forwarding to other syslog

Postby dada » Mon Aug 28, 2006 10:10 pm

I read the document, and want to verify that if I have a centralized rsyslog server running; it cannot forward what it received to another syslog server?

If not, any suggestions?
dada
Avarage
 
Posts: 13
Joined: Fri Nov 25, 2005 4:51 pm

Postby mmeckelein » Tue Aug 29, 2006 10:34 am

dada wrote: I read the document, and want to verify that if I have a centralized rsyslog server running; it cannot forward what it received to another syslog server?


To what document are you referring? Forwarding messages to another syslog server should not be a problem.

Code:
*.* @finlandia

This rule would redirect all messages to a remote host called finlandia. This is useful especially in a cluster of machines where all syslog messages will be stored on only one machine.

For more details, please see http://www.rsyslog.com/Documentation-/r ... html.phtml

Hope this helps.

Michael
mmeckelein
Adiscon Support
 
Posts: 176
Joined: Wed Mar 12, 2003 12:07 pm

Postby dada » Tue Aug 29, 2006 6:05 pm

Hmm, actually that's what I was referring to and wanted clarification on it. So if I have my hosts sending logs to one rsyslog server, can I forward from that rsyslog server to another syslog host?

I include a line like yours but I don't see any traffic going out to the destination host on a tcpdump.

Remote Machine

Rsyslogd provides full remote logging, i.e. is able to send messages to a remote host running rsyslogd(8) and to receive messages from remote hosts. The remote host won't forward the message again, it will just log them locally. To forward messages to another host, prepend the hostname with the at sign (``@'').

Using this feature you're able to control all syslog messages on one host, if all other machines will log remotely to that. This tears down administration needs.

Please note that this version of rsyslogd by default does NOT forward messages it has received from the network to another host. Specify the -h option to enable this.
dada
Avarage
 
Posts: 13
Joined: Fri Nov 25, 2005 4:51 pm

Postby mmeckelein » Wed Aug 30, 2006 9:24 am

dada wrote: Hmm, actually that's what I was referring to and wanted clarification on it. So if I have my hosts sending logs to one rsyslog server, can I forward from that rsyslog server to another syslog host?


Of course, this should be possible. Have you started rsyslogd with the -r 0 -h flags?

In your rsyslogd start script remove the comment in front of SYSLOGD="-r 0 -h":
# Options for start/restart the daemons
# For remote UDP logging use SYSLOGD="-r 0"
# For relaying add "-h" to SYSLOGD
#
SYSLOGD="-r 0 -h"


If it still does not work, I suggest testing rsyslog interactively with the debug feature. Run rsyslog with the following options:
-r -d -n -h

Please post the debug output.

Michael
mmeckelein
Adiscon Support
 
Posts: 176
Joined: Wed Mar 12, 2003 12:07 pm

Postby dada » Wed Aug 30, 2006 8:46 pm

I ran interactively with the -h option and it's working now :)

Dumb question: how is relaying different from remote UDP logging?
dada
Avarage
 
Posts: 13
Joined: Fri Nov 25, 2005 4:51 pm

Postby mmeckelein » Thu Aug 31, 2006 9:03 am

Probably the documentation is a little bit vague. In short, I think, you can say

-r is to allow incoming messages from a remote host
-h is to allow forwarding messages to a remote host

Michael
mmeckelein
Adiscon Support
 
Posts: 176
Joined: Wed Mar 12, 2003 12:07 pm
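
A loopback check of the -r / -h distinction described above, added here as an example and not part of the original thread or of rsyslog's code. `stand_in_relay` is a hypothetical stand-in for the central server, and `udp_socket`, `probe_relay` and `demo` are names made up for the illustration; the probe sends a uniquely tagged message to the relay and reports whether it reaches the downstream socket, which is the question the tcpdump check was answering.

```python
import socket, threading, time, uuid

def udp_socket():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))  # ephemeral loopback port (constructed endpoint)
    return s

def stand_in_relay(sock, downstream, forward_remote):
    """Hypothetical stand-in for the central server, not rsyslogd itself: accepts
    one network message (as with -r), relays it only if forward_remote (as -h)."""
    sock.settimeout(2.0)
    try:
        data, _ = sock.recvfrom(2048)
    except socket.timeout:
        return
    if forward_remote:
        sock.sendto(data, downstream)

def probe_relay(relay_addr, collector, wait=0.5):
    """Send one tagged message to the relay; True if it reaches collector."""
    token = uuid.uuid4().hex.encode()
    # PRI 14 = facility user (1) * 8 + severity info (6)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(b"<14>relayprobe: token=" + token, relay_addr)
    deadline = time.monotonic() + wait
    while (left := deadline - time.monotonic()) > 0:
        collector.settimeout(left)
        try:
            data, _ = collector.recvfrom(2048)
        except socket.timeout:
            return False
        if token in data:  # ignore unrelated traffic, match only our token
            return True
    return False

def demo(forward_remote):
    relay, collector = udp_socket(), udp_socket()
    worker = threading.Thread(target=stand_in_relay,
                              args=(relay, collector.getsockname(), forward_remote))
    worker.start()
    try:
        return probe_relay(relay.getsockname(), collector)
    finally:
        worker.join()
        relay.close()
        collector.close()

if __name__ == "__main__":
    print("with -h behaviour:", demo(True), "| without:", demo(False))
```

Against a real relay, call `probe_relay` on the downstream host with the relay's address and a socket bound to the port the forwarding rule targets.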

Postby dada » Thu Sep 07, 2006 4:11 pm

Do you foresee any problems if I'm forwarding via tcp 514 to another syslog server other than rsyslog; and say traffic stops or it can't reach the remote syslog.

Will rsyslog just bypass that line of the config to forward?

I'm just worried about anything that may halt how the filters will be processed.
dada
Avarage
 
Posts: 13
Joined: Fri Nov 25, 2005 4:51 pm

Postby mmeckelein » Thu Sep 07, 2006 4:15 pm

Just a quick question. Is the other syslog server listening on TCP 514?

Michael
mmeckelein
Adiscon Support
 
Posts: 176
Joined: Wed Mar 12, 2003 12:07 pm

Postby dada » Thu Sep 07, 2006 6:21 pm

Yes, it will be listening on tcp 514 since the other syslog is in a different subnet with a firewall in between. Of course I would make a policy to allow tcp 514 in.
dada
Avarage
 
Posts: 13
Joined: Fri Nov 25, 2005 4:51 pm

Postby rgerhards » Wed Sep 27, 2006 3:33 pm

I've just seen that this question is still unanswered. To use tcp, the other syslogd must be capable of doing that. Most do not support it. In any case, rsyslogd is compliant with existing RFCs and common behaviour, so there is no problem in forwarding to any other syslogd. It works well for both TCP and UDP connections.

Rainer
rgerhards
Site Admin
 
Posts: 2645
Joined: Thu Feb 13, 2003 11:57 am
