Rsyslog to Direct Log Messages to a Local Syslog Host on Port 5000 Using TCP
To configure rsyslog to direct log messages to a local syslog host on port 5000 using TCP, you will need to modify the rsyslog configuration files. Here’s a step-by-step guide to set this up:
1. Configure the Local Syslog Host
If the local syslog host is also using rsyslog, you need to ensure that it is set up to listen on port 5000 for incoming TCP connections.
1.1 Edit the Syslog Configuration
Open the rsyslog configuration file for editing. This is typically located at /etc/rsyslog.conf or a file within /etc/rsyslog.d/.
sudo nano /etc/rsyslog.conf
1.2 Add Configuration to Listen on Port 5000
Add or modify the following lines to configure rsyslog to listen on TCP port 5000:
# Load the TCP input module
module(load="imtcp")
# Define the TCP listener
input(type="imtcp" port="5000")
1.3 Restart rsyslog
After modifying the configuration, restart rsyslog to apply the changes:
sudo systemctl restart rsyslog
2. Configure the Sending Syslog Client
On the system where rsyslog is sending logs, configure it to forward messages to the local syslog host on port 5000.
2.1 Edit the Configuration File
Open the rsyslog configuration file for editing on the sending system. This might be /etc/rsyslog.conf or a file in /etc/rsyslog.d/.
sudo nano /etc/rsyslog.conf
2.2 Add the Configuration to Forward Logs
Add the following lines to forward log messages to the local syslog host on port 5000 using TCP:
# Forward all log messages to the local syslog host on port 5000 using TCP
*.* @@localhost:5000
In this configuration:
- *.* specifies that all log messages (any facility, any priority) should be forwarded.
- @@ indicates that TCP should be used (a single @ would indicate UDP).
- localhost:5000 is the address and port of the local syslog host.
2.3 Restart rsyslog
Restart rsyslog on the sending system to apply the changes:
sudo systemctl restart rsyslog
3. Verify the Configuration
To ensure that the configuration is working correctly:
3.1 Check the Logs on the Receiving System
Verify that the local syslog host is receiving logs on port 5000:
sudo tail -f /var/log/syslog
You should see logs from the sending system appearing in the local log file.
3.2 Test Log Forwarding
Generate some test log messages on the sending system and check if they appear on the receiving system:
logger "Test message for syslog forwarding"
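To see exactly what arrives on port 5000 before the real imtcp listener is in place, a minimal stand-in receiver is useful. This is an added example, not part of the original guide: it binds 127.0.0.1:5000, accepts one connection, splits the stream using rsyslog's default newline framing (octet-counted framing is handled too), and decodes each message's PRI header into facility and severity; the sample messages are constructed and the hostname "client" is a placeholder.

```python
import re
import socket
# Facility and severity names indexed by the syslog PRI fields (PRI = facility*8 + severity)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "security", "console", "solaris-cron"] + [f"local{n}" for n in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
OCTET_RE = re.compile(rb"(\d+) <")  # octet-counted frame: "<len> <PRI>..."

def split_frames(data: bytes) -> list:
    """Split a TCP stream into messages: LF-terminated (rsyslog's default) or octet-counted."""
    frames, i = [], 0
    while i < len(data):
        m = OCTET_RE.match(data, i)
        if m:  # "53 <86>..." means the next 53 bytes are one message
            length, start = int(m.group(1)), m.end() - 1
            frames.append(data[start:start + length])
            i = start + length
        else:  # plain message terminated by a newline (or by end of stream)
            nl = data.find(b"\n", i)
            end = len(data) if nl < 0 else nl
            if end > i:
                frames.append(data[i:end])
            i = end + 1
    return frames

def parse_message(raw: bytes) -> dict:
    """Decode the PRI header into facility/severity; the remainder is the body."""
    m = PRI_RE.match(raw.decode("utf-8", "replace"))
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"not a syslog message: {raw[:40]!r}")
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7], "body": m.group(2)}

# Constructed sample: what `logger "Test message for syslog forwarding"` sends (user.notice,
# PRI 13, LF-terminated), followed by an octet-counted authpriv.info message.
LOGGER_MSG = b"<13>Jan  5 10:00:00 client root: Test message for syslog forwarding\n"
SSHD_MSG = b"<86>Jan  5 10:00:01 client sshd[1234]: session opened"
SAMPLE_STREAM = LOGGER_MSG + b"%d " % len(SSHD_MSG) + SSHD_MSG

def serve(host="127.0.0.1", port=5000):
    """Stand-in for imtcp: accept one connection and print what the client forwarded."""
    with socket.create_server((host, port)) as srv:
        conn, peer = srv.accept()
        with conn:
            data = b"".join(iter(lambda: conn.recv(4096), b""))
    for msg in map(parse_message, split_frames(data)):
        print(f"{peer[0]} {msg['facility']}.{msg['severity']}: {msg['body']}")
if __name__ == "__main__":
    serve()
```

Run it on the receiving host (stop rsyslog's own listener first so port 5000 is free), then run the logger command on the client; each forwarded message is printed with its decoded facility and severity.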
4. Troubleshooting
If logs are not being forwarded as expected:
- Check Firewalls: Ensure that port 5000 is open on any firewalls between the sending and receiving systems.
- Verify Configuration: Double-check the rsyslog configuration files for syntax errors (rsyslogd -N1 parses the configuration without starting the daemon).
- Check Service Status: Ensure rsyslog is running on both systems:
sudo systemctl status rsyslog
- Review Logs: Look for errors in the rsyslog logs for more details on issues:
sudo tail -f /var/log/syslog
Summary
To direct log messages to a local syslog host on port 5000 using TCP:
- On the Local Syslog Host: Configure rsyslog to listen on port 5000 for TCP connections.
- On the Sending Syslog Client: Configure rsyslog to forward messages to the local syslog host on port 5000 using TCP.
- Verify and Troubleshoot: Check the logs to ensure that messages are being forwarded and received correctly.