When a Linux machine has multiple interfaces, syslog traffic may be sent from whichever interface received the traffic. As a result, a single device can send syslog traffic to our LCP from multiple source IP addresses. This KB article contains the steps to configure the rsyslog daemon to bind to a specific IP address and send syslog traffic to the LCP with a unique source IP.
This is applicable to CentOS, RHEL and Oracle Linux servers.
1. With syslogd it is not possible to bind to a specific IP address or port, so the rsyslog package needs to be installed.
2. Install the rsyslog package using yum.
3. Edit /etc/sysconfig/rsyslog and update the parameter value as shown below:
SYSLOGD_OPTIONS="-m 0 -r"
4. Add the following parameters in /etc/rsyslog.conf, below the line $ModLoad imuxsock:
$ModLoad imudp
$UDPServerAddress <IP Address of any one of the local interface through which traffic needs to be forwarded> # this MUST be before the $UDPServerRun directive!
$UDPServerRun 514
5. Restart the rsyslogd service using the below command:
service rsyslog restart
6. To confirm that the above changes are working, use the below command,
7. The above instructions bind a UDP IP:PORT combination; the same values will not work for binding TCP IP:PORT combinations. For TCP, therefore, one can select a specific port for binding, but not which interface rsyslogd gets bound to.
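The ordering requirement in step 4 is easy to break when editing an existing rsyslog.conf, so the following added example (not part of the original article or of rsyslog) lints a config file for it. The function name check_imudp_bind and the sample address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint the imudp bind ordering from step 4.
# check_imudp_bind FILE -> returns 0 only if every $UDPServerRun listener is
# preceded by "$ModLoad imudp" and by a concrete $UDPServerAddress.
check_imudp_bind() {
    awk '
        { sub(/#.*/, "") }                      # strip comments before matching
        tolower($1) == "$modload" && $2 == "imudp" { loaded = 1; next }
        tolower($1) == "$udpserveraddress" {
            addr = $2
            if (addr ~ /^</) {                  # KB placeholder left unedited
                printf "%s:%d: placeholder address not replaced\n", FILENAME, NR
                bad = 1
            }
            if (unbound) {
                printf "%s:%d: $UDPServerAddress comes after $UDPServerRun on line %d\n", FILENAME, NR, unbound
                bad = 1
            }
            next
        }
        tolower($1) == "$udpserverrun" {
            runs++
            if (!loaded) {
                printf "%s:%d: $UDPServerRun before $ModLoad imudp\n", FILENAME, NR
                bad = 1
            }
            if (addr == "" || addr == "*") { unbound = NR; bad = 1 }
            else printf "%s:%d: UDP port %s bound to %s\n", FILENAME, NR, $2, addr
        }
        END {
            if (!runs) { printf "%s: no $UDPServerRun directive\n", FILENAME; bad = 1 }
            else if (unbound) printf "%s:%d: listener not bound to a specific address\n", FILENAME, unbound
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample (192.0.2.10 is a documentation address): address set too late.
sample=$(mktemp)
cat > "$sample" <<'EOF'
$ModLoad imuxsock
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 192.0.2.10
EOF
check_imudp_bind "$sample" || echo "result: bind not effective"
rm -f "$sample"
```

Run it against /etc/rsyslog.conf before restarting the service in step 5; a non-zero exit status means at least one UDP listener is not bound to a specific address.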