@laidback
Created February 22, 2018 13:45
Forwarding Rsyslog

We want to forward messages through an intermediate rsyslog forwarder/broker. The broker must not save any messages from the clients, and the broker's own messages should also be forwarded to the rsyslog sink.

Useful Links

Config Topics

On the client

...
# forwarding tcp
*.* @@<hostname/ip>:<port>

# forwarding udp
*.* @<hostname/ip>:<port>
# End of rsyslog.conf

On the broker

# /etc/rsyslog.d/forwardTCP.conf
$ModLoad imtcp

# Forward all incoming tcp logging to remote
# It is important to stop the RuleSet to prevent local logging
$RuleSet remoteTCP
*.* @@10.16.205.18:8443
& stop

# Bind the ruleset and activate
$InputTCPServerBindRuleset remoteTCP
$InputTCPServerRun 5140

# /etc/rsyslog.d/forwardLocal.conf
# No stopping needed, because we want normal message logging to happen
*.info;mail.none;authpriv.none;cron.none @@10.16.205.18:8443

On the sink

Put files in subdirectories for each host based on a pattern

# /etc/rsyslog.d/endpoint.conf
$ModLoad imtcp

$RuleSet remote
*.* /var/log/super.log
& stop

$InputTCPServerBindRuleset remote
$InputTCPServerRun 8443
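
The sink configuration above writes every message to a single file; the per-host subdirectory layout mentioned under "On the sink" needs a dynamic file template. The following is an added example, not part of the original gist; the `/var/log/remote` base path, the template name `PerHostFile` and the file modes are assumptions.

```conf
# /etc/rsyslog.d/endpoint.conf  (added example; base path, template name and modes are assumptions)
$ModLoad imtcp

# Restrictive modes for the directories and files rsyslog creates
$DirCreateMode 0750
$FileCreateMode 0640

# One directory per originating host. Messages arrive via the broker, so
# %fromhost-ip% would be the broker's address on every message; the client is
# identified by %HOSTNAME%, which is taken from the message and is therefore
# controlled by the sender.
# secpath-replace turns "/" into "_" so the value cannot add path components.
$template PerHostFile,"/var/log/remote/%HOSTNAME:::secpath-replace%/%programname:::secpath-replace%.log"

$RuleSet remote
# "?" selects a dynamic file name generated from the template
*.* ?PerHostFile
& stop

$InputTCPServerBindRuleset remote
$InputTCPServerRun 8443
```

Check the syntax with `rsyslogd -N1` before restarting the service.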