To set up remote logging to a central syslog server, add a forwarding rule like the following to the syslog daemon's configuration (the legacy selector/action syntax shown here is the one rsyslog understands; syslog-ng uses a different format):

*.* @loghost.foobar.com:514

This forwards over UDP.  Note the single @ sign.  To forward over TCP instead, use a double @@:

*.* @@loghost.foobar.com:514

*.* is the selector, written as facility.severity (the severity is also called the priority).  A * in either position matches everything, so this rule sends every log entry to the remote server; a narrower selector such as auth,authpriv.* forwards only those facilities.  The :514 port suffix is optional.  Syslog uses port 514 by default for both UDP and TCP, but the server may be configured to listen on another port.  Note that the receiving daemon does not accept network input out of the box; it has to be told to listen (in rsyslog, by loading the imudp or imtcp module).  If no messages show up on the central log host, verify that the port is open on any firewall in the path and confirm that packets are actually reaching the log host with tcpdump (this filter matches both UDP and TCP):

sudo /usr/sbin/tcpdump -n -v dst port 514

With @@ the syslog daemon opens one TCP connection to the log host and keeps streaming log entries over that session, so every segment is acknowledged and retransmitted if it is lost.  UDP gives none of that.  A datagram dropped by a congested link or by a full receive buffer on the log host is simply gone, with no error reported to the sender, and datagrams may arrive out of order.  UDP also has no congestion control, so a client that spams a ton of messages can flood the link.  A datagram corrupted on the wire is caught by the UDP checksum and discarded, which again means silent loss rather than a garbled entry.  These conditions are rare on a healthy LAN, but they do happen.  Use TCP whenever possible.  If you know your network equipment is reliable (no broadcast storms and the like) and you need every ounce of CPU out of your systems, UDP is good enough.

Two caveats apply to both transports.  Plain TCP syslog is not lossless either: entries already handed to the kernel's socket buffer are lost if the connection drops, and anything logged while the log host is unreachable is discarded unless the daemon queues it (rsyslog's action queues can spool to disk for this).  And neither transport authenticates or encrypts anything, so anyone on the path can read the log stream and any host that can reach port 514 can inject forged entries.  Restrict which source addresses the log host accepts, and use TLS (which rsyslog supports) when logs cross an untrusted network.
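The following script is an added example, not code from the original post.  It ties together the two points above: it parses legacy forwarding rules (single @ for UDP, @@ for TCP, port defaulting to 514), evaluates facility.severity selectors the way sysklogd does, builds a BSD-syslog line with the PRI value (facility * 8 + severity), and then sends that line over UDP or TCP to a listener on 127.0.0.1 so you can see the framing difference and confirm delivery before pointing the real daemon at a log host.  The hostname web01, the sshd tag and the log text are constructed sample data; the loopback listener stands in for the log host and uses an ephemeral port instead of 514.

```python
"""Legacy syslog forwarding, as an added example (not from the original post):
parse '@host' / '@@host' rules, evaluate selectors, build an RFC 3164 line,
and send it over UDP or TCP to a local listener to confirm delivery."""
import re
import socket
import threading
from datetime import datetime

# Facility and severity codes from RFC 3164 (PRI = facility * 8 + severity).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

RULE_RE = re.compile(r"^(?P<sel>\S+)\s+(?P<at>@@?)(?P<host>\[[^\]]+\]|[^:\s]+)(?::(?P<port>\d+))?$")


def parse_forward_rule(line):
    """'<selector> @host[:port]' forwards over UDP, '@@host[:port]' over TCP.
    The port is optional and defaults to 514 for both transports."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a forwarding rule: %r" % line)
    return {"selector": m.group("sel"),
            "proto": "tcp" if m.group("at") == "@@" else "udp",
            "host": m.group("host").strip("[]"),
            "port": int(m.group("port") or 514)}


def selector_matches(selector, facility, severity):
    """Does a selector (parts split by ';', facilities by ',', '*' wildcard)
    cover this message?  As in sysklogd, each part sets the level for the
    facilities it names, a named severity also matches every more urgent one,
    and 'none' excludes the facility.  rsyslog's '=' / '!' modifiers are
    not handled here."""
    matched = False
    for part in selector.split(";"):
        facs, sev = part.rsplit(".", 1)
        facs = facs.split(",")
        if "*" not in facs and facility not in facs:
            continue
        matched = sev != "none" and (sev == "*" or SEVERITIES[severity] <= SEVERITIES[sev])
    return matched


def build_message(facility, severity, hostname, tag, text, when=None):
    """Encode one BSD-syslog line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    when = when or datetime.now()
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, text)


def decode_pri(line):
    """Recover (facility, severity) names from the leading <PRI> of a line."""
    pri = int(line[1:line.index(">")])
    fac = {v: k for k, v in FACILITIES.items()}[pri // 8]
    sev = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return fac, sev


def send_message(msg, host, port, proto):
    data = msg.encode()
    if proto == "udp":
        # One datagram per message: no framing and no acknowledgement.  If the
        # receiver is down or the datagram is dropped, the entry is simply lost.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    else:
        # TCP is a byte stream, so each message needs a delimiter; the legacy
        # convention (rsyslog's default for @@) is a trailing LF.
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data + b"\n")


def loopback_check(rule_line, msg):
    """Listen on 127.0.0.1 with the rule's transport, send one message to it,
    and return the raw bytes received (b'' if nothing arrived within 3 s)."""
    rule = parse_forward_rule(rule_line)
    kind = socket.SOCK_DGRAM if rule["proto"] == "udp" else socket.SOCK_STREAM
    srv = socket.socket(socket.AF_INET, kind)
    srv.bind(("127.0.0.1", 0))          # ephemeral port stands in for 514
    srv.settimeout(3)
    if kind == socket.SOCK_STREAM:
        srv.listen(1)                   # listen before the client connects
    port = srv.getsockname()[1]
    received = []

    def serve():
        try:
            if kind == socket.SOCK_DGRAM:
                received.append(srv.recv(65535))
            else:
                conn, _ = srv.accept()
                with conn:
                    conn.settimeout(3)
                    received.append(conn.recv(65535))
        except socket.timeout:
            pass
        finally:
            srv.close()

    t = threading.Thread(target=serve)
    t.start()
    send_message(msg, "127.0.0.1", port, rule["proto"])
    t.join()
    return received[0] if received else b""


if __name__ == "__main__":
    # Constructed sample entry; hostname, tag and text are made up.
    msg = build_message("auth", "warning", "web01", "sshd[4242]",
                        "Failed password for root from 203.0.113.7 port 51234 ssh2")
    for rule in ("*.* @loghost.foobar.com", "*.* @@loghost.foobar.com:514"):
        r = parse_forward_rule(rule)
        print(rule, "->", r, "| selected:", selector_matches(r["selector"], "auth", "warning"))
        print("   received:", loopback_check(rule, msg))
```

Run it and compare the two received values: the UDP datagram is exactly the message, while the TCP stream carries the same bytes plus the LF delimiter the receiver needs to find message boundaries.  To test against a real log host, swap the 127.0.0.1 listener for the rule's host and port and watch with the tcpdump filter above; with UDP a message that never arrives produces no error on the sending side at all.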
