• Topic ID: id_2024253
  • Version: 2.0
  • Date: Feb 14, 2020 4:04:45 PM

Sending Linux system logs to a remote server

Sending Linux system log (syslogd) events to a remote server.

Procedure

  1. Open a command window.
  2. Switch to the root user. Run the su - command.
  3. Activate remote system logging. Run the rsyslogclient -s 1.2.3.4 command, replacing 1.2.3.4 with the remote system address:
    note: This configuration script defaults to sending logs to the TCP server on port 514. To see the other options, run rsyslogclient -h.
  4. If the remote system is addressed only by IPv6, configure it as a Static Address Map entry as described in IPv6 / Static Address Map and use the mapped IPv4 address on the rsyslogclient command line.
  5. If the remote system communicates through the VPN, enter the address as defined on the VPN.
  6. If a Linux rsyslog server is not yet configured, add the following lines to the receiving system's /etc/rsyslog.conf:
    $ModLoad imtcp
    $InputTCPServerRun 514
    $template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
    *.* ?FILENAME

    Alternatively, the following command, run as root on the system that is to receive the log files, appends those lines only if no ...ServerRun directive is already present:

    grep -iE '^\$.*...ServerRun' /etc/rsyslog.conf || echo -e '$ModLoad imtcp\n$InputTCPServerRun 514\n$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"\n*.* ?FILENAME' >> /etc/rsyslog.conf
    note: If a port other than 514 is used for remote syslog, the firewall rule configuration must be changed to match, because the firewall is configured by default to allow only certain outbound destination ports.

    The file to modify is /usr/share/gehc_security/pnf/modality.sh. It contains instructions and standard iptables commands. The lines specific to syslog are the following; change the port number in them to the port in use.

    # Below for remote syslog
    $IPTABLES -A OUTPUT -p udp -m udp --dport 514 -j ACCEPT
    $IPTABLES -A OUTPUT -p tcp -m tcp --dport 514 -j ACCEPT
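
As an added example that is not part of this article: shell helpers for the non-default-port case, rendering the receiving-side rsyslog.conf lines for a chosen port, appending them idempotently, and checking a copy of modality.sh for a matching outbound TCP rule. The file paths are parameters, and the port 6514 used in the demo is an assumed example value.

```shell
#!/bin/sh
# Added example, not from the article: helpers for the case where a port other
# than 514 is used. Paths are passed as parameters so the checks can be run on
# copies of the real files; port 6514 in the demo is an assumed example value.

# Print the receiving-side rsyslog.conf lines from the article for TCP port $1.
rsyslog_server_conf() {
    port="${1:-514}"
    printf '%s\n' '$ModLoad imtcp' "\$InputTCPServerRun $port" \
        '$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"' '*.* ?FILENAME'
}

# Append those lines to conf file $1 for port $2 unless a $...ServerRun line is
# already there (the same idempotence check the article's grep || echo makes).
ensure_rsyslog_server() {
    conf="$1"; port="${2:-514}"
    grep -qiE '^\$.*ServerRun' "$conf" 2>/dev/null && return 0
    rsyslog_server_conf "$port" >> "$conf"
}

# Print the two iptables lines from modality.sh with the port replaced by $1.
syslog_firewall_rules() {
    port="${1:-514}"
    printf '%s\n' '# Below for remote syslog' \
        "\$IPTABLES -A OUTPUT -p udp -m udp --dport $port -j ACCEPT" \
        "\$IPTABLES -A OUTPUT -p tcp -m tcp --dport $port -j ACCEPT"
}

# Return 0 if firewall script $1 already has an OUTPUT ACCEPT rule for TCP
# port $2, non-zero otherwise; run this before relying on a non-default port.
firewall_allows_syslog() {
    script="$1"; port="${2:-514}"
    grep -qE '^\$IPTABLES -A OUTPUT -p tcp .*--dport '"$port"' -j ACCEPT' "$script"
}

# Demo on constructed copies: a modality.sh still at the default 514 while the
# receiving server is being set up on 6514.
demo() {
    dir=$(mktemp -d)
    syslog_firewall_rules 514 > "$dir/modality.sh"
    : > "$dir/rsyslog.conf"
    ensure_rsyslog_server "$dir/rsyslog.conf" 6514
    ensure_rsyslog_server "$dir/rsyslog.conf" 6514   # no-op on the second call
    if ! firewall_allows_syslog "$dir/modality.sh" 6514; then
        echo "modality.sh does not allow TCP 6514 outbound; lines to add:"
        syslog_firewall_rules 6514
    fi
    rm -rf "$dir"
}
demo
```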