This article explains how to connect the rsyslog service to Apsolab-Server. There are two options for forwarding logs: forward them “as is” and let Apsolab-Server parse the syslog data, or have rsyslog parse the data and send it using the Apsolab TAG protocol.

  1. Send raw syslog data to Apsolab-Server
  2. Send parsed data to Apsolab-Server

Send raw syslog data to Apsolab-Server

Configure Apsolab-Server to enable the syslog parser. Connect to Apsolab-Console as ‘root’ (the administrator), go to Administration/Settings, and open the Services tab. At the bottom there is a [syslog] section where you can configure one or more UDP ports; Apsolab-Server can listen for syslog data on several UDP ports at once. Each port has its own logger name, which is useful for controlling the log level (threshold) and for running search queries. The port syntax is: port[,port][,port], that is, port numbers separated by commas. Make sure your firewall and SELinux are configured accordingly. You do not have to restart Apsolab-Server, but make sure to click Apply Services.

Open the rsyslog.conf file in a text editor and add the following line at the end of the file:

*.* @127.0.0.1:10514

In this example, logs are forwarded to localhost on UDP port 10514 (a single @ before the address selects UDP). Change those values as appropriate.

To make your change effective, restart the rsyslog service.

From this point, you should see a new logger in Apsolab-Console (syslog-10514). You can control its log level from the Logger window.

Send parsed data to Apsolab-Server

Rsyslog can format data with a ‘template’ and send logs over a TCP channel. We will use this feature to forward logs with the Apsolab TAG protocol. Check your firewall and SELinux: they must allow access to TCP port 5472, or to whichever port you have set in the server configuration.

You can copy and paste the following lines into the rsyslog.conf file and make the appropriate changes. This information is also available under /opt/apsolab/latest/script/rsyslog. If you copy from this page, make sure the template is contained on a single line.

# Define Apsolab-Server Template. Note: replace localhost with host name in <loggername>.

$template xlogserver,"<xlog><loggertype>syslog</loggertype><category>system</category><loggername>rsyslog-localhost</loggername><threshold>info</threshold><rfc3339>%TIMESTAMP:::date-rfc3339%</rfc3339><syslogfacility>%syslogfacility%</syslogfacility><host>%HOSTNAME%</host><application>%APP-NAME%</application><pid>%PROCID%</pid><pri>%PRI%</pri><msg>%msg%</msg></xlog>\n"

# Connect with Apsolab-Server. Note: your host name and/or port number may be different.

*.* @@127.0.0.1:5472;xlogserver

IMPORTANT: The ‘loggername’ must be unique within the Apsolab-Server domain, so it is recommended to use something like ‘rsyslog-hostname’ as the logger name. Replace ‘hostname’ with the computer's real host name.

To make your change effective, restart the rsyslog service.
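The two lines above can also be generated with the host name already filled in, and a pasted rsyslog.conf can be checked for the mistakes this section warns about (a template split across lines, the placeholder logger name left in, UDP used instead of TCP). This is an added example, not the script shipped under /opt/apsolab/latest/script/rsyslog; the function names apsolab_snippet and apsolab_check are assumptions.

```shell
#!/bin/sh
# Added example, not Apsolab's script; function names are illustrative.

# Print the two rsyslog.conf lines for HOST, forwarding to SERVER:PORT over TCP.
apsolab_snippet() {
    host=$1 server=${2:-127.0.0.1} port=${3:-5472}
    # The name is embedded in the template, so accept host-name characters only.
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "invalid host name: '$host'" >&2; return 1 ;;
    esac
    # %s arguments are copied verbatim, so %msg% and the final \n stay literal.
    printf '$template xlogserver,"%s%s%s"\n' \
        '<xlog><loggertype>syslog</loggertype><category>system</category><loggername>rsyslog-' \
        "$host" \
        '</loggername><threshold>info</threshold><rfc3339>%TIMESTAMP:::date-rfc3339%</rfc3339><syslogfacility>%syslogfacility%</syslogfacility><host>%HOSTNAME%</host><application>%APP-NAME%</application><pid>%PROCID%</pid><pri>%PRI%</pri><msg>%msg%</msg></xlog>\n'
    printf '*.* @@%s:%s;xlogserver\n' "$server" "$port"
}

# Check a config file: template on one line, placeholder logger name replaced,
# and a TCP (@@) action bound to the template. Prints problems; returns 1 if any.
apsolab_check() {
    conf=$1 rc=0
    if ! grep -Eq '^\$template xlogserver,"<xlog>.*</xlog>\\n"[[:space:]]*$' "$conf"; then
        echo "template xlogserver is missing or split across lines"; rc=1
    fi
    if grep -q '<loggername>rsyslog-localhost</loggername>' "$conf"; then
        echo "loggername still contains the placeholder 'localhost'"; rc=1
    fi
    if ! grep -Eq '^[^#]*@@[^;[:space:]]+:[0-9]+;xlogserver[[:space:]]*$' "$conf"; then
        echo "no TCP (@@) forwarding action uses template xlogserver"; rc=1
    fi
    return "$rc"
}
```

For example, append the output of apsolab_snippet "$(hostname)" to rsyslog.conf and run apsolab_check on the file; rsyslogd -N1 then validates the whole configuration before the restart.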

 

Reference:

You can find template and forwarding examples in: http://www.rsyslog.com/doc/rsyslog_conf_examples.html