Send logs to a central server using rsyslog (with SSL/TLS support)

Rsyslog allows you to send logs from a file on a server to a remote server (or an online service) that collects and keeps all the logs.

Assumed server configuration

We assume here that you already have an rsyslog server running and listening on port 514 (TCP or UDP depending on your needs).
This server is reachable and will be referred to by the following hostname (used later in the configuration): rsyslog.mycompany.com

Packages Installation

First of all, install the rsyslog packages rsyslog and rsyslog-gnutls (the latter provides the GnuTLS network stream driver needed for SSL/TLS support):

apt-get install rsyslog rsyslog-gnutls

Also make sure that no firewall rules in your infrastructure block the connection from this client to the rsyslog server on port 514.

Rsyslog configuration

To use SSL/TLS communication, you will first need to retrieve the certificate that lets the client validate your server (the CA certificate that signed the server certificate, or the server certificate itself if it is self-signed). Let's call it apimyrsyslog.crt.
Put it in the /etc/ssl/ folder and set its permissions to 0644 so it can be read by anyone but not modified.

Once this is done, create the file /etc/rsyslog.d/49-myrsyslog.conf with a configuration like the following:

# Config for enabling file forwarding
# Load the text file input module and poll the file every 10 seconds
$ModLoad imfile
$InputFilePollInterval 10
# Drop privileges to the adm group after startup
$PrivDropToGroup adm
# Directory where the state files (read positions) are kept
$WorkDirectory /var/spool/rsyslog

# Input log file
$InputFileName LOG_FILEPATH
# Tag attached to each message; it is what $programname matches on below
$InputFileTag APP_NAME
# State file (in $WorkDirectory) tracking how far the file has been read
$InputFileStateFile APP_NAME
$InputFileSeverity notice
# Activate the monitor for the file defined above
$InputRunFileMonitor

# Template and TLS configuration
$template LogFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% - - - %msg%\n"
# Certificate used to validate the server
$DefaultNetstreamDriverCAFile /etc/ssl/apimyrsyslog.crt
# Use GnuTLS for the forwarding action; mode 1 = TLS required (0 would allow plain TCP)
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
# Validate the server certificate and check the name it carries
$ActionSendStreamDriverAuthMode x509/name
# Name the server certificate must carry (required with x509/name)
$ActionSendStreamDriverPermittedPeer rsyslog.mycompany.com

The log action configuration then depends on your rsyslog version:

  • If rsyslog version >=7.0
# Log action configuration
if $programname == 'APP_NAME' then {
    @@rsyslog.mycompany.com:514;LogFormat
    # stop processing this message here so it is not also written to local files
    stop
}

The “@@” prefix means that TCP is used. If you prefer UDP, replace it with a single “@”. Note that the TLS settings above only apply to TCP: with “@” (UDP) the logs are sent in clear text.

  • Else if rsyslog version <7.0
# Log action configuration
if $programname == 'APP_NAME' then @@rsyslog.mycompany.com:514;LogFormat
# "&" reuses the selector of the previous line, "~" discards the message
& ~

Adapt it by replacing these placeholders with the correct values:

  • APP_NAME: unique name of the application producing the log (e.g. NGinx-Access)
  • LOG_FILEPATH: full path of the log file (e.g. /var/log/nginx/access.log)
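As an added example (not part of the original page), a small shell function that checks a client configuration written following the steps above before you restart rsyslog: the CA file permissions, the presence of every TLS directive, that the CA path and permitted peer match, and that the action uses TCP, the only transport TLS works over. The function name is hypothetical and Linux stat(1) is assumed.

```shell
#!/bin/sh
# Added sanity check (not from the original page): verify an rsyslog TLS
# forwarding client configuration before restarting the service.
# Usage: check_rsyslog_client CONF_FILE CA_FILE   (Linux stat(1) assumed)
# Prints one FAIL line per problem and returns 1 if any check failed.
check_rsyslog_client() {
    conf="$1"; ca="$2"; rc=0

    # 1. CA file must exist with mode 0644: readable by rsyslog, writable only by its owner.
    if [ ! -f "$ca" ]; then
        echo "FAIL: CA file $ca does not exist"; rc=1
    else
        mode=$(stat -c '%a' "$ca")
        if [ "$mode" != "644" ]; then
            echo "FAIL: $ca has mode $mode, expected 644"; rc=1
        fi
    fi

    # 2. Every TLS directive from the guide must be present (PermittedPeer is
    #    required for x509/name authentication).
    for d in '$DefaultNetstreamDriverCAFile' '$ActionSendStreamDriver gtls' \
             '$ActionSendStreamDriverMode 1' \
             '$ActionSendStreamDriverAuthMode x509/name' \
             '$ActionSendStreamDriverPermittedPeer'; do
        if ! grep -qF -- "$d" "$conf"; then
            echo "FAIL: missing directive $d"; rc=1
        fi
    done

    # 3. The CA path in the config must be the file checked above.
    cfg_ca=$(sed -n 's/^[$]DefaultNetstreamDriverCAFile[[:space:]]*//p' "$conf" | head -n 1)
    if [ "$cfg_ca" != "$ca" ]; then
        echo "FAIL: config points at CA '$cfg_ca', expected $ca"; rc=1
    fi

    # 4. gtls only works over TCP: a single '@' (UDP) action bypasses TLS entirely.
    if grep -Eq '(^|[^@])@[^@]' "$conf"; then
        echo "FAIL: UDP action (@host) found; TLS requires TCP (@@host)"; rc=1
    fi

    # 5. The permitted peer name must match the host the action forwards to.
    peer=$(sed -n 's/^[$]ActionSendStreamDriverPermittedPeer[[:space:]]*//p' "$conf" | head -n 1)
    target=$(grep -oE '@@[^:;[:space:]]+' "$conf" | head -n 1 | sed 's/^@@//')
    if [ -n "$target" ] && [ "$peer" != "$target" ]; then
        echo "FAIL: permitted peer '$peer' does not match target $target"; rc=1
    fi
    return "$rc"
}
if [ "$#" -eq 2 ]; then check_rsyslog_client "$1" "$2"; fi
```

Run it as sh check.sh /etc/rsyslog.d/49-myrsyslog.conf /etc/ssl/apimyrsyslog.crt; a zero exit status means all five checks passed.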

Rsyslog restart

Finally, restart the rsyslog service so the logs start being sent (you can check the configuration syntax beforehand with rsyslogd -N1):

service rsyslog restart

Within a few minutes you should see that a connection has been established (check with the netstat command), and the logs should start appearing on the server side (which handles them according to how you configured it, or, for an online service, how the provider configured it).