rsyslog on Debian – How to Enable Remote Listening

debianrsyslogsyslog

I'm configuring a Debian Squeeze server to receive syslog from some appliances, but rsyslog is refusing to listen to UDP 514.

The closest I have been able to get from it is to make it listen to TCP 514 with -c2 -r -t514. I haven't found any combination of parameters that got it listening on UDP.

Squeeze's rsyslog version is 4.6.4-2.

Best Answer

In your /etc/rsyslog.conf:

$ModLoad imudp.so
$UDPServerRun 514

Then in your rsyslogd start options (/etc/sysconfig/rsyslog on RHEL-based distros, not sure where it resides in Debian-based ones), you need to add -r514 to SYSLOGD_OPTIONS.

Related Solutions

Linux – How to stop syslog from listening to 514 on CentOS 5.8

I just did some testing, and while the port is definitely opened by syslogd, it doesn't look like it's actually handling or logging any activity directed to it on UDP 514. You can verify this by sending data with netcat:

topher@nexus:~$ nc -u localhost 514
This is a test.
This is another test.
^C

And then checking the logfile. I tested it on two RHEL5 boxes, and if -r isn't used, it won't actually process the logs.

Update: Another solution (or, really, work-around) that I just thought of would be to install rsyslog (or syslog-ng) as a replacement syslog daemon for the default sysklogd. Neither of these alternate syslog daemons suffer from the bug described above.

rsyslog is the default syslog daemon with RHEL 6.x, and is available as a supported package for RHEL/CentOS 5.2+. rsyslog is under active development (sysklogd is not, and hasn't been for years). rsyslog also supports many advanced features and functionality. As mentioned, with RHEL/CentOS 5.2+, switching from the stock syslogd to rsyslog is as easy as yum install rsyslog.

If you do decide on replacing your syslog daemon, and you want something cleaner and more flexible (in my opinion), Syslog-NG is worth taking a look at. The config file doesn't maintain backwards compatibility with the old syslog.conf (rsyslog does), so it can seem a little complicated at first glance, but for complex or advanced logging setups (especially at a central loghost), Syslog-NG is an excellent choice.

Ssl – rsyslog starttls ssl

According to rsyslog'd documentation the gtls driver supports EITHER unencrypted transmission just like the ptcp driver does with InputTCPServerStreamDriverMode set to 0, or TLS mode with it set to 1.

It also states:

Note: mode 0 does not provide any benefit over the ptcp driver. This mode exists for technical reasons, but should not be used. It may be removed in the future.

Thus it appears you have to choose encrypted or not encrypted, at least for a particular IP address+port combination. So you will have to setup two ports, one using the ptcp driver, and one with the gtls driver. Or if every system you have logging supports encryption, only use encrypted syslog connections.

Best Answer

Related Solutions

Linux – How to stop syslog from listening to 514 on CentOS 5.8

Ssl – rsyslog starttls ssl

Related Topic