I have an Ubuntu server that will be running rsyslog and many "client" devices and applications sending logs to it (via various syslog clients).

I know that rsyslog logs everything to /var/log, but ideally I could "pump" these logs to a file on another machine. This would effectively make the server where rsyslog lives a centralized location for clients to send log messages to, but would allow me to send the logs to a network drive or a machine with a considerably larger storage capability.

Is this possible to do? I know rsyslog has a lot of modules that you can plug in, but I don't see any that allow you to override /var/log in favor of a remote file location. Any ideas?

1 Answer

For this purpose you can set up an rsyslog server and rsyslog clients.

Server:

```
# Load the UDP input module and listen on port 514
$ModLoad imudp
$UDPServerRun 514
```

To use a TCP connection (which is slower but more reliable), search for and uncomment the lines below.

```
# Load the TCP input module and listen on port 514
$ModLoad imtcp
$InputTCPServerRun 514
```

Set template for remote logs:

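```
# One file per sending host and program
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
# Discard the message after writing it so later rules do not log it again
& ~
```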

Restart syslog.

For clients:

```
# A single @ forwards over UDP; use @@ to forward over TCP
*.* @192.168.10.254:514
```

Configure where to send logs.

And do not forget to restart rsyslog.

Romeo Ninov
  • Thanks @Romeo (+1) -- when you say "_Configure where to send logs._" can you please explain how this is accomplished? Thanks again! – hotmeatballsoup Jul 18 '22 at 11:48
  • @hotmeatballsoup, this is client config. You define to which host and port to send logs. – Romeo Ninov Jul 18 '22 at 12:04
  • Thanks, I assume I would do this in the server's `/var/conf/syslog.ini` file? Something like `send.logs=:/some/path/to/logfile.log` maybe? – hotmeatballsoup Jul 18 '22 at 12:24
  • @hotmeatballsoup, for the server it is the first two lines (port and template). You can check the links for more detailed info. – Romeo Ninov Jul 18 '22 at 12:28
  • OK thanks again. I guess I don't fully understand the "flow" of syslog/rsyslog then. My _understanding_ is that the flow of log messages would go `clients --> server --> logfile`, no? If that's the case, and if I want the server to write logs to another machine, then I'm not understanding how something like "`UDPServerRun 514`" would send logs to, say, `:/some/path/to/logfile.log`. Am I missing something big here? Thanks again, I'm honestly not trying to be difficult, I'm just not seeing the "forest through the trees!" – hotmeatballsoup Jul 18 '22 at 12:32
  • @hotmeatballsoup, this defines how the server will listen (`UDPServerRun 514`); `template` defines how the files (on the server) will be named – Romeo Ninov Jul 18 '22 at 12:44
  • Thank you! Two last followup questions, if you don't mind. **(1)** If I wanted to make a change to the `rsyslog` server config (change the value of the `%HOSTNAME%` it's writing to, etc.), I have to restart it, correct? If so, what will happen to the log messages coming from clients while the server is restarting? Will they be lost? Is there a way to restart `rsyslog` with the new configuration such that log messages sent by clients are not lost during the restart? And **(2)** is it possible to configure `rsyslog` to route different log messages to different log files based on certain criteria? – hotmeatballsoup Jul 18 '22 at 12:55
  • @hotmeatballsoup, the idea of this site is: one question+answers. So please open new questions: https://serverfault.com/questions/ask – Romeo Ninov Jul 18 '22 at 12:57
  • Apologies @Romeo! For reference: https://serverfault.com/questions/1105896/configuring-rsyslog-not-to-drop-messages-while-restarting and https://serverfault.com/questions/1105897/configuring-rsyslog-to-route-messages-to-different-log-files-based-on-content – hotmeatballsoup Jul 18 '22 at 13:01
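
The server and client setup from the answer, written in rsyslog's current configuration syntax, as an added example that is not part of the original answer: the listeners are bound to their own ruleset, so only messages received over the network are written to the per-host files and the server's own local logging is unaffected. The ruleset name `remote`, the file names in the comments and the `secpath-replace` option are assumptions added here; the address, port and path are the ones from the answer.

```rsyslog
# ---- Server (e.g. /etc/rsyslog.d/10-remote.conf; file name is an assumption) ----

# Load the network input modules
module(load="imudp")
module(load="imtcp")

# Same path layout as the answer's template. HOSTNAME and PROGRAMNAME are
# taken from what the sender put in the message, so secpath-replace turns
# any "/" in them into "_" before they become part of a file path.
template(name="RemoteLogs" type="string"
         string="/var/log/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

# Rules that apply only to messages arriving on the listeners below
ruleset(name="remote") {
    # dynaFile: the file name is computed per message from the template
    action(type="omfile" dynaFile="RemoteLogs")
    # modern replacement for "& ~": stop processing this message here
    stop
}

# Listen on port 514 (UDP and TCP) and hand everything to the "remote" ruleset
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# ---- Client (e.g. /etc/rsyslog.d/90-forward.conf; file name is an assumption) ----

# Forward all facilities and priorities to the server over TCP.
# protocol="udp" corresponds to the single-@ form shown in the answer.
*.* action(type="omfwd" target="192.168.10.254" port="514" protocol="tcp")
```

Running `rsyslogd -N1` on each machine checks the configuration for syntax errors before rsyslog is restarted.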