The only thing you need in rsyslog.conf to forward to a remote IP address is *.* @@192.0.2.25:514;
Regarding your other question...
I tried executing logger -p cron.info TEST on the client machine and found nothing is added to /var/log/cron!
Be sure you restart rsyslogd after changing the configuration; you also need to be sure that /var/log/cron exists.
EDIT
To demonstrate what successful log entries look like, I started rsyslogd with rsyslogd -c4 -d; this sends all debugging to my ssh session. I am logging cron.info to /var/log/syslog. In a different ssh session, I ran logger -p cron.info "my test again"... this is what I see before it logs successfully to /var/log/syslog...
4578.692833385:b6d8fb70: Message from UNIX socket: #3
4578.692906216:b6d8fb70: logmsg: flags 4, from 'Bucksnort', msg Jul 15 10:02:58 mpenning: my test again
4578.692936284:b6d8fb70: Message has legacy syslog format.
4578.692977796:b6d8fb70: main Q: entry added, size now 1 entries
4578.693017277:b6d8fb70: wtpAdviseMaxWorkers signals busy
4578.693079869:b6d8fb70: main Q: EnqueueMsg advised worker start
4578.693117891:b6d8fb70: --------imuxsock calling select, active file descriptors (max 5): 3 5
4578.693210533:b7590b70: main Q: entry deleted, state 0, size now 0 entries
4578.693246128:b7590b70: testing filter, f_pmask 0
4578.693269892:b7590b70: testing filter, f_pmask 255
4578.693296429:b7590b70: Called action, logging to builtin-file
4578.693340007:b7590b70: file to log to: /var/log/syslog
4578.693369336:b7590b70: doWrite, pData->pStrm 0x96b6268, lenBuf 50
4578.693400172:b7590b70: strm 0x96b6268: file 7(syslog) flush, buflen 50
4578.693487314:b7590b70: strm 0x96b6268: file 7 write wrote 50 bytes
4578.693512965:b7590b70: testing filter, f_pmask 0
4578.693530524:b7590b70: testing filter, f_pmask 0
4578.693547988:b7590b70: testing filter, f_pmask 0
4578.693564966:b7590b70: testing filter, f_pmask 0
4578.693581783:b7590b70: testing filter, f_pmask 0
4578.693599197:b7590b70: testing filter, f_pmask 0
4578.693616153:b7590b70: testing filter, f_pmask 0
4578.693632854:b7590b70: testing filter, f_pmask 0
4578.693649647:b7590b70: testing filter, f_pmask 0
4578.693666837:b7590b70: testing filter, f_pmask 0
4578.693683852:b7590b70: testing filter, f_pmask 0
4578.693700593:b7590b70: testing filter, f_pmask 128
4578.693717070:b7590b70: testing filter, f_pmask 0
4578.693734486:b7590b70: testing filter, f_pmask 1
4578.693751624:b7590b70: testing filter, f_pmask 240
4578.693769534:b7590b70: Called action, logging to builtin-pipe
4578.693791155:b7590b70: (/dev/xconsole)
4578.693820288:b7590b70: main Q:Reg/w0: worker IDLE, waiting for work.
UDP doesn't have sequence numbers; there would be no way to combine messages coherently (if they arrive out of order).
Syslog UDP Transport - https://www.rfc-editor.org/rfc/rfc5426
3.1. One Message Per Datagram
Each syslog UDP datagram MUST contain only one syslog message, which
MAY be complete or truncated. The message MUST be formatted and
truncated according to RFC 5424 [2]. Additional data MUST NOT be
present in the datagram payload.
Best Answer
Probably you should send the message without the hostname (foo) and in rfc3164 format (not rfc5424 as the above) to get it parsed.
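
The two points above (one message per datagram from RFC 5426, and RFC 3164 versus RFC 5424 framing) as an added example that is not from the original answers: it builds a cron.info message in both formats and sends each in its own UDP datagram. The function names, the year in the sample timestamp and the 480-octet default (the size RFC 5426 requires every IPv4 receiver to accept) are assumptions of the example.

```python
import socket
from datetime import datetime, timezone

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
CRON, INFO = 9, 6  # facility/severity behind "logger -p cron.info"

def pri(facility=CRON, severity=INFO):
    """PRI value carried in <...>: facility * 8 + severity."""
    return facility * 8 + severity

def rfc3164(when, tag, msg, hostname=None):
    """Legacy BSD line: <PRI>Mmm dd hh:mm:ss [HOST] TAG: MSG (day is space-padded)."""
    stamp = f"{MONTHS[when.month - 1]} {when.day:>2} {when:%H:%M:%S}"
    host = f"{hostname} " if hostname else ""
    return f"<{pri()}>{stamp} {host}{tag}: {msg}"

def rfc5424(when, hostname, app, msg):
    """<PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG, with "-" as the nil value."""
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri()}>1 {stamp} {hostname} {app} - - - {msg}"

def to_datagram(message, max_len=480):
    """One message per datagram; truncate at the end, never inside a UTF-8 character."""
    data = message.encode("utf-8")
    if len(data) <= max_len:
        return data
    return data[:max_len].decode("utf-8", errors="ignore").encode("utf-8")

def send_udp(messages, host, port, max_len=480):
    """Send each message in its own datagram; return the payloads actually sent."""
    sent = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for message in messages:
            payload = to_datagram(message, max_len)
            sock.sendto(payload, (host, port))
            sent.append(payload)
    return sent

if __name__ == "__main__":
    # Constructed sample values; a loopback socket stands in for the collector.
    when = datetime(2011, 7, 15, 10, 2, 58, tzinfo=timezone.utc)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        send_udp([rfc3164(when, "mpenning", "my test again"),
                  rfc5424(when, "Bucksnort", "mpenning", "my test again")],
                 *rx.getsockname())
        for _ in range(2):
            print(rx.recv(2048).decode("utf-8"))
```

Run as a script, it prints the two datagrams exactly as a collector would receive them, which is the form to compare against the "logmsg:" line in the rsyslogd -d output.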