After looking around at many how-tos on using rsyslog to capture log entries from a client to a central logger, I wanted to document my simple configuration for myself. What follows is a simple step list for two computers (an AppServer and a LogServer), both running Ubuntu and logging to a MySQL database. My reason for logging to MySQL is to run LogAnalyzer later.
The Setup of the rsyslog server
First install rsyslog and get it logging to your local MySQL database for verification of rules being handled correctly. For Ubuntu 10.10 you can use the following command to get your packages installed:
Disable your stock syslogd from your /etc/rc.* directories. In case the MySQL tables are not installed, you can build them from:
Editing the rsyslog.conf file
To get rsyslog up and running, most of our edits are in the rsyslog.conf file. Grant some access on the database called Syslog and keep the details for later steps. Enable the output module in your rsyslog.conf file:
Restart rsyslog, then do something that will generate a log entry (I usually ssh to the local host and type in a bad password). Go back to your MySQL database and check that the log entries are showing up in your table.
Log in to MySQL:
Then run your SQL statement to find the records:
Setting up a remote client for logging to the rsyslog server
Repeat the same steps as for the server and make sure that rsyslog is working correctly on the client. Create a directory for rsyslog to use when the rsyslog server is unavailable (I chose /var/spool/rsyslog-work). Then add the following to your rsyslog.conf file:
Restart the rsyslog service. Test that you can reach the rsyslog server on port 514 by using telnet (or some other method you prefer). You should be good to go!
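The two sides of the setup described above, as an added example that is not the original post's configuration. It uses rsyslog's legacy directive syntax; the host name logserver.example.com, the database user rsyslog, the password CHANGE_ME and the queue file name fwdq are assumed placeholders, and only the database name Syslog and the spool directory come from the text.

```conf
# ---- LogServer: /etc/rsyslog.conf ----
# Accept syslog over TCP on port 514 (the port the telnet test targets).
$ModLoad imtcp
$InputTCPServerRun 514

# Write every message to the MySQL database named Syslog.
# Format: :ommysql:<db host>,<db name>,<db user>,<db password>
# "rsyslog" and CHANGE_ME are placeholders. The password sits here in
# clear text, so the file must not be world-readable, and the database
# account should hold only the rights needed to insert log rows.
$ModLoad ommysql
*.* :ommysql:localhost,Syslog,rsyslog,CHANGE_ME

# ---- AppServer: /etc/rsyslog.conf ----
# Spool directory used while the LogServer is unreachable. If rsyslogd
# drops privileges to a non-root user, that user must be able to write here.
$WorkDirectory /var/spool/rsyslog-work

# Queue directives apply to the next action only, so they must appear
# before the forwarding rule below.
$ActionQueueType LinkedList        # in-memory queue, grows on demand
$ActionQueueFileName fwdq          # setting a file name makes it disk-assisted
$ActionQueueMaxDiskSpace 1g        # cap spool usage on the AppServer
$ActionQueueSaveOnShutdown on      # keep queued messages across restarts
$ActionResumeRetryCount -1         # retry forever instead of discarding

# Forward everything to the LogServer. "@@" means TCP; a single "@" is UDP.
# logserver.example.com is a placeholder host name.
*.* @@logserver.example.com:514
```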
In case you run into trouble, I have had some good information provided back to me by launching rsyslogd with the debugging command:
This has helped me find out where problems are with rsyslogd. Just recently, I noticed a problem where rsyslogd could not establish a port. After some Google queries I found out that sometimes there is a problem with rsyslogd dropping down to a user from the root account. I disabled the feature to drop down to a user account and the debug printout showed that rsyslogd established the port.