In large server deployments it is quite helpful to run a remote syslogd, so that syslog entries are sent over the network (UDP or TCP) rather than kept only on the local disk. This allows a central server to monitor a fleet of servers by receiving all of their log entries. It is a standard Linux feature set, and FMADIO Packet Capture devices support it as follows:
Copy the default syslogd.conf to /opt/fmadio/etc/
sudo cp /etc/syslogd.conf /opt/fmadio/etc/
Then edit the file as follows, replacing the destination IP (192.168.1.100 in the example) with the address of the log server in your own environment:
# rsyslog configuration file (fmadio default)
#### MODULES ####
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
module(load="immark") # provides --MARK-- message capability
# Provides UDP syslog reception
# for parameters see https://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")
# Provides TCP syslog reception
# for parameters see https://www.rsyslog.com/doc/imtcp.html
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")
#### GLOBAL DIRECTIVES ####
template(name="facility_priority" type="list") {
property(name="syslogfacility-text")
constant(value=".")
property(name="syslogpriority-text")
}
set $!facility_priority = exec_template("facility_priority");
template(name="syslog_fmadio" type="list") {
property(name="timereported" dateFormat="year")
constant(value=".")
property(name="timereported" dateFormat="month")
constant(value=".")
property(name="timereported" dateFormat="day")
constant(value="-")
property(name="timereported" dateFormat="hour")
constant(value=":")
property(name="timereported" dateFormat="minute")
constant(value=":")
property(name="timereported" dateFormat="second")
constant(value=".")
property(name="timereported" dateFormat="subseconds")
constant(value=" ")
constant(value="(")
property(name="timereported" dateFormat="tzoffsdirection")
property(name="timereported" dateFormat="tzoffshour")
constant(value=":")
property(name="timereported" dateFormat="tzoffsmin")
constant(value=") | ")
property(name="hostname")
constant(value=" | ")
property(name="$!facility_priority" position.to="16" fixedwidth="on")
constant(value="| ")
property(name="programname" position.to="10" fixedwidth="on")
constant(value="|")
property(name="msg" spifno1stsp="on")
property(name="msg" droplastlf="on")
constant(value="\n")
}
# Use default timestamp format
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionFileDefaultTemplate syslog_fmadio
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
#$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.err /dev/console
# log everything to disk
*.* /mnt/store0/log/messages
# remote host is TCP: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@192.168.1.100:514
In the above example all syslog log entries are also written to a server at 192.168.1.100 over TCP on port 514.
For UDP on port 514 use the following setting instead (a single @ selects UDP, a double @@ selects TCP):
# remote host is UDP: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @192.168.1.100:514
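Before restarting the daemon it is worth checking which transport each rule actually selects, since the only difference between TCP and UDP forwarding in this syntax is one extra @ character, and UDP delivery is unacknowledged (a dropped datagram is simply lost). The following Python is an added illustration written for this page, not FMADIO's or rsyslog's own code: it reads classic selector/action lines like the ones above, classifies each action as TCP, UDP or a local file, applies the page's "port optional, defaults to 514" rule, and flags UDP forwarding and lines that try to use // as a comment (rsyslog and syslogd use # for comments). The sample rule text and the host name logcollector.example.net are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Action:
    lineno: int
    selector: str            # e.g. "*.*" or "kern.err"
    kind: str                # "tcp", "udp" or "file"
    target: str              # remote host or local path
    port: Optional[int]      # None for file actions


def parse_action(selector: str, action: str, lineno: int = 0) -> Action:
    """Classify one classic-syntax action field (@@host:port, @host:port or a path)."""
    if action.startswith("@@"):
        kind, rest = "tcp", action[2:]
    elif action.startswith("@"):
        kind, rest = "udp", action[1:]
    else:
        return Action(lineno, selector, "file", action, None)
    # The host may be a name or an IP; ":port" is optional and defaults to 514.
    if rest.startswith("["):                       # bracketed IPv6 literal, e.g. [::1]:514
        host, _, port = rest[1:].partition("]")
        port = port.lstrip(":")
    else:
        host, _, port = rest.partition(":")
    return Action(lineno, selector, kind, host, int(port) if port else 514)


def audit_rules(config_text: str) -> Tuple[List[Action], List[str]]:
    """Return (actions, warnings) for every rule line in a classic rsyslog/syslogd config."""
    actions: List[Action] = []
    warnings: List[str] = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                               # blank line or comment
        if line.startswith("//"):
            warnings.append(f"line {n}: '//' does not start a comment in rsyslog/syslogd, use '#'")
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            warnings.append(f"line {n}: not a selector/action pair: {line!r}")
            continue
        act = parse_action(parts[0], parts[1].strip(), n)
        actions.append(act)
        if act.kind == "udp":
            warnings.append(f"line {n}: UDP forwarding to {act.target}:{act.port} is "
                            "unacknowledged; dropped datagrams are lost silently")
    return actions, warnings


# Constructed sample rules section (mirrors the layout used on this page).
SAMPLE_RULES = """\
# Log all kernel messages to the console.
kern.err /dev/console
# log everything to disk
*.* /mnt/store0/log/messages
# remote host is TCP: name/ip:port, port optional
*.* @@192.168.1.100:514
# second collector over UDP, default port
*.* @logcollector.example.net
"""

if __name__ == "__main__":
    found, notes = audit_rules(SAMPLE_RULES)
    for a in found:
        print(f"line {a.lineno}: {a.selector} -> {a.kind} {a.target}"
              + (f":{a.port}" if a.port else ""))
    for w in notes:
        print("WARNING", w)
```

Run it against the real file with `audit_rules(open("/opt/fmadio/etc/syslogd.conf").read())` to confirm that the collector you intended is reached over the transport you intended before the device is put back into service.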
It is the standard syslogd from the inted package; additional customization can be done if required. Example syslog output is as follows:
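As an added example (not FMADIO's code), the Python below renders a record in the syslog_fmadio template format defined above and parses such a line back into its fields, the way a central collector would. The layout follows the template field by field: year.month.day-hour:minute:second.subseconds, the (+HH:MM) zone offset, hostname, facility.priority padded to 16 columns, programname padded to 10 columns, then the message with the spifno1stsp leading space and the trailing line feed dropped by droplastlf. Two assumptions are labelled in the code: subseconds are rendered as six digits, and position.to with fixedwidth both truncates and pads. The host names, program names and messages are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Record:
    timereported: datetime   # must be timezone-aware
    hostname: str
    facility: str            # rsyslog syslogfacility-text, e.g. "auth"
    priority: str            # rsyslog syslogpriority-text, e.g. "info"
    programname: str
    msg: str


def _fixed(value: str, width: int) -> str:
    # Assumed behaviour of position.to="N" fixedwidth="on": keep the first N
    # characters and pad with spaces up to N.
    return value[:width].ljust(width)


def render(rec: Record) -> str:
    """Produce one line laid out exactly as the syslog_fmadio template does."""
    ts = rec.timereported
    secs = int((ts.utcoffset() or timedelta(0)).total_seconds())
    direction = "-" if secs < 0 else "+"                          # tzoffsdirection
    secs = abs(secs)
    tz = f"{direction}{secs // 3600:02d}:{secs % 3600 // 60:02d}"  # tzoffshour:tzoffsmin
    # Assumption: "subseconds" is rendered as six digits (microseconds).
    stamp = ts.strftime("%Y.%m.%d-%H:%M:%S") + f".{ts.microsecond:06d}"
    msg = rec.msg[:-1] if rec.msg.endswith("\n") else rec.msg    # droplastlf
    lead = "" if msg.startswith(" ") else " "                    # spifno1stsp
    return (f"{stamp} ({tz}) | {rec.hostname} | "
            f"{_fixed(rec.facility + '.' + rec.priority, 16)}| "
            f"{_fixed(rec.programname, 10)}|{lead}{msg}\n")


_LINE = re.compile(
    r"^(?P<stamp>\d{4}\.\d{2}\.\d{2}-\d{2}:\d{2}:\d{2})\.(?P<frac>\d+) "
    r"\((?P<sign>[+-])(?P<tzh>\d{2}):(?P<tzm>\d{2})\) \| (?P<host>\S+) \| "
    r"(?P<facpri>.{16})\| (?P<prog>.{10})\|(?P<msg>.*)$"
)


def parse(line: str) -> Record:
    """Recover the fields from a syslog_fmadio line (the inverse of render)."""
    m = _LINE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not a syslog_fmadio line: {line!r}")
    offset = timedelta(hours=int(m["tzh"]), minutes=int(m["tzm"]))
    if m["sign"] == "-":
        offset = -offset
    ts = datetime.strptime(m["stamp"], "%Y.%m.%d-%H:%M:%S").replace(
        microsecond=int(m["frac"][:6].ljust(6, "0")), tzinfo=timezone(offset))
    facility, _, priority = m["facpri"].strip().partition(".")
    msg = m["msg"]
    if msg.startswith(" "):        # undo the single space added by spifno1stsp
        msg = msg[1:]
    return Record(ts, m["host"], facility, priority, m["prog"].strip(), msg)


def roundtrip(rec: Record) -> bool:
    """True when a record survives render() followed by parse() unchanged."""
    return parse(render(rec)) == rec


# Constructed sample records (hostnames, programs and messages are made up).
SAMPLE = Record(datetime(2024, 1, 15, 10, 30, 45, 123456, tzinfo=timezone.utc),
                "fmadio-01", "auth", "info", "sshd",
                "Accepted publickey for admin from 10.0.0.5")
# Long program name (truncated to 10 columns), negative zone offset, trailing LF.
SAMPLE_LONG = Record(datetime(2024, 1, 15, 5, 30, 45, 0, tzinfo=timezone(timedelta(hours=-5))),
                     "fmadio-02", "daemon", "notice", "systemd-journald",
                     "Journal started\n")

if __name__ == "__main__":
    for rec in (SAMPLE, SAMPLE_LONG):
        line = render(rec)
        print(line, end="")
        print("  parsed:", parse(line))
```

The parser is deliberately strict about the two fixed-width columns: a line whose facility.priority or programname column is not exactly 16 or 10 characters wide is rejected rather than guessed at, which is the behaviour you want on a collector that alerts on log tampering or misconfiguration. Note that a program name longer than 10 characters is truncated by the template and cannot be recovered from the line.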