Chained Syslog forwarding

rsyslogsyslog

Is there a way to chain syslog forwarding? For example, how can a clienthost forward its syslogs to ServerA and ServerA forward everything to CentralSyslogServer?

I'm using rsyslog.

The reason is that Server A is a dual homed machine which gets logs from other hosts which should all be stored in CentralSyslogServer. Currently CentralSyslogServer seems to only be getting ServerA's local logs but nothing that was forwarded to ServerA from the clienthost.

Resolved:

I had to edit /etc/sysconfig/syslog and add -h to the SYSLOGD_OPTIONS

My mistake – serverA is using syslogd

Best Answer

Yes you can:

In clienthost's rsyslog.conf:

*.* @@ServerA:514

In ServerA's rsyslog.conf:

*.* @@CentralSyslogServer:514

Of course, this is some really basic usage. Read the manual or online how-tos to get more advanced usage. Here's a little how-to about reliable forwarding with rsyslog.

To tell your servers to receive logs:

$ModLoad imtcp
$InputTCPServerRun 514

Related Solutions

Syslog forwarding loses original hostname

Personally I would recommend using syslog-ng for your internal server - it provides a whole lot more than rsyslog. Of specific interest in your case it provides some much better handling for managing / rewriting / etc for the hostnames.

If you decide to stick with rsyslog this configuration does preserve both the remote and local hostnames - it is what I used before switching to syslog-ng.

$ModLoad imuxsock.so
$ModLoad imklog.so      
$ModLoad imudp.so
$UDPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

I also was using the "-c 4" options in my init script, if it matters.

Forwarding from rsyslog to syslog-ng over TCP not working (although packets are reaching server)

Problem was tcpwrappers which was obvious once I set up a test syslog-ng instance and ran it with debug output turned on. Adding the following clause to /etc/hosts.allow did the trick

syslog-ng: 10.0.0.0/255.0.0.0

Also realised that we didn't handle syslog-ng's internal messages (which may well have told us what the problem was). Have now added the following lines to do this ...

# Deal with syslog-ng's own messages
source s_internal { internal(); };
destination d_internal {file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_internal); };

Best Answer

Related Solutions

Syslog forwarding loses original hostname

Forwarding from rsyslog to syslog-ng over TCP not working (although packets are reaching server)

Related Topic