Rsyslog
Configuration of the log shipper 'rsyslog'.
This section explains how to configure 'rsyslog' as a log shipper.
For the rsyslog component to send log details to the event gateway, users have to configure two elements:
Event Gateway Endpoint
System rsyslog configuration on Linux environments
Step 1:
An example Event Gateway Endpoint configuration is shown in the configuration snippet below.
# Gateway Endpoint:
endpoints:
  - name: syslog_tcp_events
    enabled: true
    type: syslog_tcp
    port: 514
    attrs:
      site_code: cfx_dc1
      archive_name: network_syslogs
    stream: syslog-tcp-stream-01
An example Linux service configuration is shown in the configuration snippet below.
Step 2: Uncomment the lines below in /etc/rsyslog.conf using your favorite editor (e.g. vi).
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
#Target="remote_host" Port="XXX" Protocol="tcp")
*.* @@<event-gateway>:514 # Use @@ for TCP protocol
Step 3: Open the required firewall ports (514 for TCP/UDP in this case) using the respective commands (example CentOS/RHEL commands are shown in the snippet below).
bash# sudo firewall-cmd --add-port=514/tcp --permanent
bash# sudo firewall-cmd --add-port=514/udp --permanent
bash# sudo firewall-cmd --reload
Step 4: Restart the rsyslog service (an example CentOS/RHEL command is shown in the snippet below).
bash# sudo systemctl restart rsyslog
Note: To run the above commands and enable the required ports, the user is expected to have 'sudo' privileges or to run the commands as root.
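A static check that can be run on the edited file before the restart in Step 4, as an added example that is not part of the original documentation: it lists the listeners and legacy forwarding rules that are active in an rsyslog.conf and confirms that a TCP (@@) rule points at the gateway. The host name gateway.example.internal, the function names and the sample file are assumptions constructed for the illustration.

```sh
# Added example: static check of a shipper's rsyslog.conf (not vendor code).

# Print each active legacy forwarding rule as "proto host port".
list_forwards() {
    sed 's/#.*$//' "$1" | awk '
        NF >= 2 && $2 ~ /^@/ {
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"   # @@ = TCP, @ = UDP
            target = $2; sub(/^@+/, "", target)
            port = "514"                           # rsyslog default port
            if (match(target, /:[0-9]+$/)) {
                port = substr(target, RSTART + 1)
                target = substr(target, 1, RSTART - 1)
            }
            print proto, target, port
        }'
}

# Print each active listener as "tcp port" or "udp port" (compare with Step 3).
list_inputs() {
    sed -nE 's/^[[:space:]]*input\(type="im(tcp|udp)"[[:space:]]+port="([0-9]+)"\).*/\1 \2/p' "$1"
}

# Exit 0 if logs go to host:port over TCP, 1 if only over UDP, 2 if not at all.
check_shipper() {
    fwd=$(list_forwards "$1")
    if printf '%s\n' "$fwd" | grep -qxF "tcp $2 $3"; then return 0; fi
    if printf '%s\n' "$fwd" | grep -qxF "udp $2 $3"; then return 1; fi
    return 2
}

# Constructed sample mirroring the Step 2 lines; the gateway name is a placeholder.
write_sample() {
    cat > "$1" <<'EOF'
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
#Target="remote_host" Port="XXX" Protocol="tcp")
*.* @@gateway.example.internal:514 # Use @@ for TCP protocol
EOF
}

sample=$(mktemp)
write_sample "$sample"
list_inputs "$sample"
list_forwards "$sample"
check_shipper "$sample" gateway.example.internal 514 && echo "TCP forwarding rule present"
rm -f "$sample"
```

Every port printed by list_inputs is a listener on the shipper itself, so that output should match the ports opened in Step 3.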