5

Is there a way to chain syslog forwarding? For example, how can a clienthost forward its syslogs to ServerA and ServerA forward everything to CentralSyslogServer?

I'm using rsyslog.

The reason is that Server A is a dual homed machine which gets logs from other hosts which should all be stored in CentralSyslogServer. Currently CentralSyslogServer seems to only be getting ServerA's local logs but nothing that was forwarded to ServerA from the clienthost.

Resolved:

I had to edit /etc/sysconfig/syslog and add -h to the SYSLOGD_OPTIONS

My mistake - serverA is using syslogd

garg

3 Answers

1

Yes you can:

In clienthost's rsyslog.conf:

*.* @@ServerA:514

In ServerA's rsyslog.conf:

*.* @@CentralSyslogServer:514

Of course, this is some really basic usage. Read the manual or online how-tos to get more advanced usage. Here's a little how-to about reliable forwarding with rsyslog.

To tell your servers to receive logs:

$ModLoad imtcp
$InputTCPServerRun 514

skinp
  • I've placed that rule in syslog.conf so it sends all facilities and levels to centralsyslogserver but it doesn't show up in centralsyslogserver strangely. – garg Aug 24 '11 at 16:06
  • Well, as I said in my answer, this is really basic usage and you definitely need some more configuration. At the very least, you also need to tell your servers to receive logs. Updated my answer for this... – skinp Aug 24 '11 at 16:14
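
Added example, not part of any answer in this thread: a shell check for the two relay gaps discussed above, a missing listener or forwarding rule in ServerA's rsyslog.conf, and a sysklogd relay started without -h. The function names and the sample file contents are constructed for illustration; the -r check assumes sysklogd's standard option for accepting messages from the network.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a relay host's syslog
# configuration for the two gaps discussed on this page.

# check_rsyslog_relay FILE: rsyslog legacy-syntax config, e.g. rsyslog.conf
check_rsyslog_relay() {
    conf=$1; rc=0
    # Receiving side: imtcp loaded and a TCP listener started.
    grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imtcp' "$conf" ||
        { echo "missing: \$ModLoad imtcp"; rc=1; }
    grep -Eq '^[[:space:]]*\$InputTCPServerRun[[:space:]]+[0-9]+' "$conf" ||
        { echo "missing: \$InputTCPServerRun <port>"; rc=1; }
    # Forwarding side: a selector whose action is @host (UDP) or @@host (TCP).
    grep -Eq '^[[:space:]]*[^#$[:space:]][^[:space:]]*[[:space:]]+@@?[^[:space:]@]+' "$conf" ||
        { echo "missing: forwarding action (@host or @@host)"; rc=1; }
    return $rc
}

# has_flag LETTER WORD...: true if a short-option word contains LETTER.
has_flag() {
    f=$1; shift
    for w in "$@"; do
        case $w in --*) ;; -*"$f"*) return 0 ;; esac
    done
    return 1
}

# check_sysklogd_relay FILE: sysconfig-style file, e.g. /etc/sysconfig/syslog
check_sysklogd_relay() {
    # Value of the last SYSLOGD_OPTIONS= line, with quotes stripped.
    opts=$(sed -n 's/^[[:space:]]*SYSLOGD_OPTIONS=//p' "$1" | tr -d "\"'" | tail -n 1)
    rc=0
    # $opts is left unquoted on purpose so it splits into option words.
    has_flag r $opts || { echo "missing: -r (receive from network)"; rc=1; }
    has_flag h $opts || { echo "missing: -h (forward remote messages)"; rc=1; }
    return $rc
}

# Constructed sample: a sysklogd relay that listens (-r) but lacks -h, so it
# stores remote messages locally and forwards only its own logs.
sample=$(mktemp)
echo 'SYSLOGD_OPTIONS="-m 0 -r"' > "$sample"
check_sysklogd_relay "$sample" || true
rm -f "$sample"
```

Run either function against the relay's actual configuration file; a non-zero return means the host will not pass client logs on to the central server.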
1

I think you need this manual: http://www.rsyslog.com/storing-and-forwarding-remote-messages/

Sander Steffann
0

It depends on the volume of syslogs you're getting but something like the free version of Splunk is just great at that kind of thing, not 100% sure it'll fit your requirement but thought I'd let you know anyway.

Chopper3