Happen to have any experience forwarding logs to a remote server from rsyslogd on Ubuntu 10.04 LTS?

Jameson F
user 20032251
Bloomington, IN
Post #: 4

I'm attempting to forward logs from an Ubuntu 10.04 LTS server running rsyslogd to a Windows Server 2008 R2 server running GFI EventsManager 2012 (12.0.0).

I've included the following line in /etc/rsyslog.d/50-default.conf (at the beginning) on the Ubuntu server:

*.* @@<IPAddressOfWindowsServer>:514

Prior to that I also tried including the following in /etc/rsyslog.conf (at the end):

$WorkDirectory /var/spool/rsyslog/work # default location for work (spool) files

$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd # set file name, also enables disk mode
$ActionQueueMaxDiskSpace 1g # limit queue size to 1 GB
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
*.* @@<IPAddressOfWindowsServer>:514

I restarted rsyslogd after each configuration change using the following command:

sudo service rsyslog reload

The Ubuntu server's firewall is enabled, but it is allowing outbound traffic by default. GFI EventsManager's built-in syslog server is configured to accept logs on TCP port 514. An event source has been configured in GFI using the hostname of the Ubuntu server. Windows Firewall is allowing traffic to TCP port 514 from the Ubuntu server. Firewall logging is enabled on the Windows server, and logging both dropped packets and successful connections. Local logging on the Ubuntu server is functioning normally, but rsyslogd doesn't seem to be sending logs to EventsManager. The Windows Firewall log does not show any connection attempts from the Ubuntu server. And, obviously, EventsManager isn't receiving or processing any logs from the Ubuntu server. I've read everything I can find regarding forwarding logs using rsyslogd including the links below. Everything appears to be configured correctly, but it's not working.

Any ideas? Any help would be greatly appreciated.
Brad F.
Indianapolis, IN
Post #: 2
The 50-default.conf forwarding line looks fine. I use an almost identical setup to forward to logstash.

Other things to check:

  • Are you getting local log output? Something like logger -t foo bar; tail /var/log/messages might be helpful to check.
  • If so, are you seeing any network traffic on port 514? E.g. with tcpdump -n -i eth0 port 514
  • If neither of those helps, I would run rsyslogd in the foreground with debugging enabled and check its output. Stop the service, verify it stopped with ps aux | grep rsyslog or similar, and then run something like rsyslogd -x -d. The default options, like -x in my example, are likely in /etc/default/rsyslog.

Hope that helps get you back on track.
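
An added example, not part of either post above: before capturing traffic, it helps to list every forwarding action rsyslog will read and the transport each one uses, so the tcpdump filter and the firewall rule are checked against the right protocol and port. The function name, the sample config and the 192.0.2.10 address are constructed for illustration, and the parser assumes legacy "selector action" lines with a hostname or IPv4 target.

```shell
#!/bin/sh
# Added example: list the forwarding actions in rsyslog legacy-syntax config.
# Real use: list_forward_rules /etc/rsyslog.conf /etc/rsyslog.d/*.conf

# Print one line per forwarding action:
#   <file>:<line> <selector> <tcp|udp> <host> <port>
list_forward_rules() {
    awk '
        $1 ~ /^[#$]/ { next }              # comment or $Directive line
        NF >= 2 && $2 ~ /^@/ {
            target = $2
            proto = (target ~ /^@@/) ? "tcp" : "udp"   # @@ = TCP, @ = UDP
            sub(/^@+/, "", target)
            sub(/^\([^)]*\)/, "", target)  # drop options such as (z9)
            port = "514"                   # used when the rule names no port
            n = split(target, parts, ":")
            if (n == 2) { target = parts[1]; port = parts[2] }
            printf "%s:%d %s %s %s %s\n", FILENAME, FNR, $1, proto, target, port
        }
    ' "$@"
}

# Constructed sample config (not a file from the thread).
sample_config() {
    cat <<'EOF'
# constructed sample
$ActionQueueType LinkedList # use asynchronous processing
*.* @@192.0.2.10:514
auth,authpriv.*    /var/log/auth.log
mail.err @loghost
EOF
}

# Stand-alone demo: write the sample to a temp file and list its rules.
demo_tmp=$(mktemp)
sample_config > "$demo_tmp"
list_forward_rules "$demo_tmp"
rm -f "$demo_tmp"
```

A rule reported as tcp needs the receiver and both firewalls open on that TCP port; a rule reported as udp will never show up as a TCP connection attempt in a firewall log.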

Michael S.
Indianapolis, IN
Post #: 1
You might also try using Splunk as the logging server. I've switched my centralized logging to Splunk as it's free for up to 500mb of logs a day. Couldn't be happier with the ease of setup and the search ability of the logs is unbelievable.