Rsyslog Standalone Notes - connorethanjay/Champlain-College-CNCS-Notes GitHub Wiki
Rsyslog Notes
To install rsyslog (if it is not already installed), use your package manager, e.g. yum install rsyslog or dnf install rsyslog (requires sudo/root access).
To enable reception of UDP and/or TCP syslog messages, you must uncomment (remove the # symbols from) the UDP or TCP reception lines in the rsyslog server's configuration (/etc/rsyslog.conf). An example below is a syslog server with both UDP and TCP enabled.
To check that rsyslog is listening, use netstat, optionally with the -tupan options (-t and -u display TCP and UDP sockets, -p shows protocol statistics, -a displays all active connections and listening sockets, and -n shows numeric IP addresses and ports instead of resolving names), and grep for port 514 (the syslog port).
To configure an rsyslog client (the client must also have rsyslog installed), create a .conf file in /etc/rsyslog.d/ containing user.notice @xxx.xxx.xxx.xxx, where xxx.xxx.xxx.xxx is the address of your rsyslog server. Note that a single @ forwards over UDP and @@ forwards over TCP. In the selector, "user" is the syslog facility and "notice" is the priority (severity) of the messages to forward.
You can use the logger command to send a test message. The -t flag tags the message with the string that follows it (e.g. test): logger -t test "XYZ"
Logging authorization
Within the remote-syslog client config file, adding authpriv.* @xxx.xxx.xxx.xxx (where xxx.xxx.xxx.xxx is the remote syslog server's IP) will send all authpriv-facility logs, i.e. those relating to logins (failed logins, for example), to the remote syslog server.
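A complete, added example covering the server and client steps above and the authpriv forwarding just described (this is example code, not from the wiki): a POSIX shell script that prints the server reception fragment (imudp and imtcp on port 514), prints a client forwarding fragment for either @ (UDP) or @@ (TCP) with both the user.notice and authpriv.* selectors, and parses netstat -tupan style output to confirm that 514 is listening over both protocols. The server address 192.0.2.10, the file names under /etc/rsyslog.d/ and the netstat sample lines are constructed for the example. Two facts worth having next to the notes: logger sends at user.notice by default, which is why logger -t test "XYZ" matches the user.notice selector, and on Linux netstat -p prints the owning PID/program name, which is what lets you confirm the 514 socket really belongs to rsyslogd.

```shell
#!/bin/sh
# Added example (not from the wiki): rsyslog server/client fragments plus a
# check of netstat output for port 514. SERVER_IP is a constructed placeholder
# from the documentation range; the /etc/rsyslog.d/ file names are assumed.

SERVER_IP="${SERVER_IP:-192.0.2.10}"

# Server side: load imudp and imtcp and listen on 514 for both transports.
# This is the same effect as uncommenting the reception lines in /etc/rsyslog.conf.
server_conf() {
  cat <<'EOF'
# /etc/rsyslog.d/10-remote-in.conf (assumed file name)
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
EOF
}

# Client side: forward user.notice (what `logger` sends by default) and
# authpriv.* (login events) to the server. $1 = server IP, $2 = udp|tcp.
client_conf() {
  ip="$1"
  case "$2" in
    tcp) target="@@$ip" ;;   # @@ = TCP
    udp) target="@$ip" ;;    # @  = UDP
    *) echo "client_conf: transport must be udp or tcp" >&2; return 1 ;;
  esac
  printf '# /etc/rsyslog.d/50-forward.conf (assumed file name)\n'
  printf 'user.notice %s\n' "$target"
  printf 'authpriv.* %s\n' "$target"
}

# Read `netstat -tupan` output on stdin; succeed only when something listens
# on 514 over TCP (State column is LISTEN) and over UDP (UDP rows have no state).
listening_on_514() {
  awk '
    $1 ~ /^tcp/ && $4 ~ /:514$/ && $6 == "LISTEN" { tcp++ }
    $1 ~ /^udp/ && $4 ~ /:514$/                   { udp++ }
    END { exit !(tcp > 0 && udp > 0) }'
}

# Live check on the server itself (needs netstat from net-tools).
check_live() {
  netstat -tupan 2>/dev/null | listening_on_514
}

# Constructed sample of `netstat -tupan` output from a healthy server.
NETSTAT_OK='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      1234/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1234/rsyslogd
tcp        0      0 127.0.0.1:22            127.0.0.1:51000         ESTABLISHED 987/sshd'

# Constructed sample where only the UDP reception lines were uncommented.
NETSTAT_UDP_ONLY='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1234/rsyslogd'

demo() {
  echo "== server fragment =="; server_conf
  echo "== client fragment (TCP) =="; client_conf "$SERVER_IP" tcp
  echo "== sample netstat check =="
  if printf '%s\n' "$NETSTAT_OK" | listening_on_514; then
    echo "514 is listening on both TCP and UDP"
  fi
  # On the client, send a message that matches the user.notice selector:
  #   logger -t test "XYZ"
}
if [ "${RSYSLOG_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with RSYSLOG_DEMO=1 to print both fragments and the sample check; on a real server, check_live runs the same parse over live netstat output. A drop-in under /etc/rsyslog.d/ only takes effect if /etc/rsyslog.conf includes that directory (the stock config does) and after rsyslog is restarted.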