Sunday, November 15, 2009

rsyslog

Today I had to get the logs of a machine on another. The simple reason was that the first machine was crashing and its log file was not on persistent storage. This was what I did.

On the client machine, edit /etc/rsyslog.conf. Add an entry like the one shown below:


*.*                                                   @10.0.0.2


*.* matches messages from every facility at every priority. 10.0.0.2 is the address of the server where the log daemon is running. (Note the @ sign: a single @ forwards over UDP, while @@ would forward over TCP.) After making this change, I restarted rsyslog on the client.

On the server, again edit /etc/rsyslog.conf. Look for the lines shown below:

# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp.so
#$InputTCPServerRun 514

Uncomment (remove the #) the $ModLoad line and the port line for the protocol the client uses (UDP for the @ rule above) so that the server can receive log messages from the remote client. Then restart rsyslog on the server as well. You will start receiving the messages from the client on your server.
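
The client rule and the server listener have to use the same transport, or the messages never arrive. As an added example (not part of the original post), this script reads a client and a server rsyslog.conf in the legacy syntax shown above and reports whether each forwarding rule has a matching listener enabled. The function names and the sample files are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check that the transport a
# client forwards with has a matching listener enabled on the server.

# Print "<proto> <target>" for each legacy-syntax forwarding action:
# a selector followed by @host is UDP, @@host is TCP. Comments are skipped.
forward_rules() {
    awk '
        /^[[:space:]]*#/ { next }
        NF >= 2 && $2 ~ /^@@/ { print "tcp", substr($2, 3); next }
        NF >= 2 && $2 ~ /^@/  { print "udp", substr($2, 2) }
    ' "$1"
}

# Succeed only if both the input module and the port directive for the
# given protocol (udp or tcp) are uncommented in the server config.
listener_enabled() {
    case "$2" in
        udp) mod='imudp'; run='UDPServerRun' ;;
        tcp) mod='imtcp'; run='InputTCPServerRun' ;;
        *)   return 2 ;;
    esac
    grep -Eq "^[[:space:]]*\\\$ModLoad[[:space:]]+$mod" "$1" &&
    grep -Eq "^[[:space:]]*\\\$$run[[:space:]]+[0-9]+" "$1"
}

# Compare a client config with a server config; one verdict per rule.
check_pair() {
    forward_rules "$1" | while read -r proto target; do
        if listener_enabled "$2" "$proto"; then
            echo "ok $proto $target"
        else
            echo "mismatch $proto $target"
        fi
    done
}

# Constructed sample configs: the client forwards with a single @ (UDP),
# but only the TCP listener was uncommented on the server.
demo_dir=$(mktemp -d)
printf '%s\n' '*.*   @10.0.0.2' > "$demo_dir/client.conf"
printf '%s\n' '#$ModLoad imudp.so' '#$UDPServerRun 514' \
              '$ModLoad imtcp.so' '$InputTCPServerRun 514' > "$demo_dir/server.conf"
check_pair "$demo_dir/client.conf" "$demo_dir/server.conf"
```

To use it on real machines, copy both files to one host and call check_pair with the client file first and the server file second.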

How to test it?

Testing is easy. Use logger on the client to log a message. For example, run:

logger "Test message from the client"


You will then see the message appear in /var/log/messages on the server!
