How to configure rsyslog to write to a MySQL database and log to a remote server on Ubuntu
Installing MySQL and rsyslog-MySQL
sudo apt-get install mysql-server rsyslog-mysql
- Set the root MySQL password when prompted and remember this password, since you will be using it in future;
- When installing the rsyslog-mysql package, you are prompted to create a database for the logging. Unless you know what you are doing, choose "YES" here;
- You will be prompted for the root MySQL password again, enter it;
- Then you will be prompted for a new password for the MySQL rsyslog user. You will need this password if you are going to be accessing the database later.
If the installer did not add it, you need to add the MySQL module to your rsyslog configuration yourself. In Ubuntu you can create the file /etc/rsyslog.d/mysql.conf and add the following to it:
$ModLoad ommysql
*.* :ommysql:localhost,Syslog,rsyslog,password
You will of course have to enter your rsyslog user's password where it states "password".
Then restart rsyslog with:
sudo service rsyslog restart
At this point you will have a running rsyslog server that writes the logs to the database and to the syslog files.
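The check below is an added example, not part of the original page: it audits a drop-in such as /etc/rsyslog.d/mysql.conf for a missing $ModLoad ommysql line, an incomplete host,database,user,password list, the literal "password" placeholder left in place, and world-readable permissions on a file that stores the database password in clear text. The function name audit_ommysql_conf and the sample file it builds are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a legacy-syntax
# rsyslog drop-in such as /etc/rsyslog.d/mysql.conf.

# Prints one finding per line and returns 1 if anything was found.
audit_ommysql_conf() {
    conf=$1 rc=0
    [ -r "$conf" ] || { echo "unreadable: $conf"; return 1; }

    # The module must be loaded for the :ommysql: action to work.
    grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+ommysql' "$conf" ||
        { echo 'missing: $ModLoad ommysql'; rc=1; }

    # Legacy action: selector :ommysql:host,database,user,password[;template]
    action=$(grep -E '^[^#]*:ommysql:' "$conf" | head -n 1)
    if [ -z "$action" ]; then
        echo 'missing: :ommysql: action line'; rc=1
    else
        params=${action##*:ommysql:}
        params=${params%%;*}
        IFS=, read -r host db user pass <<EOF
$params
EOF
        if [ -z "$host" ] || [ -z "$db" ] || [ -z "$user" ] || [ -z "$pass" ]; then
            echo 'incomplete: expected host,database,user,password'; rc=1
        elif [ "$pass" = password ]; then
            echo 'placeholder: password field was never replaced'; rc=1
        fi
    fi

    # The file holds the database password in clear text.
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo 'permissions: file is readable by all local users'; rc=1
    fi
    return "$rc"
}

# Constructed sample: the two lines from the page, written with mode 0644.
sample=$(mktemp)
printf '%s\n' '$ModLoad ommysql' '*.* :ommysql:localhost,Syslog,rsyslog,password' > "$sample"
chmod 644 "$sample"
audit_ommysql_conf "$sample" || true
rm -f "$sample"
```

Run it against the real file with `audit_ommysql_conf /etc/rsyslog.d/mysql.conf`; a permissions finding is cleared by restricting the file to root (for example mode 640), since rsyslog reads its configuration as root.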
Remote logging
On the log server, in /etc/rsyslog.conf, uncomment the following two lines:
$ModLoad imudp
$UDPServerRun 514
To send all logs to the log server, edit /etc/rsyslog.d/50-default.conf on the machines that should forward their logs and append the following rule after all the default rules:
*.* @10.103.11.206
Restart rsyslog:
sudo service rsyslog restart