Forwarding Syslogs to External Servers
What is syslog?
Syslog is a standard for collecting, routing, and storing log messages. The protocol allows logs to be sent to a central store. System administrators use syslog messages to debug issues that occur in a system or application, and also for monitoring.
Syslog Daemon
The syslog daemon is a server process that facilitates message logging for applications and system processes. Which syslog daemon is in use varies by operating system.
Example syslog daemons:
- RSyslog
- Syslogd
- Syslog-ng
To find out which syslog daemon you have, check for its configuration file in the /etc directory.
In RHL:
ls /etc/*syslog*
If the above command doesn't return anything, you can simply install a syslog daemon.
In RHL:
sudo yum install rsyslog
Forwarding Syslogs
Syslog can route logs over a network, which makes it possible to forward logs to external logging servers and tools such as Papertrail, SolarWinds Kiwi Syslog Server, Datadog, and Dynatrace. This gives system administrators a broader view of the systems they manage.
How to Forward Syslogs (Red Hat Enterprise Linux)
Out of the box, syslog communicates via UDP 514 and 601. You can forward your syslogs by adding a rule to rsyslog.conf:
vi /etc/rsyslog.conf
imfile
is a file input module that lets you turn any standard text file into syslog messages.
The directives are defined as follows:
- InputFileName: name of the input log file. This must be an absolute path.
- InputFileTag: the tag to be used for messages that originate from this file.
- InputFileStateFile: rsyslog must keep track of which parts of the monitored file it has already processed; it does this in the state file, which is always created in the rsyslog working directory.
- InputFileSeverity: the syslog severity to be assigned to the lines read.
- InputFileFacility: the syslog facility to be assigned to the lines read.
The above rule assigns the messages read from the given log file to the given syslog facility. After that, you can send all data from that facility to your remote server:
[FACILITY].* @@hostname:<portnumber>
Now you should be able to see your particular syslog data on the remote server.
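Putting the imfile directives and the forwarding rule together, here is an added example (not from the original page) that renders a complete rsyslog drop-in and installs it. The application log path, the tag "myapp", the facility local7, the collector hostname and the drop-in location under /etc/rsyslog.d/ are all assumed values; adjust them for your system.

```shell
#!/bin/sh
# Assumed values (placeholders): change these for your environment.
APP_LOG=/var/log/myapp/app.log        # absolute path, as imfile requires
TAG=myapp                             # InputFileTag (a trailing ':' is appended)
FACILITY=local7                       # facility the file's lines are stamped with
REMOTE=loghost.example.com            # placeholder collector hostname
PORT=514                              # collector port

# render_conf LOGFILE TAG FACILITY REMOTE PORT
# Prints an rsyslog configuration that reads LOGFILE with imfile, tags each
# line with TAG/FACILITY and forwards everything in that facility over TCP.
render_conf() {
    cat <<EOF
# --- read the application log with imfile ---
\$ModLoad imfile
\$InputFileName $1
\$InputFileTag $2:
\$InputFileStateFile state-$2
\$InputFileSeverity info
\$InputFileFacility $3
\$InputRunFileMonitor
# --- forward the facility to the collector ---
# '@@' means TCP; a single '@' would send the messages over UDP instead.
$3.* @@$4:$5
EOF
}

# install_conf: write the drop-in, check the configuration parses, then
# restart rsyslog. Requires root; assumes /etc/rsyslog.d/*.conf is included
# by /etc/rsyslog.conf, which is the default on RHEL.
install_conf() {
    render_conf "$APP_LOG" "$TAG" "$FACILITY" "$REMOTE" "$PORT" \
        > /etc/rsyslog.d/forward-"$TAG".conf
    # -N1 validates the configuration without starting the daemon
    rsyslogd -N1 && systemctl restart rsyslog
}
```

Run `render_conf` first to inspect the output, then `install_conf` as root; the state file named in InputFileStateFile is created in the rsyslog working directory (/var/lib/rsyslog on RHEL).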