File: 06-remote-server.rst

.. _tut-06-remote-server:

Your First Remote Log Server
############################

.. meta::
   :audience: beginner
   :tier: entry
   :keywords: rsyslog remote server, imudp, log receiver, central logging

.. summary-start

Set up rsyslog to **receive logs from another machine** over UDP.
Use a **dedicated ruleset** so only remote messages go into ``/var/log/remote.log``.

.. summary-end

Goal
====

Create a basic **remote log receiver**.
You will configure rsyslog to listen on UDP/514 and process incoming messages
with a separate ruleset, ensuring local logs remain unaffected.

.. important::

   This tutorial requires **two systems** (or two containers/VMs).
   One acts as the **server** (receiver), the other as the **client** (sender).
   Without a second machine, forwarding may appear “stuck” because rsyslog retries.

Steps
=====

1) Configure the server (receiver)
----------------------------------

On the receiving system, create ``/etc/rsyslog.d/10-receiver.conf``:

.. code-block:: rsyslog

   # Load UDP input
   module(load="imudp")

   # A ruleset just for messages received via this UDP listener
   ruleset(name="rs-from-udp") {
       action(type="omfile" file="/var/log/remote.log")
       # This ruleset is used only for the UDP input below.
       # Local system logs continue to use the default distro config.
   }

   # Assign the UDP input to the ruleset above
   input(type="imudp" port="514" ruleset="rs-from-udp")

Restart rsyslog:

.. code-block:: bash

   sudo systemctl restart rsyslog
   systemctl status rsyslog --no-pager

2) Configure the client (sender)
--------------------------------

On the sending system, create ``/etc/rsyslog.d/10-forward.conf``:

.. code-block:: rsyslog

   # Forward all messages via UDP to the server
   action(
       type="omfwd"
       target="server.example.com"   # replace with server hostname or IP
       port="514"
       protocol="udp"
   )

Restart rsyslog on the client:

.. code-block:: bash

   sudo systemctl restart rsyslog

3) Test the setup
-----------------

From the **client**, send a test message:

.. code-block:: bash

   logger -t tut06 "hello from the client"

On the **server**, check the remote log file:

.. code-block:: bash

   sudo tail -n 20 /var/log/remote.log

You should see the test message.
Only messages from the client appear here, because the UDP input uses its own ruleset.

If it’s not working…
=====================

1. **No messages arrive**

   - Verify the server is listening on UDP/514:

     .. code-block:: bash

        sudo ss -ulpn | grep ':514'

   - Check firewall rules (``ufw`` or ``firewalld``) to allow UDP/514.
   - Ensure the client’s ``target=`` hostname/IP is correct (try an IP to rule out DNS).

2. **Messages appear only on the client**

   - Test network reachability:

     .. code-block:: bash

        ping server.example.com

   - If ICMP/ping is blocked, check with traceroute or review firewall/NAT.

3. **Permission denied on /var/log/remote.log**

   - Ensure rsyslog has permission to write under ``/var/log/``.
   - For testing, root-owned files in ``/var/log/`` are fine.

4. **Service won’t start**

   - Validate configuration on both systems:

     .. code-block:: bash

        sudo rsyslogd -N1

Verification checkpoint
=======================

By the end of this tutorial you should be able to:

- Restart rsyslog cleanly on both client and server.
- Send a message with ``logger`` on the client.
- See the message arrive in ``/var/log/remote.log`` on the server, without local logs mixed in.
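
The test from step 3 and the first troubleshooting check, combined into one script. This is an added example, not part of the rsyslog documentation. The function names and the ``send``/``check`` subcommands are hypothetical, and it assumes the ``ss -ulpn`` column layout (local address in the fourth column) plus the port and file path configured in this tutorial.

```sh
#!/bin/sh
# Added example, not from the rsyslog docs. Function names are hypothetical;
# UDP/514 and /var/log/remote.log are the values configured in this tutorial.

# Print a one-off token so an old test line in the log cannot pass the check.
new_marker() { printf 'tut06-%s-%s\n' "$(date +%s)" "$$"; }

# Read `ss -ulpn` output on stdin; print the owning process of each socket whose
# LOCAL port is exactly $1. Unlike grep ':514', this ignores :5140 and peer columns.
listener_for_port() {
    awk -v port="$1" '
        { n = split($4, a, ":") }                 # $4 = Local Address:Port
        a[n] == port { print (NF >= 6 ? $6 : "unknown"); found = 1 }
        END { exit !found }'
}

# Poll file $1 for fixed string $2 for up to $3 seconds (default 5).
# UDP gives the sender no delivery receipt, so the log file is the only proof.
wait_for_marker() {
    _left=${3:-5}
    while :; do
        grep -Fq -- "$2" "$1" 2>/dev/null && return 0
        [ "$_left" -le 0 ] && return 1
        _left=$((_left - 1))
        sleep 1
    done
}

# Server-side check; run as root so ss shows the process and the log is readable.
server_check() {
    _proc=$(ss -ulpn | listener_for_port 514) ||
        { echo "FAIL: nothing bound to UDP/514"; return 1; }
    echo "UDP/514 held by: $_proc"
    wait_for_marker /var/log/remote.log "$1" 10 ||
        { echo "FAIL: marker '$1' not in remote.log"; return 2; }
    echo "OK: marker arrived"
}

# client:  sh tut06-check.sh send      server:  sudo sh tut06-check.sh check <marker>
case "${1:-}" in
    send)  m=$(new_marker); logger -t tut06 "$m"; echo "$m" ;;
    check) server_check "${2:?marker required}" ;;
esac
```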

See also / Next steps
=====================

- :doc:`04-message-pipeline` – how inputs, rulesets, and actions fit together.
- :doc:`../forwarding_logs` – more on forwarding (UDP vs TCP) and queues.
- Reference: :doc:`../../configuration/modules/imudp`
- Reference: :doc:`../../configuration/modules/omfwd`

----

.. note::

   Forwarding requires a **reachable** server. Without a valid target (and without
   an action queue), rsyslog may retry and appear “stuck” for a while.

.. tip::

   🎬 *Video idea (3–4 min):* show two terminals (client/server), run ``logger``
   on the client, and tail ``/var/log/remote.log`` on the server. Then point
   out the dedicated ruleset in the config that keeps local logs separate.