05 Mar

Remote syslog via rsyslog's RELP module

This is a config for rsyslogd with RELP.

I am setting up rsyslog to send all of its logs to a remote log collection server where I will store them on disk.

Later I will talk about how I have used Logstash to pull in these files once they are on the system.

I won't bother posting the default lines that almost all rsyslog config files will have.

I set up some basic UDP collectors for legacy devices:

$ModLoad imudp
$UDPServerAddress 0.0.0.0
$UDPServerRun 514

Then load the RELP module to provide more reliable TCP logging. I am going to have mine communicate on TCP port 1088:

$ModLoad imrelp
$InputRELPServerRun 1088

I have set two other custom options. The first preserves the FQDN, because I need the full name to differentiate devices in different cities.

$PreserveFQDN on

I also turn off the message reduction so that the systems I plan to implement can better count messages.

$RepeatedMsgReduction off

Now on the client side all I have to do is include the RELP module again and forward all messages via *.*:

$ModLoad omrelp
*.* :omrelp:remotesyslog.example.org:1088;RSYSLOG_ForwardFormat

I am also using the RSYSLOG_ForwardFormat to preserve the severity and priority when the message is sent.
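
The post mentions storing received logs on disk and wanting reliable delivery but shows neither the file rule nor a client queue. One way to write both, as an added example in rsyslog's newer RainerScript syntax (not the author's config); the file names, the ruleset and template names, the /var/log/remote path and the queue size are assumptions.

```conf
# ---- Collector: /etc/rsyslog.d/collector.conf (file name is an assumption) ----
global(preserveFQDN="on")

module(load="imudp")
module(load="imrelp")

# One file per sending host and day. The hostname comes from the message,
# so secpath-replace turns any "/" in it into "_" before it becomes a path.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%$YEAR%-%$MONTH%-%$DAY%.log")

# Rules applied to remote messages only; the collector's own local logs
# continue to use the default ruleset.
ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostFile"
           template="RSYSLOG_FileFormat"
           dirCreateMode="0750" fileCreateMode="0640")
}

# Same listeners as in the post, bound to the ruleset above.
input(type="imudp" address="0.0.0.0" port="514" ruleset="remote")
input(type="imrelp" port="1088" ruleset="remote")

# ---- Client: /etc/rsyslog.d/forward.conf (file name is an assumption) ----
module(load="omrelp")

# Disk-assisted queue: messages are buffered (and spooled to disk if needed)
# while the collector is unreachable, and retried without limit.
action(type="omrelp" target="remotesyslog.example.org" port="1088"
       template="RSYSLOG_ForwardFormat"
       queue.type="LinkedList" queue.filename="relp_fwd"
       queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Running `rsyslogd -N1` on each host checks the configuration for syntax errors before the service is restarted.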