One of the problems I encountered in my job is to get syslog (udp/514) logs from a server that support only one syslog destination and resend these logs to two or more servers (log archiving, security appliance etc).
To do this I used rsyslog and Ubuntu Server (14.04 LTS) acting like a syslog relay.
In this scenario the remote appliance sends the log to the Ubuntu Server (listening on port udp/514) and the server store&forward the logs to one or more server/device.
All configurations where done on Ubuntu Server 14.04
Edit file /etc/rsyslog.conf and uncomment (if not already done) following lines so the server listen on udp port 514. If you need you can also listen on port tcp/514, just uncomment proper lines.
# provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 # provides TCP syslog reception #$ModLoad imtcp #$InputTCPServerRun 514
You can restart the rsyslogd service and check if the service is listening
root@test-14:~# service rsyslog restart rsyslog stop/waiting rsyslog start/running, process 2126 root@test-14:~# netstat -tupnl | grep :514 udp 0 0 0.0.0.0:514 0.0.0.0:* 2126/rsyslogd udp6 0 0 :::514 :::* 2126/rsyslogd root@test-14:~#
Now create a new file /etc/rsyslog.d/90-store_forward.conf where we put the store&forward confguration
### Locally log received data # log every host in a its own dir $template RemoteHost,"/var/spool/rsyslog/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log" # log everything in a single file #$template RemoteHost,"/var/spool/rsyslog/received" ### Enable Remote Logging saving locally to the specified file $RuleSet remote *.* ?RemoteHost # Send messages we receive to host *.* @a.b.c.d:514 #UDP, just one @ *.* @e.f.g.h:514 #UDP #*.* @@j.k.l.m:514 #TCP, two @ ### Listeners (TCP/UDP) # bind ruleset to the udp listener $InputUDPServerBindRuleset remote # and activate it on port udp/514: $UDPServerRun 514 # bind ruleset to the tcp listener #$InputTCPServerBindRuleset remote # and activate it on port tcp/514: #$InputTCPServerRun 514
Again you have to restart your rsyslogd service and try to send logs to the Ubuntu Server and you will see on the destination host/appliance
root@test-14:~# service rsyslog restart rsyslog stop/waiting rsyslog start/running, process 3155 root@test-14:~#