Forwarding Log Entries Received on one Central Syslog Server to Another
This document (000020865) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 SP3
SUSE Linux Enterprise Server 12 All Releases
Situation
logclient 192.168.0.123
logsrv1 192.168.0.125
logsrv2 192.168.0.124
It would take a lot of time and resources to reconfigure all the clients to send their logs to logsrv2 instead of logsrv1.
Attempting to redirect remote messages from logsrv1 to logsrv2 using *.* @192.168.0.124 in /etc/rsyslog.d/remote.conf on logsrv1 forwards only local logsrv1 messages to logsrv2; no remote syslog messages are sent to logsrv2.
Resolution
The simplest solution may be to decommission logsrv1 and update the DNS entry to point to logsrv2 or change the IP address of logsrv2 so it will receive the logsrv1 network traffic.
Option 2
However, in order to forward remote log messages in this case, do the following:
1. Change the primary Central Syslog Server (logsrv1) /etc/rsyslog.d/remote.conf from this:
SLES 12 /etc/rsyslog.d/remote.conf
logsrv1:~ # cat /etc/rsyslog.d/remote.conf
$ModLoad imtcp.so # load module
$InputTCPServerRun 514 # Starts a TCP server on selected port
$ModLoad imudp.so # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server at standard port 514
$template RemoteStore, "/var/log/HOSTS/%timegenerated:::date-year%-%timegenerated:::date-month%/%HOSTNAME%/%HOSTNAME%-%SYSLOGFACILITY-TEXT%-%timegenerated:::date-year%-%timegenerated:::date-month%-%timegenerated:::date-day%-%timegenerated:::date-hour%"
:source, isequal, "last" stop
if $fromhost-ip != '127.0.0.1' then {
    action(type="omfile" dynaFile="RemoteStore")
    stop
}
SLES 15 /etc/rsyslog.d/remote.conf
If using the newer rsyslog syntax:
logsrv1:~ # cat /etc/rsyslog.d/remote.conf
module(load="imtcp")
input(type="imtcp" port="514")
module(load="imudp")
input(type="imudp" port="514")
template(name="RemoteStore" type="string" string="/var/log/HOSTS/%timegenerated:::date-year%-%timegenerated:::date-month%/%HOSTNAME%/%HOSTNAME%-%SYSLOGFACILITY-TEXT%-%timegenerated:::date-year%-%timegenerated:::date-month%-%timegenerated:::date-day%-%timegenerated:::date-hour%\n" )
:source, isequal, "last" stop
if $fromhost-ip != '127.0.0.1' then {
    action(type="omfile" dynaFile="RemoteStore")
    stop
}
to this:
SLES 12 /etc/rsyslog.d/remote.conf
logsrv1:~ # cat /etc/rsyslog.d/remote.conf
$ModLoad imtcp.so # load module
$InputTCPServerRun 514 # Starts a TCP server on selected port
$ModLoad imudp.so # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server at standard port 514
:source, isequal, "last" stop
if $fromhost-ip != '127.0.0.1' then {
    action(type="omfwd" Target="192.168.0.124" Port="514")
    stop
}
SLES 15 /etc/rsyslog.d/remote.conf
If using the newer rsyslog syntax:
logsrv1:~ # cat /etc/rsyslog.d/remote.conf
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
if $fromhost-ip != '127.0.0.1' then {
    action(type="omfwd" Target="192.168.0.124" Port="514")
    stop
}
2. Run systemctl restart rsyslog.service
Additional Information
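Added example, not part of the original SUSE document: a new-syntax remote.conf for logsrv1 that goes one step beyond the change above by keeping the local RemoteStore copy and relaying to logsrv2 over TCP with a disk-assisted queue, so messages are buffered while logsrv2 is unreachable. The protocol, retry and queue settings and the queue file name fwd_logsrv2 are assumptions chosen for illustration; it also assumes logsrv2 has an imtcp listener on port 514 and that an rsyslog work directory is configured on logsrv1.

```conf
# /etc/rsyslog.d/remote.conf on logsrv1 (illustrative, not from the SUSE document)
module(load="imtcp")
input(type="imtcp" port="514")
module(load="imudp")
input(type="imudp" port="514")

# Same per-host, per-hour path layout as the original RemoteStore template
template(name="RemoteStore" type="string" string="/var/log/HOSTS/%timegenerated:::date-year%-%timegenerated:::date-month%/%HOSTNAME%/%HOSTNAME%-%SYSLOGFACILITY-TEXT%-%timegenerated:::date-year%-%timegenerated:::date-month%-%timegenerated:::date-day%-%timegenerated:::date-hour%")

if $fromhost-ip != '127.0.0.1' then {
    # 1) Keep the local copy on logsrv1, as the original configuration did
    action(type="omfile" dynaFile="RemoteStore")

    # 2) Relay to logsrv2. omfwd uses UDP unless protocol is set, so TCP is
    #    requested explicitly here (assumption: logsrv2 accepts TCP on 514).
    action(type="omfwd" target="192.168.0.124" port="514" protocol="tcp"
           action.resumeRetryCount="-1"      # retry indefinitely while logsrv2 is down
           queue.type="LinkedList"           # in-memory queue for this action only
           queue.filename="fwd_logsrv2"      # hypothetical name; enables spill to disk
           queue.maxDiskSpace="1g"           # assumed cap on the on-disk backlog
           queue.saveOnShutdown="on")        # persist queued messages across restarts

    # 3) stop must come after both actions: any rule placed below this block
    #    never sees remote messages.
    stop
}
```

Check the syntax with rsyslogd -N1 before restarting the service. On logsrv2, $fromhost-ip for relayed messages is 192.168.0.125 (logsrv1), while %HOSTNAME% still carries the name from the original message header.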
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020865
- Creation Date: 17-Nov-2022
- Modified Date: 16-Dec-2022
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com