RSyslog not forwarding already collected logs.
I have configured RSyslog, which receives logs but cannot forward them to another server. The server the RSyslog is supposed to send the logs to does not have RSyslog enabled. It's just a normal Ubuntu server. The main aim of using the RSyslog is to collect logs and send them over to another server. I'm using Ubuntu 22.04.4 LTS (Server). There is communication on the server-to-server level.
The RSyslog server IP: 192.168.1.10 Receiving logs server IP: 192.168.1.20
Below is the config file I am using:
root@vrarsyslog:~# cat /etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="1514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="1514")
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& ~
#Forward logs from specific directory#
/var/log/siemlogs/* @192.168.1.20:1514
/var/log/test_logs/* @192.168.1.20:1514
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
root@vrarsyslog:~#
If the remote server is not listening, it will not be able to receive messages. Please clarify and show remote server config.
Oh, and this does not work in any case.
/var/log/siemlogs/* @192.168.1.20:1514
/var/log/test_logs/* @192.168.1.20:1514
You need to filter them according to the filter doc.
The remote server is just an Ubuntu server I have installed and allowed port 1514 on it, so I can telnet from the RSyslog server to the remote server via port 1514.
Which software is running there if not rsyslog?
Okay, I have enabled rsyslog on the remote server. Config file below:
root@exsc:~# cat /etc/rsyslog.conf
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="1514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="1514")
$PreserveFQDN on
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
I just want the RSyslog to send the logs to /var/log on the remote server.
This looks good, but I do not know if the received messages are written by the server.
But you first need to fix the invalid filter. You cannot just give a file name. You can re-read the logs via imfile, but I strongly suggest sending them after they are received. I don't know from your posting what makes these messages go to the specified files - the names seem not to match the template given.
Filtering doc: https://www.rsyslog.com/doc/configuration/filters.html
Could you please assist with a config file to fix the invalid filter?
you may want to use imfile
https://www.rsyslog.com/doc/configuration/modules/imfile.html
Adopting the example from that documentation, you probably can have something like
module(load="imfile")
input(type="imfile"
      File="/var/log/siemlogs/*.log"
      Tag="siemlogs")
input(type="imfile"
      File="/var/log/test_logs/*.log"
      Tag="test_logs")
if $inputname == 'imfile' and $tag == 'siemlogs' then @192.168.1.20:1514
if $inputname == 'imfile' and $tag == 'test_logs' then @192.168.1.20:1514
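The snippet above covers the imfile inputs; the rest of the thread leaves the forwarding action, the handling of messages received on 1514, and the receiver's write-out to /var/log as one-liners. The following is an added example, written for this thread and not taken from the posts or from the rsyslog project, that puts both hosts' configuration together. The IPs (192.168.1.10, 192.168.1.20), port 1514 and the /var/log/siemlogs and /var/log/test_logs paths are the ones given in the thread; the ruleset names (fromRemote, fromFiles, toDisk), template names (remoteIncoming, perHost), the /var/log/remote output directory and the queue file names are assumptions chosen here. It also addresses a detail in the original sender config: `& ~` discards every message right after the dynafile write, so forwarding lines placed after it would never fire even if their filters were valid.

```rsyslog
# Added example, not from the thread. Two files are shown in one block;
# each "#####" section replaces the MODULES section of that host's
# /etc/rsyslog.conf (a module loaded twice is a config error, so do not
# keep the original module()/input() lines alongside these).
# The GLOBAL DIRECTIVES block from the thread (WorkDirectory, PrivDrop*,
# file ownership) stays as it is on both hosts.

##### Sender: 192.168.1.10 #####
module(load="imuxsock")
module(load="imklog" permitnonkernelfacility="on")
module(load="imudp")
module(load="imtcp")
module(load="imfile")   # re-reads files that are already on disk

# Bind the listeners to a ruleset so remote messages are handled
# separately from this host's own local messages.
input(type="imudp" port="1514" ruleset="fromRemote")
input(type="imtcp" port="1514" ruleset="fromRemote")

# imfile needs a file pattern, not a bare directory; every new line in a
# matching file becomes one syslog message carrying the given Tag.
# rsyslog runs as user "syslog" here, so that user needs read access.
input(type="imfile" File="/var/log/siemlogs/*.log"  Tag="siemlogs"  ruleset="fromFiles")
input(type="imfile" File="/var/log/test_logs/*.log" Tag="test_logs" ruleset="fromFiles")

# Same dynafile layout as the thread's legacy $template line.
template(name="remoteIncoming" type="string"
         string="/var/log/%HOSTNAME%/%PROGRAMNAME%.log")

ruleset(name="fromRemote") {
    # Forward before writing locally. TCP matches the receiver's imtcp
    # input; use protocol="udp" if you keep the "@" (UDP) behaviour.
    # The disk-assisted queue keeps messages while 192.168.1.20 is down,
    # using the $WorkDirectory (/var/spool/rsyslog) from the thread.
    action(type="omfwd" target="192.168.1.20" port="1514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_remote"
           action.resumeRetryCount="-1")
    action(type="omfile" dynaFile="remoteIncoming")
}

ruleset(name="fromFiles") {
    action(type="omfwd" target="192.168.1.20" port="1514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_files"
           action.resumeRetryCount="-1")
}

##### Receiver: 192.168.1.20 #####
module(load="imuxsock")
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="1514" ruleset="toDisk")
input(type="imtcp" port="1514" ruleset="toDisk")

# One file per sending host and program under /var/log/remote
# (assumed directory); messages from the imfile inputs land in
# /var/log/remote/<sender>/siemlogs.log and .../test_logs.log.
template(name="perHost" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

ruleset(name="toDisk") {
    action(type="omfile" dynaFile="perHost")
}
```

After editing, `rsyslogd -N1` on each host checks the syntax before `systemctl restart rsyslog`. On the receiver, a message still reaching /var/log/syslog instead of /var/log/remote means the input is not bound to the ruleset, because unbound inputs fall through to the default rules in /etc/rsyslog.d/50-default.conf.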