Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 5. Configuring a remote logging solution

Ensure that logs from various machines in your environment are recorded centrally on a logging server. You can configure the Rsyslog application to forward logs that meet specific criteria from client systems to the server.

5.1. The Rsyslog logging service
Copy link

Understand the function of the Rsyslog logging service and how to define rules in the /etc/rsyslog.conf file. Rules classify messages by urgency and topic, determining the action Rsyslog performs.

The Rsyslog application, in combination with the systemd-journald service, provides local and remote logging support in Red Hat Enterprise Linux. The rsyslogd daemon continuously reads syslog messages received by the systemd-journald service from the Journal. rsyslogd then filters and processes these syslog events and records them to rsyslog log files or forwards them to other services according to its configuration.

The rsyslogd daemon also provides extended filtering, encryption-protected relaying of messages, input and output modules, and support for transport that uses the TCP and UDP protocols.

In /etc/rsyslog.conf, which is the main configuration file for rsyslog, you can specify the rules according to which rsyslogd handles the messages. Generally, you can classify messages by their source and topic (facility) and urgency (priority), and then assign an action that should be performed when a message fits these criteria.

In /etc/rsyslog.conf, you can also see a list of log files maintained by rsyslogd. Most log files are located in the /var/log/ directory. Some applications, such as httpd and samba, store their log files in a subdirectory within /var/log/.

For more information, see the rsyslogd(8) and rsyslog.conf(5) man pages on your system. You can also refer to the comprehensive documentation installed with the rsyslog-doc package in the /usr/share/doc/rsyslog/html/index.html file.

5.2. Installing Rsyslog documentation
Copy link

Install the rsyslog-doc documentation package locally. This provides quick, offline access to the extensive documentation for the Rsyslog application, complementing the online resources.

The Rsyslog application has extensive online documentation that is available at https://www.rsyslog.com/doc/, but you can also install the rsyslog-doc documentation package on your system.

Prerequisites

  • You have activated the AppStream repository on your system.
  • You are authorized to install new packages using sudo.

Procedure

  • Install the rsyslog-doc package: 

    # dnf install rsyslog-doc
    Copy to Clipboard Toggle word wrap

Verification

  • Open the /usr/share/doc/rsyslog/html/index.html file in a browser of your choice, for example: 

    $ firefox /usr/share/doc/rsyslog/html/index.html &
    Copy to Clipboard Toggle word wrap

Configure your Rsyslog server to receive remote logs through the reliable TCP protocol. This setup helps ensure high integrity when transferring logs from client systems over the network.

To use remote logging through TCP, configure both the server and the client. The server collects and analyzes the logs sent by one or more client systems.

With the Rsyslog application, you can maintain a centralized logging system where log messages are forwarded to a server over the network. To avoid message loss when the server is not available, you can configure an action queue for the forwarding action. This way, messages that failed to be sent are stored locally until the server is reachable again. Note that such queues cannot be configured for connections that use the UDP protocol.

The omfwd plugin provides forwarding over UDP or TCP. The default protocol is UDP. Because the plugin is built-in, it does not have to be loaded.

By default, rsyslog uses TCP on port 514.

Prerequisites

  • Rsyslog is installed on the server system.
  • You are logged in as root on the server.
  • The policycoreutils-python-utils package is installed for the optional step using the semanage command.
  • The firewalld service is running.

Procedure

  1. Optional: To use a different port for rsyslog traffic, add the syslogd_port_t SELinux type to port. For example, enable port 30514: 

    # semanage port -a -t syslogd_port_t -p tcp 30514
    Copy to Clipboard Toggle word wrap

  2. Optional: To use a different port for rsyslog traffic, configure firewalld to allow incoming rsyslog traffic on that port. For example, allow TCP traffic on port 30514: 

    # firewall-cmd --zone=<zone_name> --permanent --add-port=30514/tcp
success
# firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

  3. Create a new file in the /etc/rsyslog.d/ directory named, for example, remotelog.conf, and insert the following content: 

    # Define templates before the rules that use them
# Per-Host templates for remote systems
template(name="TmplAuthpriv" type="list") {
    constant(value="/var/log/remote/auth/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
    }

template(name="TmplMsg" type="list") {
    constant(value="/var/log/remote/msg/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
    }

# Provides TCP syslog reception
module(load="imtcp")

# Adding this ruleset to process remote messages
ruleset(name="remote1"){
     authpriv.*   action(type="omfile" DynaFile="TmplAuthpriv")
      *.info;mail.none;authpriv.none;cron.none
action(type="omfile" DynaFile="TmplMsg")
}

input(type="imtcp" port="30514" ruleset="remote1")
    Copy to Clipboard Toggle word wrap
  4. Save the changes to the /etc/rsyslog.d/remotelog.conf file.

