The order of the stanzas matters, and you need to bind your rule sets to your listeners:
http://www.rsyslog.com/storing-and-forwarding-remote-messages/

I have basically the same exact thing set up and it is working fine; here's my config:

# ######### Modules #########
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
# TCP Syslog Server:
$ModLoad imtcp
# Input plugin for the RELP protocol.
$ModLoad imrelp
# Output plugin for the RELP protocol.
$ModLoad omrelp
# UDP Syslog Server:
$ModLoad imudp

# ######### Global directives #########
# Display FQDN in logs
$PreserveFQDN on

# ######### Templates ##########
$template RemoteHost,"/logs/rsyslog/%FROMHOST%/syslog.log"

# ######### Rulesets ##########
# Local Logging
$RuleSet local
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
$DefaultRuleset local

# Remote Logging
$RuleSet remote
*.* ?RemoteHost

# ######### Listeners ##########
# bind ruleset to tcp listener
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514
# bind ruleset to RELP listener
$InputRELPServerBindRuleset remote
$InputRELPServerRun 2514
# bind ruleset to udp listener
$InputUDPServerBindRuleset remote
$UDPServerAddress *
$UDPServerRun 514

On Wed, Oct 24, 2012 at 3:18 PM, John Inama <[email protected]> wrote:
> I'm having a problem configuring a central logging server with rsyslog on
> CentOS 6.3. It's set to accept incoming logs on UDP port 514 and TCP port
> 10514.
> Right now I have all logs, including local server logs, going to the
> same log file to confirm that my templates are working. SELinux is set to
> Permissive and I have iptables set with incoming rules for both UDP port
> 514 and TCP port 10514.
>
> I have two machines currently set to send logs to the central server. One
> is a production server running CentOS 5.7 and using syslog (not rsyslog).
> The other is my desktop running Ubuntu 12.04.1 using rsyslog. The server is
> using UDP and my desktop is using TCP.
>
> Tcpdump shows that the logs are being sent from both machines to the
> central server, but from there the logs aren't being processed by rsyslog.
> I've tried everything I could find on the documentation with no success.
>
> If anyone can help with this, let me know. I can send any config files you
> need. Here is my rsyslog.conf file from the server:
>
> #### MODULES ####
>
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> $ModLoad imklog # provides kernel logging support (previously done by rklogd)
> #$ModLoad immark # provides --MARK-- message capability
>
> # Provides UDP syslog reception
> $ModLoad imudp
> $UDPServerAddress *
> $UDPServerRun 514
>
> $ModLoad imtcp
> $InputTCPServerRun 10514
>
> # Include all config files in /etc/rsyslog.d/
> $IncludeConfig /etc/rsyslog.d/*.conf
>
> # Templates
>
> $template TestFileLoc,"/logging/test/%$now%.log"
> $template TestFileFormat,"%timestamp% %syslogfacility-text% %syslogseverity-text% %msg% \n"
>
> #### RULES ####
>
> # test to dump everything to template location
>
> *.* ?TestFileLoc;TestFileFormat
>
> # Log all kernel messages to the console.
> # Logging much else clutters up the screen.
> #kern.* /dev/console
>
> # Log anything (except mail) of level info or higher.
> # Don't log private authentication messages!
> *.info;mail.none;authpriv.none;cron.none /var/log/messages
>
> # The authpriv file has restricted access.
> authpriv.* /var/log/secure
>
> # Log all the mail messages in one place.
> mail.* -/var/log/maillog
>
>
> # Log cron stuff
> cron.* /var/log/cron
>
> # Everybody gets emergency messages
> *.emerg *
>
> # Save news errors of level crit and higher in a special file.
> uucp,news.crit /var/log/spooler
>
> # Save boot messages also to boot.log
> local7.* /var/log/boot.log
>
> Thanks,
> John
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.

--
Augie Schwer - [email protected] - http://schwer.us
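
An added example (not from this thread or from the rsyslog project): a small Python check for the point made in the reply, that in legacy-format config a listener only feeds a ruleset whose bind directive comes before it. The sample configs are constructed from directives quoted in the thread, and the check assumes a bind directive stays in effect for later listeners of the same input module.

```python
import re

# Legacy listener directives mapped to the bind directive that must precede them.
LISTENERS = {
    "$inputtcpserverrun": "$inputtcpserverbindruleset",
    "$inputrelpserverrun": "$inputrelpserverbindruleset",
    "$udpserverrun": "$inputudpserverbindruleset",
}

def audit_bindings(conf_text):
    """Return one (line_no, directive, port, ruleset, problem) tuple per listener."""
    defined, bound, findings = set(), {}, []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"(\$\w+)\s+(\S+)", raw.split("#", 1)[0].strip())
        if not m:
            continue  # selector lines, comments, blanks
        directive, arg = m.group(1).lower(), m.group(2)
        if directive == "$ruleset":
            defined.add(arg)
        elif directive in LISTENERS.values():
            bound[directive] = arg  # assumption: stays in effect for later listeners
        elif directive in LISTENERS:
            ruleset = bound.get(LISTENERS[directive])
            problem = None
            if ruleset is None:
                problem = "no bind directive before listener; default ruleset applies"
            elif ruleset not in defined:
                problem = "bound ruleset is not defined earlier in the file"
            findings.append((line_no, m.group(1), arg, ruleset, problem))
    return findings

# Constructed samples built from directives quoted in the thread.
BOUND = """$RuleSet remote
*.* ?RemoteHost
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514
"""
UNBOUND = """$UDPServerRun 514
$InputTCPServerRun 10514
"""
MISORDERED = """$RuleSet remote
$InputTCPServerRun 514
$InputTCPServerBindRuleset remote
"""
if __name__ == "__main__":
    for name, conf in (("BOUND", BOUND), ("UNBOUND", UNBOUND), ("MISORDERED", MISORDERED)):
        for line_no, directive, port, ruleset, problem in audit_bindings(conf):
            print(f"{name}:{line_no} {directive} {port} -> {ruleset or 'default'} ({problem or 'ok'})")
```

A listener reported as unbound is not necessarily broken: its messages are processed by the default ruleset, which is the behaviour to confirm is intended.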

