Using Rsyslog to ship the logs over TCP on CentOS.

4 min readMar 25, 2017

Introduction:

Rsyslog is the one open source tool for log processing. It offers high performance and security. Rsyslog consists following features,

Multi-threading
TCP, SSL, TLS, RELP
MySQL, PostgreSQL, Oracle and more
Filter any part of syslog message
Fully configurable output format
Suitable for enterprise-class relay chains
In this blog post, we will learn about how to use Rsyslog to ship logs over TCP.

Prerequisite:

Linux Hands on.

Step 1 | Install Rsyslog

Create rsyslog.repo:

$ sudo vi /etc/yum.repos.d/rsyslog.repo

Paste following content to /etc/yum.repos.d/rsyslog.repo

[rsyslog-v5-stable]
name=Adiscon Rsyslog v5-stable for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v5-stable/epel-$releasever/$basearch
enabled=0
gpgcheck=0
protect=1[rsyslog-v6-beta]
name=Adiscon Rsyslog v6-beta for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v6-beta/epel-$releasever/$basearch
enabled=0
gpgcheck=0
protect=1[rsyslog-v6-stable]
name=Adiscon Rsyslog v6-stable for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v6-stable/epel-$releasever/$basearch
enabled=0
gpgcheck=0
protect=1[rsyslog-v7-beta]
name=Adiscon Rsyslog v7-beta for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v7-beta/epel-$releasever/$basearch
enabled=0
gpgcheck=0
protect=1[rsyslog-v7-devel]
name=Adiscon Rsyslog v7-devel for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v7-devel/epel-$releasever/$basearch
enabled=0
gpgcheck=0
protect=1[rsyslog-v7-stable]
name=Adiscon Rsyslog v7-stable for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v7-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
protect=1[rsyslog-v8-devel]
name=Adiscon Rsyslog v8-devel for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v8-devel/epel-$releasever/$basearch
enabled=0
gpgcheck=0
protect=1[rsyslog-v8-stable]
name=Adiscon Rsyslog v8-stable for CentOS-$releasever-$basearch
baseurl=http://rpms.adiscon.com/v8-stable/epel-$releasever/$basearch
enabled=1
gpgcheck=0
protect=1

Run yum update

$ sudo yum -y update

Install Rsyslog

$ yum -y install rsyslog

Step 2 | Rsyslog configuration to ship logs over TCP.

Rsyslog consist legacy syntax too. But I am not using legacy syntax for configuration.

Your default /etc/rsyslog.conf should consist ,

# rsyslog configuration file
# note that most of this config file uses old-style format,
# because it is well-known AND quite suitable for simple cases
# like we have with the default config. For more advanced 
# things, RainerScript configuration is suggested.# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html#### MODULES ####module(load="imfile" PollingInterval="10")
#module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
#module(load="imklog")   # provides kernel logging support (previously done by rklogd)
#module(load"immark")  # provides --MARK-- message capability# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")
#### GLOBAL DIRECTIVES ##### Use default timestamp format
#$template FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
#$template TraditionalFileFormat,"%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n
#$ActionFileDefaultTemplate TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ##### Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure# Log all the mail messages in one place.
mail.*                                                  /var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 2g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down# Use standard RFC5424 log format for local logs
#$ActionFileDefaultTemplate RSYSLOG_SyslogProtocol23Format
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

As I am using non-legacy syntax, you can configure Rsyslog at /etc/rsyslog.d
This directory should consist all condiguration files.
For Example we are having following logs ,

Jan 13, 2016 7:51:30 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://endpoints.example.com/}SearchServiceImplService#{http://endpoints.example.com/}search has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Error writing to XMLStreamWriter.
    at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor$SoapOutEndingInterceptor.handleMessage(SoapOutInterceptor.java:286)
    at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor$SoapOutEndingInterceptor.handleMessage(SoapOutInterceptor.java:268)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
Jan 13, 2016 7:51:32 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://endpoints.example.com/}SearchServiceImplService#{http://endpoints.example.com/}search has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Error writing to XMLStreamWriter.
    at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor$SoapOutEndingInterceptor.handleMessage(SoapOutInterceptor.java:286)
    at org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor$SoapOutEndingInterceptor.handleMessage(SoapOutInterceptor.java:268)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)

It is multiline log which is located at /var/log/apache.log. To ship this log I will be writing configuration /etc/rsyslog.d/logging.conf,

input(type="imfile"
      File="/var/log/apache.log"
      Tag="apache-log"
      startmsg.regex="^((Jan)|(Feb)|(Mar)|(Apr)|(May)|(Jun)|(Jul)|(Aug)|(Sep)|(Oct)|(Nov)|(Dec))[[:space:]]([0-9]|[0-9][0-9]),[[:space:]]([0-9][0-9][0-9][0-9])[[:space:]]([0-9]|[0-9][0-9]):([0-9]|[0-9][0-9]):([0-9]|[0-9][0-9])[[:space:]](AM|PM)"
)
template(name="ForwardFormat" type="list") {
    property(name="msg" spifno1stsp="on" )
    property(name="msg")
 }
if $programname == 'apache-log' then {
   action(
        type="omfwd"
        Target="10.112.34.12"
        Port="5001"
        Protocol="tcp"
        Template="ForwardFormat"
    )
    stop
}

If you are dealing with elasticsearch then you can use Elasticsearch plugin for shipping logs t
Here I divided configuration into three parts,
i. Input
ii. Template
iii. Action

i. Input: It consist type as imfile , the location of a file to tail, tag for the log and regex especially for distinguishing multiline logs.

ii. Template: Used to format the logs.

iii. Action: Where to send logs. Type of action is omfwd and we are forwarding logs to 5001 TCP port of host 10.112.34.12.

You need to make sure TCP port should be open and reachable for the host.
This is the simplest way to use Rsyslog to ship logs over TCP.