  5. Test the syntax of the /etc/rsyslog.conf file: 

    # rsyslogd -N 1
rsyslogd: version 8.1911.0-2.el8, config validation run...
rsyslogd: End of config validation run. Bye.
    Copy to Clipboard Toggle word wrap

  6. Make sure the rsyslog service is running and enabled on the logging server: 

    # systemctl status rsyslog
    Copy to Clipboard Toggle word wrap

  7. Restart the rsyslog service. 

    # systemctl restart rsyslog
    Copy to Clipboard Toggle word wrap

  8. Optional: If rsyslog is not enabled, ensure the rsyslog service starts automatically after reboot: 

    # systemctl enable rsyslog
    Copy to Clipboard Toggle word wrap

You can configure a system for forwarding log messages to a server over the TCP protocol. The omfwd plugin provides forwarding over UDP or TCP. The default protocol is UDP. Because the plugin is built in, you do not have to load it.

Prerequisites

  • The rsyslog package is installed on the client systems that should report to the server.
  • You have configured the server for remote logging.
  • The specified port is permitted in SELinux and open in firewall.
  • The system contains the policycoreutils-python-utils package, which provides the semanage command for adding a non-standard port to the SELinux configuration.

Procedure

  1. Create a new file in the /etc/rsyslog.d/ directory named, for example, 10-remotelog.conf, and insert the following content: 

    *.* action(type="omfwd"
      queue.type="linkedlist"
      queue.filename="example_fwd"
      action.resumeRetryCount="-1"
      queue.saveOnShutdown="on"
      target="example.com" port="30514" protocol="tcp"
     )
    Copy to Clipboard Toggle word wrap

    Where:

    • The queue.type="linkedlist" setting enables a LinkedList in-memory queue,
    • The queue.filename setting defines a disk storage. The backup files are created with the example_fwd prefix in the working directory specified by the preceding global workDirectory directive.
    • The action.resumeRetryCount -1 setting prevents rsyslog from dropping messages when retrying to connect if server is not responding,
    • The queue.saveOnShutdown="on" setting saves in-memory data if rsyslog shuts down.

    • The last line forwards all received messages to the logging server. Port specification is optional.

      With this configuration, rsyslog sends messages to the server but keeps messages in memory if the remote server is not reachable. A file on disk is created only if rsyslog runs out of the configured memory queue space or needs to shut down, which benefits the system performance.

      Note

      Rsyslog processes configuration files /etc/rsyslog.d/ in the lexical order.

  2. Restart the rsyslog service. 

    # systemctl restart rsyslog
    Copy to Clipboard Toggle word wrap

Verification

To verify that the client system sends messages to the server:

  1. On the client system, send a test message: 

    # logger test
    Copy to Clipboard Toggle word wrap

  2. On the server system, view the /var/log/messages log, for example: 

    # cat /var/log/remote/msg/hostname/root.log
Feb 25 03:53:17 hostname root[6064]: test
    Copy to Clipboard Toggle word wrap

    Where hostname is the hostname of the client system. Note that the log contains the user name of the user that entered the logger command, in this case root.

5.5. Configuring TLS-encrypted remote logging
Copy link

Encrypt remote logging communication by using TLS to secure the data transfer. Configuring TLS on both the server and the client helps protect sensitive logs from network interception.

By default, Rsyslog sends remote logging messages in plain text. To use encrypted transport through TLS, configure both the server and the client. The server collects and analyzes the logs sent by one or more client systems.

You can use either the ossl network stream driver (OpenSSL) or the gtls stream driver (GnuTLS).

Note

If you have a separate system with higher security, for example, a system that is not connected to any network or has stricter authorizations, use the separate system as the certifying authority (CA).

You can customize your connection settings with stream drivers on the server side on the global, module, and input levels, and on the client side on the global and action levels. The more specific configuration overrides the more general configuration. This means, for example, that you can use ossl in global settings for most connections and gtls on the input and action settings only for specific connections.

Prerequisites

  • You have root access to both the client and server systems.

  • The following packages are installed on the server and the client systems:

    • The rsyslog package.
    • For the ossl network stream driver, the rsyslog-openssl package.
    • For the gtls network stream driver, the rsyslog-gnutls package.
    • For generating certificates by using the certtool command, the gnutls-utils package.

