Recently, while running maintenance, I discovered that network devices (such as switches) have a feature to send logs remotely, i.e. they can send logs to a specified server via the syslog UDP protocol. To do this, you can run rsyslog on the server and collect the logs.
The default rsyslog configuration collects the local system logs, so we need a separate rsyslog configuration for collecting the remote ones. Start from a copy of the default configuration saved as /etc/rsyslog-remote.conf, and make the following changes:
- Comment out the module loads associated with local log collection, and enable imtcp so that it listens on the appropriate ports.
- Change $WorkDirectory to /var/spool/rsyslog-remote, to prevent conflicts with the existing rsyslog instance.
- Comment out $IncludeConfig to prevent the introduction of unnecessary configuration.
- Comment out all existing rules in the rest of the file.
- Add a rule that sorts messages by source IP address and writes them all to per-device files under /var/log/rsyslog-remote/.
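As an added example (not the author's file), here is a complete /etc/rsyslog-remote.conf that receives device logs over UDP and TCP and files them by source IP. Port 514, the imudp module and the collector's management address 192.0.2.1 are assumptions.

```rsyslog
# Added example, not the author's configuration: /etc/rsyslog-remote.conf
# Assumed: port 514 for both UDP and TCP, and 192.0.2.1 as the collector's
# management-interface address (replace with your own).

# Listen for syslog from network devices. Most switches send plain UDP;
# TCP is offered for devices that support it. Binding the UDP listener to
# the management address keeps it off interfaces facing untrusted hosts;
# a host firewall rule limiting sources to the device subnet is still
# advisable, since UDP syslog is unauthenticated and easily spoofed.
module(load="imudp")
input(type="imudp" port="514" address="192.0.2.1")
module(load="imtcp")
input(type="imtcp" port="514")

# Separate state directory so this instance does not share queue and
# state files with the system rsyslogd (which uses /var/spool/rsyslog).
$WorkDirectory /var/spool/rsyslog-remote

# One file per sending device, named after the source IP of the packet,
# e.g. /var/log/rsyslog-remote/192.0.2.10.log. fromhost-ip comes from the
# network layer, not from the message text, so a device cannot choose
# its own file name by putting an arbitrary hostname in the message.
template(name="PerDeviceFile" type="string"
         string="/var/log/rsyslog-remote/%fromhost-ip%.log")

# File everything that arrived over the network, then stop so that no
# message falls through to any other rule. Restrictive create modes keep
# the device logs from being world-readable.
if ($fromhost-ip != "127.0.0.1") then {
    action(type="omfile" dynaFile="PerDeviceFile" createDirs="on"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}
```

Check the syntax with `rsyslogd -N1 -f /etc/rsyslog-remote.conf` before pointing the systemd unit at it; the unit's ExecStart must also give this instance its own PID file (rsyslogd -i) so it can run beside the system rsyslogd.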
Finally, write a systemd service so that it starts automatically.
This enables the collection of remote logs.
To keep the logs from growing without bound, you also need to configure logrotate. Copy the existing rsyslog logrotate rule to /etc/logrotate.d/rsyslog-remote, then change the path at the beginning to /var/log/rsyslog-remote/*.log so that it matches the directory above.