Product SiteDocumentation Site

18.5. Configuring rsyslog on a Logging Server

The rsyslog service provides facilities both for running a logging server and for configuring individual systems to send their log files to the logging server. See Example 18.12, “Reliable Forwarding of Log Messages to a Server” for information on client rsyslog configuration.
The rsyslog service must be installed on the system that you intend to use as a logging server and all systems that will be configured to send logs to it. Rsyslog is installed by default in Fedora 24. If required, to ensure that it is, enter the following command as root:
~]# dnf install rsyslog
The steps in this procedure must be followed on the system that you intend to use as your logging server. All steps in this procedure must be made as the root user:
  1. Configure the firewall to allow rsyslog TCP traffic.
    1. The default port for rsyslog TCP traffic is 514. To allow TCP traffic on this port, enter a command as follows:
      ~]# firewall-cmd --zone=zone --add-port=514/tcp
      Where zone is the zone of the interface to use.
  2. Open the /etc/rsyslog.conf file in a text editor and proceed as follows:
    1. Add these lines below the modules section but above the Provides UDP syslog reception section:
      # Define templates before the rules that use them
      ### Per-Host Templates for Remote Systems ###
      $template TmplAuthpriv, "/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
      $template TmplMsg, "/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
    2. Replace the default Provides TCP syslog reception section with the following:
      # Provides TCP syslog reception
      $ModLoad imtcp
      # Adding this ruleset to process remote messages
      $RuleSet remote1
      authpriv.*   ?TmplAuthpriv
      *.info;mail.none;authpriv.none;cron.none   ?TmplMsg
      $RuleSet RSYSLOG_DefaultRuleset   #End the rule set by switching back to the default rule set
      $InputTCPServerBindRuleset remote1  #Define a new input and bind it to the "remote1" rule set
      $InputTCPServerRun 514
    Save the changes to the /etc/rsyslog.conf file.
  3. The rsyslog service must be running on both the logging server and the systems attempting to log to it.
    1. Use the systemctl command to start the rsyslog service.
      ~]# systemctl start rsyslog
    2. To ensure the rsyslog service starts automatically in future, enter the following command as root:
      ~]# systemctl enable rsyslog
Your log server is now configured to receive and store log files from the other systems in your environment.

18.5.1. Using The New Template Syntax on a Logging Server

Rsyslog 7 has a number of different templates styles. The string template most closely resembles the legacy format. Reproducing the templates from the example above using the string format would look as follows:
template(name="TmplAuthpriv" type="string"

template(name="TmplMsg" type="string"
These templates can also be written in the list format as follows:
template(name="TmplAuthpriv" type="list") {
    property(name="programname" SecurePath="replace")
template(name="TmplMsg" type="list") {
    property(name="programname" SecurePath="replace")
This template text format might be easier to read for those new to rsyslog and therefore can be easier to adapt as requirements change.
To complete the change to the new syntax, we need to reproduce the module load command, add a rule set, and then bind the rule set to the protocol, port, and ruleset:

     authpriv.*   action(type="omfile" DynaFile="TmplAuthpriv")
      *.info;mail.none;authpriv.none;cron.none action(type="omfile" DynaFile="TmplMsg")

input(type="imtcp" port="514" ruleset="remote1")