="DynFile" type="string" string="/var/log/remote/system-%FROMHOST-IP%.log")
ruleset(name="RemoteDevice"){
    action(type="omfile" dynaFile="DynFile")
}

Anyone got an idea why?

Re: Basic set up of rsyslog

Post by vinmansbrew » 2017/09/27 19:01:50

OK, since I never heard anything, maybe this will be somewhat useful.

I uncommented the 2 UDP lines in rsyslog.conf.

Put this in the rsyslog.d/*.conf:

#module(load="imudp")
input(type="imudp" port="514" ruleset="Remote")
template(name="DynFile" type="string" string="/var/log/remote/%FROMHOST-IP%.log")
ruleset(name="Remote"){
    action(type="omfile" dynaFile="DynFile")
}

Put in rsyslog 514/udp and commented out syslog 514/udp in /etc/services.

So far, the one client I configured to send logs does seem to be sending, and the logserver made the file and is getting the logs.
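
An added example, not part of the original posts: a small Python self-test for the per-client setup above. It sends one uniquely marked UDP syslog message and checks that it lands in the file the DynFile template names after the sender's address. All function names, the "testclient" host field and the "selftest" tag are made up for illustration; it assumes no NAT between client and log server.

```python
import os
import socket
import time

REMOTE_DIR = "/var/log/remote"  # directory used by the DynFile template in the post


def build_packet(marker, facility=1, severity=6, host="testclient", tag="selftest"):
    """RFC 3164-style message; host and tag are constructed sample values."""
    stamp = time.strftime("%b %d %H:%M:%S")
    return f"<{facility * 8 + severity}>{stamp} {host} {tag}: {marker}".encode()


def dynfile_path(src_ip, base=REMOTE_DIR):
    """Path that /var/log/remote/%FROMHOST-IP%.log expands to for one sender."""
    return os.path.join(base, f"{src_ip}.log")


def emulate_ruleset(sock, base):
    """Stand-in for imudp + omfile when no rsyslog is at hand: file one datagram
    under the socket's peer address, not the host field inside the message."""
    data, (src_ip, _port) = sock.recvfrom(8192)
    os.makedirs(base, exist_ok=True)
    path = dynfile_path(src_ip, base)
    with open(path, "a") as fh:
        fh.write(data.decode(errors="replace") + "\n")
    return path


def send_marker(server, port=514):
    """Run on a client: send one marked message, return (marker, source IP used)."""
    marker = "rsyslog-selftest-" + os.urandom(8).hex()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((server, port))  # pins the local address the server will see
        s.send(build_packet(marker))
        return marker, s.getsockname()[0]


def marker_logged(marker, src_ip, base=REMOTE_DIR, wait=3.0):
    """Run on the log server: poll the per-client file until the marker shows up."""
    deadline = time.time() + wait
    while time.time() < deadline:
        try:
            with open(dynfile_path(src_ip, base), errors="replace") as fh:
                if marker in fh.read():
                    return True
        except FileNotFoundError:
            pass
        time.sleep(0.2)
    return False
```

Call send_marker() on a client, then marker_logged() on the log server with the returned values; a False result after the first burst points at the network path or the ruleset rather than the client.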
