Skip to content

As noted in Syslog Basics, relays are used to forward events from other sources to another server that needs to receive those logs (like LogZilla).

Syslog-ng

If your relay host uses syslog-ng, the following file may be used to forward events to LogZilla.

# This is for your *relay* server (not the LogZilla server)
# filename: /etc/syslog-ng/conf.d/logzilla-relay.conf

#Global Options
options {
  flush_lines(100);
  threaded(yes);
  use_dns(yes);
  use_fqdn (no);
  keep_hostname (yes);
  dns-cache-size(2000);
  dns-cache-expire(87600);
};

source s_network {

# port 514 (tcp) is used for RFC3164 formatted events coming in (standard BSD-style logs)
  network(
      transport("tcp")
      port(514)
  );

# port 514 (udp) is used for RFC3164 formatted events coming in (standard BSD-style logs)
  network(
      transport("udp")
      so_rcvbuf(1048576)
      flags("no-multi-line")
      port(514)
  );

# port 601 is for RFC5424 formatted events coming in (key=value pairs)
  network(
      transport("tcp")
      flags(syslog-protocol)
      port(601)
  );
};


destination d_logzilla {
  network(
    "<IP OR HOSTNAME OF LZ SERVER>"
    # for RFC3164/BSD:
    port(514)
    # or for RFC5424:
    # port(601)
    transport(tcp)
  );
};

log {
    source(s_logzilla);
    # disable s_src if you don't want local server events
    source(s_src);
    source(s_network);
    destination(d_logzilla);
    flags(flow-control);
};

Rsyslog

As noted in Syslog Basics, there are two formats used for the syslog protocol. Users may configure either RFC-3164-based forwarding or RFC-5424-based forwarding from their rsyslog relays.

RFC 3164 (default)

To forward logs to LogZilla using the standard format, create a file in /etc/rsyslog.d/ using a .conf extension (i.e. 20-logzilla.conf). This is the config file. Place the following line in that file:

*.*   action(type="omfwd" Target="${logzillaIP}" Port="514" Protocol="tcp")

Replace ${logzillaIP} with the IP Address (or resolvable name) of your LogZilla server.

After adding the new config file run:

service rsyslog restart

RFC 5424

To send messages using the RFC 5424 method, replace content of the config file with:

*.*   action(type="omfwd" Target="${logzillaIP}" Port="514" Protocol="tcp"
             Template="RSYSLOG_SyslogProtocol23Format")

Multiline logs

If your logs contain multiple lines (the messages have embedded newlines), then use RFC5424 protocol but also add TCP_Framing="octet-counted" to the action above, and change from port 514 to port 601. The configuration would then look like this:

*.*   action(type="omfwd" Target="${logzillaIP}" Port="601" Protocol="tcp"
             Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted")

As an example, to read multiline events from the Tomcat log file this configuration could be used:

input(type="imfile"
    File="/var/log/tomcat.log"
    Tag="applog"
    Severity="info"
    escapeLF="off"
    startmsg.regex="^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2},"
)

This help section is provided only as a courtesy. LogZilla Corporation does not provide support for products outside of our own software.