  • On your logging server, the following certificates are in the /etc/pki/ca-trust/source/anchors/ directory, and your system configuration is updated by using the update-ca-trust command:

    • ca-cert.pem - a CA certificate that can verify keys and certificates on logging servers and clients.
    • server-cert.pem - a public key of the logging server.
    • server-key.pem - a private key of the logging server.

  • On your logging clients, the following certificates are in the /etc/pki/ca-trust/source/anchors/ directory, and your system configuration is updated by using update-ca-trust:

    • ca-cert.pem - a CA certificate that can verify keys and certificates on logging servers and clients.
    • client-cert.pem - a public key of a client.
    • client-key.pem - a private key of a client.
    • If the server runs RHEL 9.2 or later and FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the TLS extension "Extended Master Secret" enforced article (Red Hat Knowledgebase).

Procedure

  1. Configure the server for receiving encrypted logs from your client systems:

    1. Create a new file in the /etc/rsyslog.d/ directory named, for example, securelogser.conf.

    2. To encrypt the communication, the configuration file must contain paths to certificate files on your server, a selected authentication method, and a stream driver that supports TLS encryption. Add the following lines to the /etc/rsyslog.d/securelogser.conf file: 

      # Set certificate files
global(
  DefaultNetstreamDriverCAFile="/etc/pki/ca-trust/source/anchors/ca-cert.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/ca-trust/source/anchors/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/pki/ca-trust/source/anchors/server-key.pem"
)

# TCP listener
module(
  load="imtcp"
  PermittedPeer=["client1.example.com", "client2.example.com"]
  StreamDriver.AuthMode="x509/name"
  StreamDriver.Mode="1"
  StreamDriver.Name="ossl"
)

# Start up listener at port 514
input(
  type="imtcp"
  port="514"
)
      Copy to Clipboard Toggle word wrap
      Note

      If you prefer the GnuTLS driver, use the StreamDriver.Name="gtls" configuration option. See the documentation installed with the rsyslog-doc package for more information about less strict authentication modes than x509/name.

    3. Optional: To customize the connection configuration, replace the input section with the following: 

      input(
  type="imtcp"
  Port="50515"
  StreamDriver.Name="<driver>"
  streamdriver.CAFile="/etc/rsyslog.d/<ca1>.pem"
  streamdriver.CertFile="/etc/rsyslog.d/<server1_cert>.pem"
  streamdriver.KeyFile="/etc/rsyslog.d/<server1_key>.pem"
)
      Copy to Clipboard Toggle word wrap
      • Replace <driver> with ossl or gtls depending on the driver you want to use.
      • Replace <ca1> with the CA certificate, <server1_cert> with the certificate, and <server1_key> with the key of the customized connection.
    4. Save the changes to the /etc/rsyslog.d/securelogser.conf file.

    5. Verify the syntax of the /etc/rsyslog.conf file and any files in the /etc/rsyslog.d/ directory: 

      # rsyslogd -N 1
rsyslogd: version 8.1911.0-2.el8, config validation run (level 1)...
rsyslogd: End of config validation run. Bye.
      Copy to Clipboard Toggle word wrap

    6. Make sure the rsyslog service is running and enabled on the logging server: 

      # systemctl status rsyslog
      Copy to Clipboard Toggle word wrap

    7. Restart the rsyslog service: 

      # systemctl restart rsyslog
      Copy to Clipboard Toggle word wrap

    8. Optional: If Rsyslog is not enabled, ensure the rsyslog service starts automatically after reboot: 

      # systemctl enable rsyslog
      Copy to Clipboard Toggle word wrap

  2. Configure clients for sending encrypted logs to the server:

    1. On a client system, create a new file in the /etc/rsyslog.d/ directory named, for example, securelogcli.conf.

    2. Add the following lines to the /etc/rsyslog.d/securelogcli.conf file: 

      # Set certificate files
global(
  DefaultNetstreamDriverCAFile="/etc/pki/ca-trust/source/anchors/ca-cert.pem"
  DefaultNetstreamDriverCertFile="/etc/pki/ca-trust/source/anchors/client-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/pki/ca-trust/source/anchors/client-key.pem"
)


# Set up the action for all messages
*.* action(
  type="omfwd"
  StreamDriver="ossl"
  StreamDriverMode="1"
  StreamDriverPermittedPeers="server.example.com"
  StreamDriverAuthMode="x509/name"
  target="server.example.com" port="514" protocol="tcp"
)
      Copy to Clipboard Toggle word wrap
      Note

      If you prefer the GnuTLS driver, use the StreamDriver.Name="gtls" configuration option.

