On This Page
Sending TufinOS 4.x Logs to a Remote Host
Overview
RSyslog is a log processing utility that facilitates the sending of TOS internal log details to a remote syslog server.
This topic is not related to sending accountability or any other device information from devices to TOS.
We recommend not using the local logging of RSyslog because TufinOS 4 uses the systemd-journald service for system event interpretation and recording by default. Using the RSyslog for local logging will double the recorded system event messages and increase disk usage. However, if you decide to use RSyslog for local logging, do not change the RSyslog log rotation configuration in the file /etc/logrotate.d/syslog. Check the free space in the /var/log partition periodically. If you do not have at least 10% of the partition size as free space, disable RSyslog. For more information, see Disable Local Logging of RSyslog.
Prerequisites
Before you proceed, log in as a root user with root user environment variables. If you have logged in as a regular user, use the sudo su - command to switch to the root user. If the sudo command is not configured, use the su - command.
Check Current RSyslog
Confirm that an auditing RSyslog destination exists.
-
To determine if the RSyslog is already configured to send logs to a remote host, review the
/etc/rsyslog.confand/etc/rsyslog.d/*.conffiles and verify that logs are sent to a central host (whereloghost.example.comis the name of your central log host):grep -E '^\s*([^#]+\s+)?action\(([^#]+\s+)?\btarget=\"?[^#"]+\"?\b' /etc/rsyslog.conf /etc/rsyslog.d/*.confgrep -E '^\s*([^#]+\s+)?action\(([^#]+\s+)?\btarget=\"?[^#"]+\"?\b' /etc/rsyslog.conf /etc/rsyslog.d/*.confThe output should include
target=<FQDN or IP of remote loghost>, for example:*.* action(type="omfwd" target="loghost.example.com" port="514" protocol="tcp"If this command is unsuccessful, use the following command instead:
grep "^*.*[^I][^I]*@" /etc/rsyslog.conf /etc/rsyslog.d/*.confgrep "^*.*[^I][^I]*@" /etc/rsyslog.conf /etc/rsyslog.d/*.confThe output should include
@@<FQDN or IP of remote loghost>, for example:*.* @@loghost.example.com -
If RSyslog is configured to send logs to a remote host, verify that it is running and enabled.
-
Verify that the RSyslog service is running:
The expected result is active.
-
Verify that the RSyslog service is enabled:
The expected result is enabled.
-
Configure RSyslog
Use this procedure to activate RSyslog if it is not already active.
-
Create the
/etc/rsyslog.d/log_to_remote.conffile and add the following line (where<IP>is the IP address of your central log host and<port>is the port of your central log host). The target directive can be a Fully Qualified Domain Name (FQDN) or an IP address. -
Test the configuration syntax:
Verify that your output is similar to the following example:
rsyslogd: version 8.2102.0-15.el8, config validation run (level 1), master config /etc/rsyslog.conf rsyslogd: End of config validation run. Bye.
Disable Local Logging of RSyslog
-
Locate and comment out these eight RSyslog rules in the configuration file
/etc/rsyslog.confas shown in this example: -
Test the configuration syntax:
Verify that your output is similar to the following example:
rsyslogd: version 8.2102.0-15.el8, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.Enable and Start the RSyslog Service
After you complete the RSyslog configuration, unmask, enable, and start the service.
-
Unmask the service:
-
Enable the service:
-
Start the service:
-
Check the service status:
Was this helpful?
Thank you!
We’d love your feedback
We really appreciate your feedback
Send this page to a colleague