2017-10-16 03:33 PM
More of a question to get different views on syslog relay configurations, so I will start with what works in my lab. I use an rsyslog config on a CentOS 7 server as a central place to send syslog to, and then send a copy of the logs to multiple logging environments on different versions so that the same live logs are in all environments.
Helps with testing and development for my uses.
Here is the rsyslog configuration on the CentOS 7 box, with the format that keeps the original sender IP so that the decoder service captures it as the source rather than the relay server (thanks to wRAlmdLu8uOnkbiouAPmB5mqnlFr6baANOTo7eT0Oa4= for the format string).
Stored in a new file in /etc/rsyslog.d/ (a single @ sends UDP, @@ sends TCP):
# start a UDP listener for the remote router
$PreserveFQDN on
$ModLoad imudp # load UDP server plugin
#$AllowedSender UDP, 192.0.2.1 # permit only the router
$UDPServerRun 514 # listen on default syslog UDP port 514
$EscapeControlCharactersOnReceive off
# this is needed for snare, but doesn't hurt anything by being there
$template NWLDfmt,"[][][%FROMHOST-IP%][%timestamp:::date-unixtimestamp%][] %rawmsg%\n"
*.* @192.168.x.y:514;NWLDfmt
*.* @192.168.x.z:514;NWLDfmt
Does anyone else have useful rsyslog or syslog-ng relay configurations that can be shared with the community?
2017-10-16 03:37 PM
If using rsyslog post version 8.17, you should be using the template:
$template NWLDfmt,"[][][%FROMHOST-IP%][%timestamp:::date-unixtimestamp%][] %rawmsg-after-pri%\n"
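To make the two template variants in this thread concrete, here is an added Python example (not code from either poster, and not part of rsyslog or the decoder) that emulates what the relay emits for one received message under %rawmsg% versus %rawmsg-after-pri%, then parses the bracketed header back so a downstream consumer can recover the original sender IP (FROMHOST-IP) and the unix timestamp rather than the relay's address. The sample router message, the sender IP 192.0.2.1 and the timestamp are constructed for the example; the function names render_nwld, strip_pri and parse_nwld are hypothetical helpers, not rsyslog properties.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Header produced by the NWLDfmt template shown in the thread:
# "[][][%FROMHOST-IP%][%timestamp:::date-unixtimestamp%][] <payload>"
HEADER_RE = re.compile(
    r"^\[\]\[\]\[(?P<fromhost>[^\]]*)\]\[(?P<ts>\d+)\]\[\] (?P<payload>.*)$"
)

# Syslog PRI field "<N>", N = facility*8 + severity, valid range 0..191.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")


@dataclass
class RelayedMessage:
    fromhost_ip: str   # original sender, as preserved by %FROMHOST-IP%
    unix_ts: int       # %timestamp:::date-unixtimestamp%
    payload: str       # whatever the template placed after the header


def strip_pri(rawmsg: str) -> str:
    """Emulate %rawmsg-after-pri%: drop a leading <PRI> tag if one is present.

    Hypothetical emulation for illustration; rsyslog does this internally.
    """
    m = PRI_RE.match(rawmsg)
    if m and int(m.group("pri")) <= 191:
        return rawmsg[m.end():]
    return rawmsg


def render_nwld(fromhost_ip: str, unix_ts: int, rawmsg: str, after_pri: bool) -> str:
    """Emulate the NWLDfmt output line for one received message.

    after_pri=False mirrors the %rawmsg% template (PRI stays in the payload),
    after_pri=True mirrors the %rawmsg-after-pri% template recommended for
    rsyslog after 8.17 in the thread.
    """
    body = strip_pri(rawmsg) if after_pri else rawmsg
    return f"[][][{fromhost_ip}][{unix_ts}][] {body}"


def parse_nwld(line: str) -> Optional[RelayedMessage]:
    """Parse one relayed line back into its parts; None if it is not NWLDfmt."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return RelayedMessage(
        fromhost_ip=m.group("fromhost"),
        unix_ts=int(m.group("ts")),
        payload=m.group("payload"),
    )


# Constructed sample: a message as a router might send it to the relay.
SAMPLE_RAW = (
    "<134>Oct 16 15:33:00 edge-router %SEC-6-IPACCESSLOGP: "
    "list 101 denied tcp 203.0.113.5(4444) -> 192.0.2.10(22), 1 packet"
)
SAMPLE_SENDER = "192.0.2.1"      # constructed original sender IP
SAMPLE_TS = 1508168000           # constructed unix timestamp


if __name__ == "__main__":
    for after_pri in (False, True):
        line = render_nwld(SAMPLE_SENDER, SAMPLE_TS, SAMPLE_RAW, after_pri)
        msg = parse_nwld(line)
        print(f"after_pri={after_pri}: sender={msg.fromhost_ip} payload={msg.payload[:30]!r}")
```

Running the block shows the only difference between the two templates is whether the leading `<134>` survives into the payload; in both cases the header still carries 192.0.2.1, the original sender, which is exactly what lets the decoder attribute the event to the router instead of the relay.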