Syslog messages not being received at central server

Posted on

Syslog messages not being received at central server – Managing your servers can streamline the performance of your team by allowing them to complete complex tasks faster. Plus, it can enable them to detect problems early on before they get out of hand and compromise your business. As a result, the risk of experiencing operational setbacks is drastically lower.

But the only way to make the most of your server management is to perform it correctly. And to help you do so, this article will share nine tips on improving your server management and fix some problem about linux, logging, centos7, syslog, rsyslog.

I have a central Syslog server (Windows Server 2012 R2) running Kiwi Syslog server that isn’t receiving logs from a client (Centos 7).

The client’s rsyslog.conf configuration looks like this:

*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# Remote Logging (we use TCP for reliable delivery)
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g., port optional
*.*  @@cloudDC:514

Where cloudDC is the name of the logging server.

I have verified:

  • logs are being printed to /var/log/messages
  • TCP and UDP 514 are open on server
  • Server can display logs from localhost
  • Client and server can reach each other

I’m stumped. Any ideas?

Solution :

Start by running tcpdump on both boxes and see if a session is actually started and go from there.

Leave a Reply

Your email address will not be published.