Background

Recently, while running maintenance, I discovered that network devices (such as switches) have a feature to send logs remotely, i.e. they can send logs to a specified server via the syslog udp protocol. To do this, you can run rsyslog on the server and collect the logs.

rsyslog configuration

The default rsyslog configuration collects the system local configuration, so we need to write an rsyslog configuration for collecting remote logs.

First copy /etc/rsyslog.conf to /etc/rsyslog-remote.conf, and then make the following changes.

  1. Comment out the module loads associated with imuxsock and imklog.
  2. uncomment imudp and imtcp so that it listens on the appropriate ports
  3. modify $WorkDirectory, e.g. $WorkDirectory /var/spool/rsyslog-remote, to prevent conflicts with existing rsyslog
  4. comment out $IncludeConfig to prevent the introduction of unnecessary configuration
  5. Comment out all existing configurations under RULES.
  6. Add the following configuration.
1
2

$template FromIp,"/var/log/rsyslog-remote/%FROMHOST-IP%.log"
*.* ?FromIp

This will sort by the source IP address and write them all to the /var/log/rsyslog-remote/x.x.x.x.log file.

systemd service

Finally, write a systemd service so that it starts automatically.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

[Unit]
ConditionPathExists=/etc/rsyslog-remote.conf
Description=Remote Syslog Service

[Service]
Type=simple
PIDFile=/var/run/rsyslogd-remote.pid
ExecStart=/usr/sbin/rsyslogd -n -f /etc/rsyslog-remote.conf -i /var/run/rsyslogd-remote.pid
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
systemctl daemon-reload
systemctl enable --now rsyslog-remote

This enables the collection of remote logs.

logrotate settings

To prevent too much logging, you also need to configure logrotate.

Copy /etc/logrotate.d/rsyslog to /etc/logrotate.d/rsyslog-remote, then change the beginning to /var/log/rsyslog-remote/*.log, the path corresponds to the above.

Reference Documents