Author : Rainer Gerhards

CentOS 5: how to compile rsyslog from git

If you compile rsyslog from git on CentOS 5 you run into the trouble that

autoreconf -fvi

fails, telling you that autotools 2.59 provided by CentOS is too old.

The solution to this problem is to install version 2.61 of autotools. You will probably not want to overwrite the default CentOS package, so you should install it in some alternate location (e.g. /opt) and include that location in the topmost spot of your path. all this can be done as follows:

wget http://ftp.gnu.org/gnu/autoconf/autoconf-2.61.tar.bz2
tar xjf autoconf-2.61.tar.bz2
cd autoconf-2.61
./configure --prefix=/opt
make
sudo make install

Then, you need to change your path, for example as follows (this is obviously a temporary alteration!):

export PATH=/opt/bin:$PATH

After these changes, you should be able to run autoreconf for rsyslog.

Sending Messages to a Remote Syslog Server

In this recipe, we forward messages from one system to another one. Typical use cases are:

  • the local system does not store any messages (e.g. has not sufficient space to do so)
  • there is a (e.g. legal) requirement to consolidate all logs on a single system
  • the server may run some advanced alerting rules, and needs to have a full picture or network activity to work well
  • you want to get the logs to a different system in a different security domain (to prevent attackers from hiding their tracks)
  • and many more …

In our case, we forward all messages to the remote system. Note that by applying different filters, you may only forward select entries to the remote system. Also note that you can include as many forwarding actions as you like. For example, if you need to have a backup central server, you can simply forward to both of them, using two different forwarding actions.

To learn how to configure the remote server, see recipe Receiving Messages from a Remote System.

Config Statements

# this is the simplest forwarding action:
*.* action(type="omfwd" target="192.0.2.1" port="10514" protocol="tcp")
# it is equivalent to the following obsolete legacy format line:
*.* @@192.0.2.1:10514 # do NOT use this any longer!
# Note: if the remote system is unreachable, processing will
# block here and discard messages after a while

# so a better use is
*.*  action(type="omfwd" target="192.0.2.2" port="10514" protocol="tcp"
            action.resumeRetryCount="100"
            queue.type="linkedList" queue.size="10000")
# this will de-couple the sending from the other logging actions,
# and prevent delays when the remote system is not reachable. Also,
# it will try to connect 100 times before it discards messages as
# undeliverable.
# the rest below is more or less a plain vanilla rsyslog.conf as 
# many distros ship it - it's more for your reference...
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none      /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                    /var/log/secure
# Log all the mail messages in one place.
mail.*                                        /var/log/maillog
# Log cron stuff
cron.*                                        /var/log/cron
# Everybody gets emergency messages
*.emerg                                       :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                /var/log/spooler
# Save boot messages also to boot.log
local7.*                                      /var/log/boot.log

Things to think about

You need to select the protocol best suitable for your use case. If in doubt, TCP is a decent choice. This recipe uses TCP for that reason.

TCP forwarding is a build-in capability and always present. As such, no plugin needs to be loaded. The target can be specified by DNS name or IP address. Use IP addresses for most robust operations. If you use a DNS name and name resolution fails, forwarding may be disabled for some time. DNS resolution typically fails on the DNS server itself during system startup.

In this example, we forward to port 10514. We could as well remove the port=”…” parameter from the configuration, which would result in the default port being used. However, you need to specify the port address on the server in any case. So it is strongly advised to use an explicit port number to make sure that client and server configuration match each other (if they used different ports, the message transfer would not work.

bug fixed in listener

There was a bug in the BEEP listeners which made them ignore the listen port set by srAPISetOption. The BEEP listeners always listen to 601, no matter what was set. This has today been fixed. The fix is currently available via anonymous CVS from sourceforge, only. Check there if you need this functionality.

LibLogging is alive!

You may wonder… no news during the past month. Is LibLogging abandoned? Well, it looks like it is … but that’s not the truth. Of course, development on LibLogging has stopped, a fact caused by the simple matter of lack of interest in the library. However, there is growing interest since spring of this year and that interest will soon spawn some new development in LibLogging. There is a co-project, called rsyslog which implements a reliable syslog server, soon together with LibLogging. This project will hopefully create some additional awareness for RFC 3195 like logging. So, don’t panic, LibLogging is still very vital alive, it was just resting a little bit. I expect some more updates coming within the next 3 month (there are already some new features in the CVS version).

Scroll to top