For more on the protocol: https://www.rsyslog.com/doc/master/configuration/modules/imrelp.html
For a client and a server to communicate over the RELP protocol (over TCP), both must have the corresponding library installed:
apt-get install rsyslog-relp
The server (i.e. the centralized collector of logs from other systems) must be configured to accept RELP connections over a TCP socket.
Edit /etc/rsyslog.conf to enable the RELP input module. For example, to listen on address 10.0.4.140, port 2514:
module(load="imrelp")
input(type="imrelp" address="10.0.4.140" port="2514" maxDataSize="10k" keepAlive="on")
Edit /etc/rsyslog.d/50-default.conf (or create another file inside /etc/rsyslog.d) to log received records somewhere locally:
$template customFormat,"%timegenerated:::date-rfc3339% <%pri-text%> %HOSTNAME% %syslogtag% %msg%\n"
local7.* -/var/log/local7.log;customFormat
The client must be configured to send log records to the RELP server.
Edit /etc/rsyslog.conf to enable the RELP output module. It may be helpful to also enable the mark module so that a heartbeat message is sent periodically to the server.
module(load="omrelp") # provides support for sending RELP messages (over TCP)
module(load="immark" interval="180") # provides --MARK-- message capability
Edit your actions inside /etc/rsyslog.d/50-default.conf (or somewhere inside /etc/rsyslog.d) to configure messages of some facility to be sent to the RELP server (assuming that an appropriate entry for rsyslog-server exists inside /etc/hosts):
# Send all messages of `local7` facility both to a local file and to a RELP server
local7.* -/var/log/local7.log
local7.* :omrelp:rsyslog-server:2514
If mark messages (module immark) are enabled, then you probably want these messages (they are logged under the syslog.info facility) to also be sent to the server:
local7.*,syslog.* :omrelp:rsyslog-server:2514
Log a message on your client, e.g.:
logger -p local7.info -t hello-world -s 'Hello World - 1'
The above message should show up in /var/log/local7.log on both the server and the client machine.
Each rsyslog instance (either client or server) uses only its locally configured templates to write log messages to its files. A formatting template present on the client has no effect on the transmitted record, which is completely unaware of it (it is just a message with certain fields described in the RELP protocol).
Usually, we care about formatting on the server (the collector), where messages are actually written to files. Use something like the following:
# Define a new template. For available placeholders (called properties here), see:
# https://www.rsyslog.com/doc/v8-stable/configuration/properties.html
$template customFormat,"%timegenerated:::date-rfc3339% <%pri-text%> %HOSTNAME% %syslogtag% %msg%\n"
For some predefined templates see:
https://www.rsyslog.com/doc/v8-stable/configuration/templates.html#reserved-template-names
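The heartbeat from immark is only useful if something on the collector notices when it stops. The following is an added example, not part of the original notes: it parses lines written with the customFormat template and reports hosts that have been silent for more than a few mark intervals. It assumes the collector writes every forwarded record (local7.* and the syslog.* mark messages) with customFormat; the function names, host names and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# One line as written by the customFormat template:
#   %timegenerated:::date-rfc3339% <%pri-text%> %HOSTNAME% %syslogtag% %msg%
# pri-text may carry the numeric PRI in brackets (e.g. local7.info<190>),
# so the pattern accepts it with or without that suffix.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) <(?P<pri>[a-z0-9]+\.[a-z]+)(?:<\d+>)?> "
    r"(?P<host>\S+) (?P<tag>\S+)\s*(?P<msg>.*)$"
)

def parse_line(line):
    """Split a customFormat line into fields; return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    try:
        # timegenerated is the receive time on the collector's own clock
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None
    return rec

def stale_hosts(lines, now, interval=180, missed=3):
    """Return {host: seconds since last record} for hosts silent longer than
    interval * missed. With immark at `interval` seconds, a healthy client
    produces at least one record per interval even when otherwise idle."""
    last = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            host, ts = rec["host"], rec["ts"]
            last[host] = max(ts, last.get(host, ts))
    limit = timedelta(seconds=interval * missed)
    return {h: int((now - ts).total_seconds())
            for h, ts in last.items() if now - ts > limit}

# Constructed sample of collector output, not real log data.
SAMPLE = """\
2024-05-01T10:00:00.000000+00:00 <syslog.info<46>> web1 rsyslogd: -- MARK --
2024-05-01T10:00:05.000000+00:00 <local7.info<190>> db1 hello-world: Hello World - 1
2024-05-01T10:09:00.000000+00:00 <syslog.info<46>> web1 rsyslogd: -- MARK --
garbage line
"""
SAMPLE_NOW = datetime.fromisoformat("2024-05-01T10:12:00+00:00")

if __name__ == "__main__":
    print(stale_hosts(SAMPLE.splitlines(), SAMPLE_NOW))
```

%HOSTNAME% is taken from the received message, so this check detects a client that has gone quiet, not one that is misreporting its name.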
Thank you so much!