I have an application which writes its own log file in /var/log/app/app.log. How can I forward these logs to a remote Rsyslog server?

Aaron Copley

user2284355
4 Answers
3
You can do this with the imfile module.
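On the sending server's rsyslog config:

    # Load the file input module and describe the file to monitor
    $ModLoad imfile
    $InputFileName /var/log/app/app.log
    $InputFileTag tag_app_log:
    $InputFileStateFile app_log1
    $InputFileSeverity info
    $InputFileFacility local7
    # Activate the monitor defined by the directives above
    $InputRunFileMonitor
    # Use one of the two forwarding rules below
    # Send over TCP
    local7.* @@remoteserver
    # Send over UDP
    local7.* @remoteserver

On the receiving server's rsyslog config:

    # Write everything received on local7 to the given file
    $template YourApp, "/path/to/yourlogs/app/app.log"
    local7.* -?YourApp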

Aaron Copley
- You've not made any reference on how to actually forward the logs over TCP or UDP. Don't use TCP with imfile and rsyslog, however. I've seen some very dodgy behavior if the remote end goes away (for whatever reason). – Tom O'Connor Jul 10 '13 at 15:15
- You're right. I rushed to get this answered on my way out yesterday. I'll edit to include that bit. I included both methods, since any issue with rsyslog/tcp/and imfile should be submitted as a bug report. It's not unsupported so there should be an expectation for it to work. Additionally, you may want to configure local queuing and RELP for guaranteed delivery. (Outside the scope of the question.) – Aaron Copley Jul 10 '13 at 15:36
- Thank you very much for your help. This has gotten me halfway. For some reason logs from app.log are not being sent (tcpdump reports no traffic) but daemon specific traffic is. I opened another question on security stack-exchange with the specific application and where I am at the moment: http://security.stackexchange.com/questions/38709/how-to-make-honeyd-save-logs-in-rsyslog. Could you lend me a hand? Cheers – user2284355 Jul 10 '13 at 16:57
- The daemon messages are probably covered by the `*.*` rule on the sender. You need to focus on the configuration above. What version of rsyslog and on what distribution? This is generic for Red Hat 6, rsyslog 5.8.x which is what I have notes for in front of me. – Aaron Copley Jul 10 '13 at 17:13
- I have tried both TCP and UDP; none of them seem to relay any messages apart from the specific daemon logs. Currently I have the rsyslog server listening on UDP and have local7.* @remoteserver on my client. TCP dump is being checked on the sending server. – user2284355 Jul 10 '13 at 17:16
- Sending server is: Linux 3.2.0-48-generic #74-Ubuntu x86_64 x86_64 x86_64 GNU/Linux - Ubuntu Precise. rsyslogd 5.8.6 ---- Receiving server is: Linux 2.6.32-5-amd64 x86_64 GNU/Linux Debian based. rsyslogd 4.6.4 – user2284355 Jul 10 '13 at 17:19
- Using: logger -t honeyd "my little pony" correctly logs the string "my little pony" into /var/log/honeyd.log on my receiving server. – user2284355 Jul 10 '13 at 17:39
- I just recreated the logic above with /var/log/test and echoed $(date) to the file. It showed up on the receiver. Either the daemon is maintaining some sort of lock on the file that is preventing rsyslog from polling, or there's an inconsistency in the configuration syntax between releases. You may need to refer to distribution specific docs. – Aaron Copley Jul 10 '13 at 17:43
- Having done this very recently, some things to check: Make sure the modules are properly loaded for sending/receiving TCP/UDP, make sure your rsyslog server is listening on the port it's supposed to, make sure there's an established connection to that port from your client. Preferably, you'd use RELP, although contrary to what Tom is saying, the documentation tends to suggest TCP instead of UDP if you have to pick between those two. – gparent Jul 10 '13 at 20:52
- Thank you all very much for your help. The proposed syntax was perfect. Reinstalling rsyslog (apt-get install --reinstall rsyslog) did the trick for me. – user2284355 Jul 11 '13 at 11:51
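An added example, not part of the thread or of any answer's own code: a small Python check for the legacy-syntax sender config from the answer above, flagging the failure modes discussed here (file monitor never activated, no forwarding rule for the file's facility, the same target fed over both TCP and UDP). The function name, the sample config and the `local0` fallback facility are assumptions of this example.

```python
import re

# Constructed sample: the answer's sender config, minus $InputRunFileMonitor.
SAMPLE = """\
$ModLoad imfile
$InputFileName /var/log/app/app.log
$InputFileTag tag_app_log:
$InputFileStateFile app_log1
$InputFileFacility local7
local7.* @@remoteserver
local7.* @remoteserver
"""

def check_sender_config(text):
    """Return findings for a legacy-syntax imfile sender config."""
    loaded, pending, monitors, forwards, findings = False, {}, [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        prop = re.match(r"\$InputFile(\w+)\s+(\S+)", line)
        fwd = re.match(r"([\w*]+)\.\S+\s+(@@?)(\S+)", line)
        if re.match(r"\$ModLoad\s+imfile\b", line):
            loaded = True
        elif prop:
            pending[prop.group(1)] = prop.group(2)
        elif line == "$InputRunFileMonitor":  # activates the directives above it
            monitors.append(pending)
            pending = {}
        elif fwd:  # "@@host" forwards over TCP, "@host" over UDP
            proto = "tcp" if fwd.group(2) == "@@" else "udp"
            forwards.append((fwd.group(1), proto, fwd.group(3)))
    if not loaded:
        findings.append("imfile module is not loaded")
    if "Name" in pending:
        findings.append(f"{pending['Name']}: no $InputRunFileMonitor, file is never read")
    states = [m.get("StateFile") for m in monitors]
    for dup in sorted({s for s in states if s and states.count(s) > 1}):
        findings.append(f"state file {dup} is shared by several monitors")
    for mon in monitors + ([pending] if "Name" in pending else []):
        fac = mon.get("Facility", "local0")  # assumed default when unset
        hits = [(p, t) for f, p, t in forwards if f in (fac, "*")]
        if not hits:
            findings.append(f"{mon.get('Name')}: no forwarding rule for {fac}")
        for target in sorted({t for _, t in hits}):
            if {p for p, t in hits if t == target} == {"tcp", "udp"}:
                findings.append(f"{fac}: sent to {target} over both TCP and UDP")
    return findings

if __name__ == "__main__":
    print("\n".join(check_sender_config(SAMPLE)))
```

It only understands single-facility selectors such as `local7.*` or `*.*`, which is what the config in this thread uses.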
1
You can use syslog-ng to forward the logs.
    source s_all {
        internal();
        unix-stream("/dev/log");
        file("/path/to/your/file" follow_freq(1) flags(no-parse));
    };
    destination d_remotelogger {
        udp("192.168.254.254" port(5514));
    };
    log {
        source(s_all); destination(d_remotelogger);
    };

Tom O'Connor

Ramesh Kumar
0
If the log does not support [r]syslog, create an NFS export on the remote server to hold the log, and mount the export on your app server at /var/log/app.

Daniel Widrick
0
You can use filelogger, which does not require you to install and configure rsyslog or other syslog software on your localhost.

Michael Martinez