Setting up a Central Syslog Server to listen on both TCP and UDP ports

This document (000020554) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise 15 SP2
SUSE Linux Enterprise 15 SP3

Situation

Would like to setup a Central Syslog Server to listen on both TCP and UDP ports 514.

Referenced: 
https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-tuning-syslog.html#sec-tuning-syslog-server
https://documentation.suse.com/sles/15-SP3/single-html/SLES-tuning/#sec-tuning-syslog-server

 was using the legacy syntax and the was not working for SLES 15 SP2 and SP3.
Example of legacy syntax for editing the /etc/rsyslog.d/remote.conf file.

TCP Example:
$ModLoad imtcp.so
$UDPServerAddress IP
$InputTCPServerRun PORT

UDP Example
$ModLoad imudp.so
$UDPServerAddress IP
$UDPServerRun PORT
 

Resolution

Step 1 Use the modern syntax:
Entries in  /etc/rsyslog.d/remote.conf
  #TCP Example:
  module(load="imtcp") # needs to be done just once 
  input(type="imtcp" port="514" address="192.168.86.232")

  #UDP Example:
  module(load="imudp") # needs to be done just once 
  input(type="imudp" port="514" address="192.168.86.232")

Step 2 Update they rsyslog.service to start after the network
Copy /usr/lib/systemd/system/rsyslog.service to /etc/systemd/system/

In the unit section of /etc/systemd/system/rsyslog.service add these two lines:
Wants=network.target network-online.target
After=network.target network-online.target

Note: Starting rsyslog a little later should not cause a loss of log messages as long as there is no log message flood that might overflow the kernels log ring buffer. Even if there is a log message flood before rsyslog starts, the kernel log ring buffer can be increased.


 

Additional Information

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020554
  • Creation Date: 21-Jan-2022
  • Modified Date:21-Jan-2022
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback@suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center