Forwarding Rsyslog Logs to Central Server

If you would like to forward your logs to a central syslog server, add something like this to the bottom of rsyslog.conf:

$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRuleall # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
*.* @@192.168.52.42:514

Create the /var/spool/rsyslog directory if it doesn’t exist, and make sure that the account rsyslog runs as can write to it. This will forward all logs (the *.* selector) to TCP port 514 on 192.168.52.42; the double @@ selects TCP, while a single @ would send over UDP. Test by shutting down the destination. If you look where the logs are queued up, you’ll see this:

root:/var/spool/rsyslog# ls
fwdRuleall.00000001  fwdRuleall.qi
root:/var/spool/rsyslog#
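
A way to check that a forwarding rule really carries the disk queue and retry settings shown above. This is an added example, not part of the original page or of rsyslog; the function name audit_forwarding and its findings wording are hypothetical, and it assumes legacy syntax with one rule per line and hostname or IPv4 targets only.

```python
import re

# Constructed input: the forwarding block from this page, comments included.
SAMPLE_CONF = """\
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRuleall # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
*.* @@192.168.52.42:514
"""

DIRECTIVE = re.compile(r"^\$(\w+)\s+(\S+)")
# selector, "@" (UDP) or "@@" (TCP), host, optional port
FORWARD = re.compile(r"^(\S+)\s+(@@?)([^\s:@]+)(?::(\d+))?$")

def audit_forwarding(conf_text):
    """Return (rules, findings) for legacy-syntax forwarding rules."""
    workdir, pending = None, {}  # pending: $Action* settings for the next action
    rules, findings = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        if not line:
            continue
        d = DIRECTIVE.match(line)
        if d:
            name, value = d.group(1).lower(), d.group(2)
            if name == "workdirectory":
                workdir = value
            elif name.startswith("action"):
                pending[name] = value
            continue
        f = FORWARD.match(line)
        if f:
            selector, at, host, port = f.groups()
            proto = "tcp" if at == "@@" else "udp"
            rules.append({"selector": selector, "proto": proto,
                          "host": host, "port": int(port or 514)})
            where = f"{host}:{port or 514}"
            if proto == "udp":
                findings.append(f"{where}: forwards over UDP, not TCP")
            if workdir is None or "actionqueuefilename" not in pending:
                findings.append(f"{where}: no disk spool (work directory or queue file name missing)")
            if pending.get("actionqueuesaveonshutdown", "off").lower() != "on":
                findings.append(f"{where}: queued messages are not saved on shutdown")
            if pending.get("actionresumeretrycount") != "-1":
                findings.append(f"{where}: retries are not infinite")
        pending = {}  # assumption: each non-directive line is one rule that consumes them
    return rules, findings
```

Run it over the contents of rsyslog.conf; an empty findings list means every forwarding rule found has the spool settings from this page in front of it.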