    3. Optional: To customize the connection configuration, replace the action section with the following: 

      local1.* action(
  type="omfwd"
  StreamDriver="<driver>"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/certvalid"
  streamDriver.CAFile="/etc/rsyslog.d/<ca1>.pem"
  streamDriver.CertFile="/etc/rsyslog.d/<client1_cert>.pem"
  streamDriver.KeyFile="/etc/rsyslog.d/<client1_key>.pem"
  target="server.example.com" port="514" protocol="tcp"
  )
      Copy to Clipboard Toggle word wrap
      • Replace <driver> with ossl or gtls depending on the driver you want to use.
      • Replace <ca1> with the CA certificate, <client1_cert> with the certificate, and <client1_key> with the key of the customized connection.
    4. Save the changes to the /etc/rsyslog.d/securelogcli.conf file.

    5. Verify the syntax of the /etc/rsyslog.conf file and other files in the /etc/rsyslog.d/ directory: 

      # rsyslogd -N 1
rsyslogd: version 8.1911.0-2.el8, config validation run (level 1)...
rsyslogd: End of config validation run. Bye.
      Copy to Clipboard Toggle word wrap

    6. Make sure the rsyslog service is running and enabled on the logging server: 

      # systemctl status rsyslog
      Copy to Clipboard Toggle word wrap

    7. Restart the rsyslog service: 

      # systemctl restart rsyslog
      Copy to Clipboard Toggle word wrap

    8. Optional: If Rsyslog is not enabled, ensure the rsyslog service starts automatically after reboot: 

      # systemctl enable rsyslog
      Copy to Clipboard Toggle word wrap

Verification

To verify that the client system sends messages to the server:

  1. On the client system, send a test message: 

    # logger test
    Copy to Clipboard Toggle word wrap

  2. On the server system, view the /var/log/messages log, for example: 

    # cat /var/log/remote/msg/<hostname>/root.log
Feb 25 03:53:17 <hostname> root[6064]: test
    Copy to Clipboard Toggle word wrap

    Where <hostname> is the hostname of the client system. Note that the log contains the user name of the user who entered the logger command, in this case, root.

Configure the Rsyslog server to receive remote logs through the high-speed UDP protocol. UDP is suitable when log loss is acceptable, offering faster transmission than TCP.

To use remote logging through UDP, configure both the server and the client. The receiving server collects and analyzes the logs sent by one or more client systems. By default, rsyslog uses UDP on port 514 to receive log information from remote systems.

Prerequisites

  • Rsyslog is installed on the server system.
  • You are logged in as root on the server.
  • The policycoreutils-python-utils package is installed for the optional step that uses the semanage command.
  • The firewalld service is running.

Procedure

  1. Optional: To use a different port for rsyslog traffic than the default port 514:

    1. Add the syslogd_port_t SELinux type to the SELinux policy configuration, replacing portno with the port number you want rsyslog to use: 

      # semanage port -a -t syslogd_port_t -p udp portno
      Copy to Clipboard Toggle word wrap

    2. Configure firewalld to allow incoming rsyslog traffic, replacing portno with the port number and zone with the zone you want rsyslog to use: 

      # firewall-cmd --zone=zone --permanent --add-port=portno/udp
success
# firewall-cmd --reload
      Copy to Clipboard Toggle word wrap

    3. Reload the firewall rules: 

      # firewall-cmd --reload
      Copy to Clipboard Toggle word wrap

  2. Create a new .conf file in the /etc/rsyslog.d/ directory, for example, remotelogserv.conf, and insert the following content: 

    # Define templates before the rules that use them
# Per-Host templates for remote systems
template(name="TmplAuthpriv" type="list") {
    constant(value="/var/log/remote/auth/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
    }

template(name="TmplMsg" type="list") {
    constant(value="/var/log/remote/msg/")
    property(name="hostname")
    constant(value="/")
    property(name="programname" SecurePath="replace")
    constant(value=".log")
    }

# Provides UDP syslog reception
module(load="imudp")

# This ruleset processes remote messages
ruleset(name="remote1"){
     authpriv.*   action(type="omfile" DynaFile="TmplAuthpriv")
      *.info;mail.none;authpriv.none;cron.none
action(type="omfile" DynaFile="TmplMsg")
}

input(type="imudp" port="514" ruleset="remote1")
    Copy to Clipboard Toggle word wrap

    Where 514 is the port number rsyslog uses by default. You can specify a different port instead.

