remote syslog via rsyslogs relp module

This is a config for rsyslogd with RELP

I am setting up rsyslog to send all of its logs to a remote log collection server where I will store them on disk.

Later I will talk about how I have used logstash to pull in these files once on the system.

I won’t bother posting the default lines almost all rsyslog config files will have.

I setup some basic udp collectors for legacy devices

$ModLoad imudp
$UDPServerAddress 0.0.0.0
$UDPServerRun 514

Then load the relp module to provide more reliable tcp logging. I am going to have mine communicate on tcp port 1088

$ModLoad imrelp
$InputRELPServerRun 1088

The other two custom options I have set are for preserving fqdn because I need the full name to differentiate devices in different cities.

$PreserveFQDN on

I also tun off the message reduction to allow the systems I plan to implements better count messages.

$RepeatedMsgReduction off

Now on the client side all I have to do is include the relp module again and forward all messages via *.*

$ModLoad omrelp
*.* :omrelp:remotesyslog.example.org:1088;RSYSLOG_ForwardFormat

I am also using the RSYSLOG_ForwardFormat to preserve the severity and priority when the message is sent.

Sunhee - May 2, 2012 at 5:31 am
I think we both did the same sort of thing after looking at Graylog2, but I ended up with a Python-based liesentr service injecting logs into a Postgres database.I've been wanting to work more with solr for some time now. Will review what you have and will see where I can expand it. Thanks for the post!tom