Forwarding Log Entries Received on one Central Syslog Server to Another

This document (000020865) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server 12 All Releases
 

Situation

A primary Central Syslog Server (logsrv1) receives remote system log messages and stores them on /var/log/HOSTS. The remote syslog messages now need to be forwarded to a secondary Central Syslog Server (logsrv2).

logclient  192.168.0.123
logsrv1    192.168.0.125
logsrv2    192.168.0.124

It would take a lot of time and resources to reconfigure all the clients to send their logs to logsrv2 instead of logsrv1.

Attempting to redirect remote messages to logsrv2 from logsrv1 using *.* @192.168.0.124 in /etc/rsyslog.d/remote.conf on logsrv1 only forwards local logsrv1 message to logsrv2 and no remote syslog messages are sent to logserv2
 

Resolution

Option 1
The simplest solution may be to decommission logsrv1 and update the DNS entry to point to logsrv2 or change the IP address of logsrv2 so it will receive the logsrv1 network traffic. 

Option 2
However, in order to forward remote log messages in this case, do the following:

1. Change the primary Central Syslog Server (logsrv1) /etc/rsyslog.d/remote.conf from this:

SLES 12 /etc/rsyslog.d/remote.conf
logsrv1:~ # cat /etc/rsyslog.d/remote.conf 
$ModLoad imtcp.so         # load module
$InputTCPServerRun 514 # Starts a TCP server on selected port
$ModLoad imudp.so         # provides UDP syslog reception
$UDPServerRun 514         # start a UDP syslog server at standard port 514
$template RemoteStore, "/var/log/HOSTS/%timegenerated:::date-year%-%timegenerated:::date-month%/%HOSTNAME%/%HOSTNAME%-%SYSLOGFACILITY-TEXT%-%timegenerated:::date-year%-%timegenerated:::date-month%-%timegenerated:::date-day%-%timegenerated:::date-hour%"
:source, isequal, "last"  stop
if $fromhost-ip != '127.0.0.1' then {
action(type="omfile" dynaFile="RemoteStore")
        stop
}
SLES 15 /etc/rsyslog.d/remote.conf
If using the newer rsyslog syntax.
logsrv1:~ # cat /etc/rsyslog.d/remote.conf 
module(load="imtcp")
input(type="imtcp" port="514")
module(load="imudp")
input(type="imudp" port="514")
template(name="RemoteStore" type="string"
  string="/var/log/HOSTS/%timegenerated:::date-year%-%timegenerated:::date-month%/%HOSTNAME%/%HOSTNAME%-%SYSLOGFACILITY-TEXT%-%timegenerated:::date-year%-%timegenerated:::date-month%-%timegenerated:::date-day%-%timegenerated:::date-hour%\n"
        )
:source, isequal, "last"  stop
if $fromhost-ip != '127.0.0.1' then {
action(type="omfile" dynaFile="RemoteStore")
        stop
}

to this:

SLES 12 /etc/rsyslog.d/remote.conf
logsrv1:~ # cat /etc/rsyslog.d/remote.conf 
$ModLoad imtcp.so         # load module
$InputTCPServerRun 514 # Starts a TCP server on selected port
$ModLoad imudp.so         # provides UDP syslog reception
$UDPServerRun 514         # start a UDP syslog server at standard port 514
:source, isequal, "last"  stop
if $fromhost-ip != '127.0.0.1' then {
action(type="omfwd" Target="192.168.0.124" Port="514")
        stop
}
SLES 15 /etc/rsyslog.d/remote.conf
If using the newer rsyslog syntax.
logsrv1:~ # cat /etc/rsyslog.d/remote.conf 
module(load="imtcp") # needs to be done just once 
input(type="imtcp" port="514")
module(load="imudp") # needs to be done just once 
input(type="imudp" port="514")
if $fromhost-ip != '127.0.0.1' then {
action(type="omfwd" Target="192.168.0.124" Port="514")
        stop
}

2. Run systemctl restart rsyslog.service
 

Additional Information

The action needed to change from logging to a local file (type="omfile") to forwarding (type="omfwd").

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020865
  • Creation Date: 17-Nov-2022
  • Modified Date:16-Dec-2022
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center