  3. Verify the syntax of the /etc/rsyslog.conf file and all .conf files in the /etc/rsyslog.d/ directory: 

    # rsyslogd -N 1
rsyslogd: version 8.1911.0-2.el8, config validation run...
    Copy to Clipboard Toggle word wrap

  4. Restart the rsyslog service. 

    # systemctl restart rsyslog
    Copy to Clipboard Toggle word wrap

  5. Optional: If rsyslog is not enabled, ensure the rsyslog service starts automatically after reboot: 

    # systemctl enable rsyslog
    Copy to Clipboard Toggle word wrap

Configure a client system to send its logs to a remote server by using the UDP protocol. UDP is preferred when speed is critical and the occasional loss of a log message is acceptable.

The omfwd plugin provides forwarding over UDP or TCP. The default protocol is UDP. Because the plugin is built in, you do not have to load it.

Prerequisites

Procedure

  1. Create a new .conf file in the /etc/rsyslog.d/ directory, for example, 10-remotelogcli.conf, and insert the following content: 

    *.* action(type="omfwd"
      queue.type="linkedlist"
      queue.filename="example_fwd"
      action.resumeRetryCount="-1"
      queue.saveOnShutdown="on"
      target="example.com" port="portno" protocol="udp"
     )
    Copy to Clipboard Toggle word wrap

    Where:

    • The queue.type="linkedlist" setting enables a LinkedList in-memory queue.
    • The queue.filename setting defines a disk storage. The backup files are created with the example_fwd prefix in the working directory specified by the preceding global workDirectory directive.
    • The action.resumeRetryCount -1 setting prevents rsyslog from dropping messages when retrying to connect if the server is not responding.
    • The enabled queue.saveOnShutdown="on" setting saves in-memory data if rsyslog shuts down.
    • The portno value is the port number you want rsyslog to use. The default value is 514.

    • The last line forwards all received messages to the logging server, port specification is optional.

      With this configuration, rsyslog sends messages to the server but keeps messages in memory if the remote server is not reachable. A file on disk is created only if rsyslog runs out of the configured memory queue space or needs to shut down, which benefits the system performance.

    Note

    Rsyslog processes configuration files /etc/rsyslog.d/ in the lexical order.

  2. Restart the rsyslog service. 

    # systemctl restart rsyslog
    Copy to Clipboard Toggle word wrap

  3. Optional: If rsyslog is not enabled, ensure the rsyslog service starts automatically after reboot: 

    # systemctl enable rsyslog
    Copy to Clipboard Toggle word wrap

Verification

To verify that the client system sends messages to the server, follow these steps:

  1. On the client system, send a test message: 

    # logger test
    Copy to Clipboard Toggle word wrap

  2. On the server system, view the /var/log/remote/msg/hostname/root.log log, for example: 

    # cat /var/log/remote/msg/hostname/root.log
Feb 25 03:53:17 hostname root[6064]: test
    Copy to Clipboard Toggle word wrap

    Where hostname is the hostname of the client system. Note that the log contains the user name of the user that entered the logger command, in this case root.

5.8. Load balancing helper in Rsyslog
Copy link

Configure the load balancing helper in Rsyslog to distribute log traffic across multiple remote logging servers. This improves system resilience and prevents any single server from becoming overwhelmed.

When used in a cluster, you can improve Rsyslog load balancing by modifying the RebindInterval setting. This option specifies an interval at which the current connection is broken and is re-established. This setting applies to TCP, UDP, and RELP traffic. The load balancers perceive it as a new connection and forward the messages to another physical target system.

You can use RebindInterval in scenarios when a target system changes its IP address. The Rsyslog application caches the IP address when the connection is established. Therefore, the messages are sent to the same server. If the IP address changes, the UDP packets are lost until the Rsyslog service restarts. Re-establishing the connection ensures that the IP is resolved by DNS again.

Example 5.1. Usage of RebindInterval for TCP, UDP, and RELP traffic

action(type="omfwd" protocol="tcp" RebindInterval="250" target="example.com" port="514" …)

action(type="omfwd" protocol="udp" RebindInterval="250" target="example.com" port="514" …)

action(type="omrelp" RebindInterval="250" target="example.com" port="6514" …)
Copy to Clipboard Toggle word wrap

5.9. Configuring reliable remote logging
Copy link

Configure reliable remote logging with the Reliable Event Logging Protocol (RELP). This helps guarantee that log messages reach the central server, preventing data loss even during network outages.

