Rsyslog – Relay Only Remotely Received Messages

rsyslog

I am looking at building a syslog relay in order to move from my clients'-enforced UDP stream to TCP. Specifically, I would like to move from

client --UDP_PORT_999--> server1

to

client --UDP_PORT_999--> server1 --TCP_PORT_514--> server2

I found in the rssylog documentation both how to setup remote (client and server) syslog and how to correctly configure failover (in case where server2 is not available) but I do not know how to translate "forward to server2 only messages coming from a remote client" (or, alternatively, "forward to server2 only messages coming on port UDP 999"). In other words I would like to keep local syslog processing on server1 and simply proxy what comes in via UDP to outgoing messages via TCP.

I am not religiously attached to rsyslog so if there is a good way to set this up (including failover) on syslog-ng it would be perfect as well.

Thank you for any pointers!

WoJ

PS. I posted the question on the rsyslog forum just to realize afterwards that I will be probably better off posting my question here 🙂

EDIT: nxlog will be a better solution (see answer below & my comment)

Best Answer

I can also recommend you nxlog as its configuration allows you to more naturally define the flow what you specified above.

Config skeleton:

<Input udpin>
 Module im_udp
 ...
</Input>

<Output tcpout>
 Module om_tcp
 ...
</Output>

<Route forwarder>
 Path udpin => tcpout
</Route>

Related Solutions

Forwarding rsyslog to syslog-ng, with FQDN and facility separation

Okay, I found a way. It turns out the $ActionForwardDefaultTemplate by default is set to :

$ActionForwardDefaultTemplate RSYSLOG_ForwardFormat

Per this rsyslog documentation, the RSYSLOG_ForwardFormat is specifically used to maintain interoperability between different syslogs. No shocker then that if you modify this Forward template as I described originally, some functionality for other syslogs break:

$template MyTemplate, "%timestamp% <FQDN> %syslogtag%%msg%"
$ActionForwardDefaultTemplate MyTemplate

The workaround I found was to dig up the back-end template that RSYSLOG_ForwardFormat uses and mimic it. After digging through the source I eventually found that RSYSLOG_ForwardFormat is actually this:

"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"

So, if I create a custom template with almost the same content, but substitute my FQDN in place of the %HOSTNAME% macro, syslog-ng facility separation works properly and the system logs with FQDN:

$template MyForwardTemplate, "<%PRI%>%TIMESTAMP% <fqdn> %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
$ActionForwardDefaultTemplate MyForwardTemplate

Rsyslog udp forwarding truncates at 2048 characters

UDP doesn't have sequence numbers, there would be no way to combine messages coherently (if they arrive out of order)

Syslog UDP Transport - https://www.rfc-editor.org/rfc/rfc5426

3.1. One Message Per Datagram

Each syslog UDP datagram MUST contain only one syslog message, which MAY be complete or truncated. The message MUST be formatted and truncated according to RFC 5424 [2]. Additional data MUST NOT be present in the datagram payload.

Related Topic