In my last article I shared the steps to redirect specific log messages to a different log file using rsyslog and to secure your ssh service using fail2ban on Linux.
In this article I will share the steps to forward the system log to a remote server using either a TCP or a UDP port, so you can choose whichever suits you. Understand, though, that the transfer shown here is not secure: the messages travel in plaintext, so anyone on the network path can read them, inject fake entries or tamper with them in transit. To secure the channel you must configure rsyslog to use TLS certificates; that is not covered here.
Below are my setup details
Server: 10.43.138.14 -> the one which will send the messages
Client: 10.43.138.1 -> the one which will receive the messages
Note that these names are the reverse of what you may expect: in this article the box that sends the logs is called the server and the box that collects them is called the client.
The below rpm must be installed on the client so that we can use nc to validate the incoming messages
nmap-ncat
Using TCP
If you wish to transfer the system log files to a remote server using a TCP port then follow the below list of steps
With older versions of rsyslog the below syntax was used in /etc/rsyslog.conf
*.* @@remote_server:port
NOTE: Use two "@" as highlighted above for TCP (a single "@" selects UDP in this legacy syntax, so getting this wrong silently changes the transport)
This legacy syntax still works but is deprecated and should not be used in new configurations.
rsyslog now has the newer RainerScript syntax which gives us many more options, such as queueing and retry behaviour.
On Server (10.43.138.14)
Add below content at the end of the file /etc/rsyslog.conf
*.* action(type="omfwd" target="10.43.138.1" port="10514" protocol="tcp")
NOTE: rsyslog evaluates rules from top to bottom. Any rule placed before this entry is applied first, and if such a rule discards messages (the "stop" action, or "~" in legacy syntax) those messages never reach the forwarder, so place this entry in your rsyslog.conf accordingly. The "*.*" selector sends every facility and priority; narrow it (for example "authpriv.*") if you only want part of the log on the remote host.
You can tweak this to add some more arguments
*.* action(type="omfwd"
queue.type="LinkedList"
action.resumeRetryCount="-1"
queue.size="10000"
queue.saveonshutdown="on"
target="10.43.138.1" port="10514" protocol="tcp")
queue.type="LinkedList" gives the action its own in-memory queue, so a slow or unreachable receiver does not block local logging. queue.type can be Direct, LinkedList or FixedArray (in-memory queues) or Disk. Adding a queue.filename to a LinkedList or FixedArray queue makes it disk-assisted: messages spill to disk when the memory part is full.
action.resumeRetryCount="-1" makes rsyslog retry the connection indefinitely instead of giving up (and dropping the queued messages) after the default number of attempts when the remote server is not responding.
queue.size is the maximum number of messages the queue holds (a message count, not a size in bytes); size it for the longest outage of the remote host you want to ride out, because new messages can be discarded once the queue is full.
queue.saveonshutdown="on" writes whatever is still queued in memory to disk when rsyslog shuts down and reloads it on the next start; this only takes effect when the queue has a queue.filename to write to, so add one if you rely on it.
Save and restart the rsyslog service
# systemctl restart rsyslog
On client side
Allow the port through the firewall
# iptables -A INPUT -p tcp --dport 10514 -j ACCEPT
Next listen on the port using nc, which will print whatever arrives
# nc -l -p 10514 -4
On Server side I send some dummy message
# logger "testing message from 10.43.138.14"
On client side
<13>May 29 12:58:33 golinuxhub-client deepak: testing message from 10.43.138.14
You should also start getting all your log messages from the server on your client. The "<13>" in front is the syslog priority value (facility * 8 + severity; 13 is facility user, severity notice), and over TCP each message ends with a newline, which is why nc prints one per line. nc is only a test tool: once it works, stop nc and configure rsyslog on the client to listen on the same port (the imtcp module) so the messages are actually stored, since two programs cannot listen on the same TCP port.
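To check what actually arrives over TCP without trusting nc's output, here is a small loopback harness in Python. It is an added example, not code from this article or from the rsyslog project: it plays both sides on 127.0.0.1, framing messages the two ways rsyslog's omfwd can send them over TCP (newline-terminated, which is the default and what nc printed above, or octet-counted when tcp_framing="octet-counted" is set), splitting the received byte stream back into messages, and decoding the <PRI> prefix into facility.severity. The hostname, tag and message text are constructed to match the sample output above.

```python
"""Loopback check for plaintext TCP syslog forwarding (added example; not
code from the article or from rsyslog). Plays receiver and sender on
127.0.0.1 so it runs offline. Host, tag and text are constructed."""
import re
import socket
import threading

# Facility and severity names in numeric order, as defined for syslog PRI.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "security",
              "console", "solaris-cron", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(line):
    """Turn the <PRI> prefix into 'facility.severity'.
    PRI = facility * 8 + severity, so <13> means user(1).notice(5)."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header: %r" % line[:20])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest valid value
        raise ValueError("PRI out of range: %d" % pri)
    return "%s.%s" % (FACILITIES[pri // 8], SEVERITIES[pri % 8])


def build_message(facility, severity, host, tag, text,
                  timestamp="May 29 12:58:33"):
    """BSD-style syslog line in the shape nc showed on this page."""
    pri = facility * 8 + severity
    return ("<%d>%s %s %s: %s" % (pri, timestamp, host, tag, text)).encode()


def frame_traditional(msg):
    """omfwd default over TCP: message terminated by a newline."""
    return msg + b"\n"


def frame_octet_counted(msg):
    """omfwd with tcp_framing="octet-counted": length, space, message."""
    return b"%d %s" % (len(msg), msg)


def split_frames(stream):
    """Split a TCP byte stream into messages, detecting the framing per
    message: a leading digit run followed by a space is octet-counted,
    anything else is read up to the next newline."""
    out, i = [], 0
    while i < len(stream):
        m = re.match(rb"(\d+) ", stream[i:])
        if m:
            n = int(m.group(1))
            start = i + m.end()
            if start + n > len(stream):
                break  # truncated frame: wait for more bytes
            out.append(stream[start:start + n])
            i = start + n
        else:
            j = stream.find(b"\n", i)
            if j < 0:
                break  # incomplete trailing frame
            out.append(stream[i:j])
            i = j + 1
    return out


def tcp_roundtrip(frames):
    """Listen on an ephemeral loopback port, send the frames over one TCP
    connection, and return [(facility.severity, raw message), ...] as the
    receiver decoded them."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    received = bytearray()

    def serve():
        conn, _ = srv.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                received.extend(chunk)

    t = threading.Thread(target=serve)
    t.start()
    with socket.create_connection(srv.getsockname()) as c:
        c.sendall(b"".join(frames))
    t.join()
    srv.close()
    return [(decode_pri(f), f) for f in split_frames(bytes(received))]


if __name__ == "__main__":
    msgs = [frame_traditional(build_message(1, 5, "golinuxhub-client",
                                            "deepak", "testing message")),
            frame_octet_counted(build_message(4, 3, "golinuxhub-client",
                                              "sshd", "Failed password"))]
    for prio, raw in tcp_roundtrip(msgs):
        print(prio, raw.decode())
```

Run it as a plain script; it prints one decoded line per message. Because split_frames detects the framing per message, the same receiver accepts a mix of traditional and octet-counted senders, which is what you get when some hosts set tcp_framing and others do not.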
Using UDP
If you wish to transfer the system log files to a remote server using a UDP port then follow the below list of steps
With older versions of rsyslog the below syntax was used in rsyslog.conf
*.* @remote_server:port
NOTE: Use a single "@" as highlighted above for UDP (two "@@" selects TCP in this legacy syntax)
This legacy syntax still works but is deprecated and should not be used in new configurations.
rsyslog now has the newer RainerScript syntax which gives us many more options.
On Server (10.43.138.14)
Add below content at the end of the file /etc/rsyslog.conf
*.* action(type="omfwd" target="10.43.138.1" port="10514" protocol="udp")
NOTE: As with TCP, rsyslog evaluates rules from top to bottom, so any earlier rule that discards messages keeps them from reaching this forwarder; place this entry in your rsyslog.conf accordingly. Keep in mind that UDP is fire-and-forget: the sender gets no acknowledgement, so messages lost on the network or dropped by a busy receiver disappear without any error in rsyslog.
You can tweak this to add some more arguments
*.* action(type="omfwd"
queue.type="LinkedList"
action.resumeRetryCount="-1"
queue.size="10000"
queue.saveonshutdown="on"
target="10.43.138.1" port="10514" protocol="udp")
The queue parameters mean the same as in the TCP section above: a LinkedList in-memory queue of up to 10000 messages (queue.size is a message count, not bytes), unlimited retries, and saving the queue on shutdown (which needs a queue.filename to write to). Note, however, that with UDP the action.resumeRetryCount setting has little to protect you from: a UDP send to a dead receiver normally succeeds from rsyslog's point of view, so the action never enters the retry state and the messages are simply lost. If you need delivery guarantees, use TCP.
Save and restart the rsyslog service
# systemctl restart rsyslog
On Client
If you want rsyslog itself on the client to receive and store the messages, enable or uncomment these two entries in the client's rsyslog.conf; the port must match the one the server sends to (10514 here, not the default 514)
# vim /etc/rsyslog.conf
$ModLoad imudp
$UDPServerRun 10514
Followed by a restart of rsyslog service
# systemctl restart rsyslog
Next allow the port through the firewall
# iptables -A INPUT -p udp --dport 10514 -j ACCEPT
And start listening on the port we are using (-u tells nc to listen for UDP instead of TCP)
# nc -l -p 10514 -4 -u
If rsyslog's imudp input is already bound to 10514, nc will fail to bind the same UDP port; for this quick test either stop rsyslog on the client for a moment or look for the message in the client's /var/log/messages instead.
Now we are all set, so let's send a message using logger from our server node
# logger "Testing rsyslog message using udp port"
The same appears on our client side
<13>May 29 14:37:32 Ban17-be002-2b deepak: Testing rsyslog message using udp port
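The practical difference between the two transports is what happens when the client is down. The following Python is an added example (not from this article or from rsyslog): it round-trips a datagram over loopback, then sends the same message by UDP and by TCP to a loopback port with nothing listening on it. The UDP send reports success and the message is gone; the TCP connect is refused, which is the signal rsyslog's omfwd needs before action.resumeRetryCount and the queue can do anything. The sample message is a constructed copy of the line printed above.

```python
"""Added example (not from the article or rsyslog): shows why UDP
forwarding loses messages silently while TCP fails loudly. Everything
stays on 127.0.0.1; the sample message is constructed."""
import socket

# Constructed copy of the line nc printed in the UDP test above.
SAMPLE = (b"<13>May 29 14:37:32 Ban17-be002-2b deepak: "
          b"Testing rsyslog message using udp port")


def udp_roundtrip(msg):
    """Receiver on an ephemeral UDP port; each datagram is one message,
    so no framing is needed (and none can be relied on)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(msg, rx.getsockname())
        data, _ = rx.recvfrom(65535)
    finally:
        tx.close()
        rx.close()
    return data


def unlistened_loopback_port():
    """Bind an ephemeral port and release it so nothing is listening there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def udp_send_unlistened(msg, port):
    """True if sendto() succeeds: with no listener the kernel still accepts
    the datagram, and the ICMP port-unreachable that comes back is not
    reported on an unconnected socket. This is the blind spot of
    protocol="udp" in omfwd: rsyslog never learns the receiver is gone."""
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tx.sendto(msg, ("127.0.0.1", port))
        return True
    except OSError:
        return False
    finally:
        tx.close()


def tcp_send_unlistened(msg, port):
    """False when the connect() is refused: TCP tells the sender the
    receiver is down, which is what lets omfwd suspend the action, keep
    the message in its queue and retry (action.resumeRetryCount)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
            c.sendall(msg + b"\n")
        return True
    except OSError:
        return False


if __name__ == "__main__":
    print("udp loopback delivered:", udp_roundtrip(SAMPLE) == SAMPLE)
    dead = unlistened_loopback_port()
    print("udp send to dead port reported success:",
          udp_send_unlistened(SAMPLE, dead))
    print("tcp send to dead port reported success:",
          tcp_send_unlistened(SAMPLE, dead))
```

The first line confirms plain UDP delivery works on a healthy path; the last two are the point. If your logs matter for incident response, the silent success of the UDP case is exactly the behaviour an attacker who can take the collector offline, or flood it, benefits from.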
I hope the article was useful.