With RELP, you can send and receive syslog messages over TCP with a much reduced risk of message loss. RELP reliably delivers event messages, making it useful in environments where message loss is not acceptable. To use RELP, configure the imrelp input module, which runs on the server and receives the logs, and the omrelp output module, which runs on the client and sends logs to the logging server.

Prerequisites

  • You have installed the rsyslog, librelp, and rsyslog-relp packages on the server and the client systems.
  • The specified port is permitted in SELinux and open in the firewall.

Procedure

  1. Configure the client system for reliable remote logging:

    1. On the client system, create a new .conf file in the /etc/rsyslog.d/ directory named, for example, relpclient.conf, and insert the following content: 

      module(load="omrelp")
*.* action(type="omrelp" target="_target_IP_" port="_target_port_")
      Copy to Clipboard Toggle word wrap

      Where:

      • target_IP is the IP address of the logging server.
      • target_port is the port of the logging server.
    2. Save the changes to the /etc/rsyslog.d/relpclient.conf file.

    3. Restart the rsyslog service. 

      # systemctl restart rsyslog
      Copy to Clipboard Toggle word wrap

    4. Optional: If rsyslog is not enabled, ensure the rsyslog service starts automatically after reboot: 

      # systemctl enable rsyslog
      Copy to Clipboard Toggle word wrap

  2. Configure the server system for reliable remote logging:

    1. On the server system, create a new .conf file in the /etc/rsyslog.d/ directory named, for example, relpserv.conf, and insert the following content: 

      ruleset(name="relp"){
*.* action(type="omfile" file="_log_path_")
}


module(load="imrelp")
input(type="imrelp" port="_target_port_" ruleset="relp")
      Copy to Clipboard Toggle word wrap

      Where:

      • log_path specifies the path for storing messages.
      • target_port is the port of the logging server. Use the same value as in the client configuration file.
    2. Save the changes to the /etc/rsyslog.d/relpserv.conf file.

    3. Restart the rsyslog service. 

      # systemctl restart rsyslog
      Copy to Clipboard Toggle word wrap

    4. Optional: If rsyslog is not enabled, ensure the rsyslog service starts automatically after reboot: 

      # systemctl enable rsyslog
      Copy to Clipboard Toggle word wrap

Verification

To verify that the client system sends messages to the server:

  1. On the client system, send a test message: 

    # logger test
    Copy to Clipboard Toggle word wrap

  2. On the server system, view the log at the specified log_path, for example: 

    # cat /var/log/remote/msg/hostname/root.log
Feb 25 03:53:17 hostname root[6064]: test
    Copy to Clipboard Toggle word wrap

    Where hostname is the hostname of the client system. Note that the log contains the user name of the user who entered the logger command, in this case, root.

5.10. Supported Rsyslog modules
Copy link

Extend Rsyslog functionality by using specific modules that provide additional input, output, or configuration directives that become available after you load the module. These modules customize how the application processes and handles log messages efficiently.

You can list the input and output modules installed on your system by entering the following command: 

# ls /usr/lib64/rsyslog/{i,o}m*
Copy to Clipboard Toggle word wrap

You can view the list of all available rsyslog modules in the /usr/share/doc/rsyslog/html/configuration/modules/idx_output.html file after you install the rsyslog-doc package.

Configure the netconsole service to forward kernel messages to a remote host. This helps capture critical kernel events, especially when the local system logging functions have failed.

When logging to disk or using a serial console is not possible, you can use the netconsole kernel module and the same-named service to log kernel messages over a network to a remote rsyslog service.

Prerequisites

  • A system log service, such as Rsyslog is installed on the remote host.
  • The remote system log service is configured to receive incoming log entries from this host.

Procedure

  1. Install the netconsole-service package: 

    # dnf install netconsole-service
    Copy to Clipboard Toggle word wrap

  2. Edit the /etc/sysconfig/netconsole file and set the SYSLOGADDR parameter to the IP address of the remote host: 

    # SYSLOGADDR=192.0.2.1
    Copy to Clipboard Toggle word wrap

  3. Enable and start the netconsole service: 

    # systemctl enable --now netconsole
    Copy to Clipboard Toggle word wrap

Verification

  • Display the /var/log/messages file on the remote system log server.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red Hat