Configure Rsyslog to use RELP for remote logging. #rsyslog #relp #logging

README-rsyslog-with-relp.md

README - Logging to Rsyslog with RELP

For more on the protocol: https://www.rsyslog.com/doc/master/configuration/modules/imrelp.html

Prerequisites

For client/server to communicate over RELP protocol (over TCP), both should have the corresponding library present:

apt-get install rsyslog-relp

Configure server

The server (i.e the centralized collector of logs of other systems) must be configured to accept RELP connections over a TCP socket.

Edit /etc/rsyslog.conf to enable RELP input module. For example, to listen on address 10.0.4.140 port 2514:

module(load="imrelp")
input(type="imrelp" address="10.0.4.140" port="2514" maxDataSize="10k" keepAlive="on")

Edit /etc/rsyslog.d/50-default.conf (or create another file inside /etc/rsyslog.d) to log received records somewhere locally:

$template customFormat,"%timegenerated:::date-rfc3339% <%pri-text%> %HOSTNAME% %syslogtag% %msg%\n"

local7.*			-/var/log/local7.log;customFormat

Configure client

The client must be configured to send log records to the RELP server.

Edit /etc/rsyslog.conf to enable RELP output module. It may be helpful to also enable mark module so that a heartbeat message is sent periodically to the server.

module(load="omrelp") # provides support for sending RELP messages (over TCP)
module(load="immark" interval="180")  # provides --MARK-- message capability

Edit your actions inside /etc/rsyslog.d/50-default.conf (or somewhere inside /etc/rsyslog.d) to configure messages of some facility to be sent the RELP server (say that an appropriate entry for rsyslog-server exists inside /etc/hosts):

# Send all messages of `local7` facility both to a local file and to a RELP server 
local7.*                        -/var/log/local7.log
local7.*                        :omrelp:rsyslog-server:2514

If mark messages (module immark) are enabled, then you probably want these messages (are logged under syslog.info facility) to also be sent to the server:

local7.*,syslog.*                        :omrelp:rsyslog-server:2514

Test

Log a message to your client, eg:

logger -p local7.info -t hello-world -s 'Hello World - 1'

The above message should show up under /var/log/local7.log at both server's and client's machine.

A note on formatting templates

Each rsyslog instance (either client or server) will use only it's locally configured templates to write log messages to its files. A formatting template present on the client has no effect on the transmitted record which is completely unaware of it (it s just a message with certain fields described in RELP protocol).

Usually, we care about formatting on the server (the collector) where messages actually are written to files. Use something like the following:

# Define a new template. For available placeholders (called properties here), see:
# https://www.rsyslog.com/doc/v8-stable/configuration/properties.html
$template customFormat,"%timegenerated:::date-rfc3339% <%pri-text%> %HOSTNAME% %syslogtag% %msg%\n"

For some predefined templates see:

https://www.rsyslog.com/doc/v8-stable/configuration/templates.html#reserved-template-names

Hello, doesn't work...

Hi! Adjust the settings on the Configure server:
input(type="imrelp" port="2514" maxDataSize="10k")
https://www.rsyslog.com/doc/master/configuration/modules/imrelp.html

Hi! Adjust the settings on the Configure server:
input(type="imrelp" port="2514" maxDataSize="10k")
https://www.rsyslog.com/doc/master/configuration/modules/imrelp.html

Thank you so much!