Log shipping with rsyslog

## Server /etc/rsyslog.conf ``` $ModLoad imtcp # # Disable rate-limiting # # "interval = 1 AND burst = 1000" means rsyslog starts dropping messages if more than 1000 messages are received within 1 seconds. $SystemLogRateLimitInterval 0 $SystemLogRateLimitBurst 0 ``` /etc/rsyslog.d/35-remote-logs.conf ``` input(type="imtcp" port="514" ruleset="remote") template(name="PerRemoteHostLogFileName" type="list") { constant(value="/var/log/hosts/") property(name="$year") constant(value="/") property(name="$month") constant(value="/") property(name="hostname" securepath="replace") constant(value="/") property(name="programname" securepath="replace") constant(value=".log") } ruleset(name="remote") { $FileCreateMode 0640 $DirCreateMode 0755 ?PerRemoteHostLogFileName } ``` ## Client /etc/rsyslog.conf ``` # Disable rate-limiting $SystemLogRateLimitInterval 0 $SystemLogRateLimitBurst 0 # # Send all logs to centralized log server over TCP # *.* @@{{log_server_ip_addr}} ```