During incident response, you might face scenarios where you need to collect logs from Ubuntu systems in a central location. This article explains how to configure an Ubuntu system to send its logs and messages to a remote syslog server.
Edit /etc/rsyslog.conf to include the following line before the $IncludeConfig /etc/rsyslog.d/*.conf line:
*.* action(type="omfwd" target="192.168.0.1" port="514" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")
In this case, the remote server with IP 192.168.0.1 will receive the logs on port 514. 514 is the default port; you can change it according to your network configuration and requirements.
Restart the rsyslog service for the configuration changes to take effect:
$ sudo service rsyslog restart
If you are using another Ubuntu host as the remote rsyslog server, check its /var/log directory to see whether log directories for the client have been created:
$ cd /var/log && ls -l
By default, if the remote system is unreachable, processing blocks at this action and messages are discarded after a while. The configuration line above handles this case:
- It decouples the sending from the other logging actions
- It prevents delays when the remote system is not reachable
- It retries the connection 100 times before it discards messages as undeliverable
A few things to note:
- Select the protocol best suited to your use case. If in doubt, TCP is a decent choice; this article uses TCP
- The target can be specified by DNS name or IP address. Use IP addresses for the most robust operation. If you use a DNS name and name resolution fails, forwarding may be disabled for some time
There is also a legacy format, but it is obsolete and not recommended:
*.* @@192.168.0.1:514
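As an added example (not part of the original article), the following Python script parses both forwarding syntaxes shown above, the action(type="omfwd" ...) form and the legacy @/@@ form, and reports which of the article's recommendations a rule misses: obsolete legacy syntax, UDP instead of TCP, a DNS name instead of an IP address, no dedicated action queue, and no action.resumeRetryCount. The sample rules and the host name are constructed for the demonstration, and the function names parse_forward_rule and check_forward_rule are my own, not rsyslog's.

```python
import ipaddress
import re

# Constructed sample rules (not taken from a real system) in both syntaxes.
SAMPLE_RULES = [
    '*.* action(type="omfwd" target="192.168.0.1" port="514" protocol="tcp" '
    'action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")',
    '*.* @@192.168.0.1:514',        # legacy syntax, TCP
    '*.* @logs.example.internal',   # legacy syntax, UDP, DNS name, default port
]

_PARAM_RE = re.compile(r'([\w.]+)="([^"]*)"')
_LEGACY_RE = re.compile(
    r'^(?P<sel>\S+)\s+(?P<at>@@?)(?P<target>[^:\s]+)(?::(?P<port>\d+))?\s*$')
_ACTION_RE = re.compile(r'^(?P<sel>\S+)\s+action\((?P<body>.*)\)\s*$')


def parse_forward_rule(line):
    """Return a dict describing a forwarding rule, or None if the line is not one."""
    line = line.strip()
    m = _LEGACY_RE.match(line)
    if m:
        return {
            "format": "legacy",
            "selector": m.group("sel"),
            "target": m.group("target"),
            "port": int(m.group("port") or 514),       # 514 is the default port
            "protocol": "tcp" if m.group("at") == "@@" else "udp",
            "resume_retry_count": 0,   # no retry tuning on a bare legacy rule
            "queue_type": "direct",    # no dedicated queue on a bare legacy rule
        }
    m = _ACTION_RE.match(line)
    if not m:
        return None
    params = dict(_PARAM_RE.findall(m.group("body")))
    if params.get("type") != "omfwd":
        return None   # some other action type, not forwarding
    return {
        "format": "rainerscript",
        "selector": m.group("sel"),
        "target": params.get("target", ""),
        "port": int(params.get("port", 514)),
        "protocol": params.get("protocol", "udp").lower(),
        "resume_retry_count": int(params.get("action.resumeRetryCount", 0)),
        "queue_type": params.get("queue.type", "direct").lower(),
    }


def check_forward_rule(rule):
    """Return the list of recommendations (from the article) that the rule does not follow."""
    findings = []
    if rule["format"] == "legacy":
        findings.append('legacy @/@@ syntax is obsolete; use action(type="omfwd" ...)')
    if rule["protocol"] != "tcp":
        findings.append("protocol is %s; TCP is the safer default" % rule["protocol"])
    try:
        ipaddress.ip_address(rule["target"])
    except ValueError:
        findings.append("target is a DNS name; an IP address keeps forwarding "
                        "working when name resolution fails")
    if rule["queue_type"] == "direct":
        findings.append("no dedicated action queue; an unreachable server "
                        "blocks the other logging actions")
    if rule["resume_retry_count"] < 1:
        findings.append("action.resumeRetryCount not set; messages are "
                        "discarded soon after the server becomes unreachable")
    return findings


def audit_rules(lines):
    """Map each forwarding rule to its findings; non-forwarding lines are skipped."""
    report = {}
    for line in lines:
        rule = parse_forward_rule(line)
        if rule is not None:
            report[line] = check_forward_rule(rule)
    return report


if __name__ == "__main__":
    for line, findings in audit_rules(SAMPLE_RULES).items():
        print(line)
        for f in findings or ["ok"]:
            print("    -", f)
```

To run it against a real configuration, feed it the lines of /etc/rsyslog.conf and /etc/rsyslog.d/*.conf instead of SAMPLE_RULES. It only inspects the forwarding rules; syntax errors in the rest of the file are better caught by rsyslog's own check, rsyslogd -N1, before restarting the service.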