Rsyslog

Configuration of the log shipper 'rsyslog'.

This section explains how to configure 'rsyslog' as a log shipper that forwards logs to the event gateway.

For the rsyslog component to send log data to the event gateway, two elements have to be configured:

  1. The Event Gateway Endpoint

  2. The system's rsyslog configuration on the Linux host

Step 1: Configure the Event Gateway Endpoint. An example endpoint configuration is captured in the snippet below.

# Gateway Endpoint:
endpoints:
- name: syslog_tcp_events
  enabled: true
  type: syslog_tcp
  port: 514
  attrs:
    site_code: cfx_dc1
    archive_name: network_syslogs
  stream: syslog-tcp-stream-01

Step 2: Uncomment the lines below in /etc/rsyslog.conf using your preferred editor (e.g. vi). An example Linux service configuration is captured in the snippet below.

module(load="imudp")            # load the UDP input module; needs to be done just once
input(type="imudp" port="514")  # accept syslog over UDP/514 on this host

module(load="imtcp")            # load the TCP input module; needs to be done just once
input(type="imtcp" port="514")  # accept syslog over TCP/514 on this host
#Target="remote_host" Port="XXX" Protocol="tcp")
*.* @@<event-gateway>:514       # forward all facilities/priorities; use @@ for TCP (a single @ means UDP)

Step 3: Enable the required firewall ports (514/tcp and 514/udp in this case) using the respective commands (an example of CentOS/RHEL commands is captured in the snippet below).

bash# sudo firewall-cmd --add-port=514/tcp --permanent 
bash# sudo firewall-cmd --add-port=514/udp --permanent 
bash# sudo firewall-cmd --reload 

Step 4: Restart the rsyslog service (an example of CentOS/RHEL commands is captured in the snippet below).

bash# sudo systemctl restart rsyslog

Note: To run the above commands, the user must have 'sudo' privileges or run them as root in order to enable the required ports.
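The two artifacts from Step 1 and Step 2 have to agree: the endpoint type (syslog_tcp) fixes the transport and the port, and the rsyslog forwarding rule must use the matching `@@` (TCP) form and the same port, or nothing arrives at the gateway. The script below is an added example written for this page, not code from rsyslog or the event gateway. It parses the forwarding rules out of rsyslog configuration text (both the legacy `*.* @@host:port` form used above and the single-line `action(type="omfwd" ...)` form), compares them with the endpoint definition, and rewrites each rule in RainerScript syntax. The sample configurations and the hostname gateway.example.internal are constructed; the assumption that the suffix of the endpoint type names the transport (syslog_tcp means TCP) is taken from the page's example. Note that only the `*.*` line ships logs out; the imudp/imtcp inputs make the host itself a syslog receiver, which the checker deliberately ignores.

```python
"""Cross-check an event-gateway syslog endpoint against rsyslog forwarding rules.
Illustrative code written for this page; the sample configs below are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Forwarder:
    selector: str   # e.g. "*.*"
    host: str
    port: int
    protocol: str   # "tcp" or "udp"


# Legacy forwarding syntax: <selector> @host[:port] (UDP) or @@host[:port] (TCP).
# Options such as @@(o)host and a trailing ;template are accepted and ignored.
_LEGACY = re.compile(
    r'^(?P<sel>\S+)\s+(?P<at>@@?)(?:\([^)]*\))?'
    r'(?P<host>\[[^\]]+\]|[^\s:;]+)(?::(?P<port>\d+))?(?:;\S+)?$')
# RainerScript forwarding action on a single line:
#   action(type="omfwd" target="h" port="514" protocol="tcp")
_ACTION = re.compile(r'action\s*\((?P<body>[^)]*)\)', re.IGNORECASE)
_PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_forwarders(conf_text: str) -> list[Forwarder]:
    """Return every forwarding rule in the given rsyslog configuration text.
    Comments (#...) are stripped first, so the commented-out omfwd template from
    the stock rsyslog.conf is ignored. Multi-line action() blocks are not handled
    by this simplified parser."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LEGACY.match(line)
        if m:
            rules.append(Forwarder(
                selector=m["sel"],
                host=m["host"].strip("[]"),
                port=int(m["port"] or 514),                    # rsyslog default port
                protocol="tcp" if m["at"] == "@@" else "udp"))
            continue
        m = _ACTION.search(line)
        if m:
            params = {k.lower(): v for k, v in _PARAM.findall(m["body"])}
            if params.get("type", "").lower() == "omfwd":
                rules.append(Forwarder(
                    selector=line[:m.start()].strip() or "*.*",
                    host=params.get("target", ""),
                    port=int(params.get("port", "514")),           # omfwd default
                    protocol=params.get("protocol", "udp").lower()))  # omfwd default
    return rules


def check_forwarders(rules: list[Forwarder], endpoint: dict) -> list[str]:
    """Return human-readable mismatches between the rules and the endpoint (empty = consistent)."""
    findings = []
    if not endpoint.get("enabled", False):
        findings.append(f"endpoint {endpoint['name']} is disabled")
    want_proto = endpoint["type"].rsplit("_", 1)[-1].lower()   # assumption: syslog_tcp -> tcp
    want_port = int(endpoint["port"])
    if not rules:
        findings.append("no forwarding rule found in rsyslog configuration")
    for r in rules:
        where = f"{r.selector} -> {r.host}:{r.port}/{r.protocol}"
        if "<" in r.host or ">" in r.host:
            findings.append(f"{where}: placeholder host was not replaced")
        if r.protocol != want_proto:
            findings.append(f"{where}: endpoint expects {want_proto}")
        if r.port != want_port:
            findings.append(f"{where}: endpoint listens on port {want_port}")
    return findings


def to_rainerscript(r: Forwarder) -> str:
    """Render a rule in the modern omfwd action syntax (equivalent to the legacy @/@@ form)."""
    return (f'{r.selector} action(type="omfwd" target="{r.host}" '
            f'port="{r.port}" protocol="{r.protocol}")')


# Constructed sample data: the Step 1 endpoint flattened to a dict, one rsyslog
# snippet consistent with it, and one containing two typical mistakes.
ENDPOINT = {"name": "syslog_tcp_events", "enabled": True, "type": "syslog_tcp", "port": 514}

RSYSLOG_OK = """
module(load="imtcp")                 # needs to be done just once
input(type="imtcp" port="514")
#Target="remote_host" Port="XXX" Protocol="tcp")
*.* @@gateway.example.internal:514   # @@ = TCP
"""

RSYSLOG_BAD = """
*.* @gateway.example.internal:514    # single @ = UDP, but the endpoint is syslog_tcp
action(type="omfwd" target="gateway.example.internal" port="1514" protocol="tcp")
"""

if __name__ == "__main__":
    for label, text in (("ok", RSYSLOG_OK), ("bad", RSYSLOG_BAD)):
        rules = parse_forwarders(text)
        for r in rules:
            print(f"[{label}] {to_rainerscript(r)}")
        for f in check_forwarders(rules, ENDPOINT) or ["no mismatches"]:
            print(f"[{label}] {f}")
```

Run it against the real file with `parse_forwarders(open("/etc/rsyslog.conf").read())` after editing Step 2, and against the endpoint you actually deployed in Step 1; a protocol or port finding is the usual reason the gateway stays silent after `systemctl restart rsyslog`.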
